{
  // FortiGate KV-format parser — OCSF v1.3.0
  // Uses explicit regex anchors around each KV pair (e.g. " srcip=", ".*dstip=") instead of a
  // generic kv type, so the order in which FortiGate emits the fields is part of the match.
  // Default attributes applied to every event before a matching format below overrides them.
  // The OCSF numeric/name pairs here describe the catch-all "Network Activity: Traffic" case;
  // formats that produce a Detection Finding must override class_uid, category_uid, type_uid
  // AND activity_id (6 is "Traffic", which only belongs to class 4001).
  attributes: {
    "metadata.version":             "1.3.0",
    "metadata.product.vendor_name": "Fortinet",
    "metadata.product.name":        "FortiGate",
    "metadata.log_provider":        "syslog",
    // NOTE(review): "Category" is capitalised while the sibling keys are camelCase/dotted —
    // kept as-is because a downstream consumer may depend on the exact key; confirm before renaming.
    "Category":               "network",
    "dataSource.vendor":      "Fortinet",
    "dataSource.name":        "FortiGate",
    "dataSource.category":    "firewall",
    "category_uid":           4,         // OCSF: Network Activity category
    "category_name":          "Network Activity",
    "class_uid":              4001,      // OCSF: Network Activity class
    "class_name":             "Network Activity",
    "activity_id":            6,         // OCSF: Traffic
    "type_uid":               400106,    // class_uid * 100 + activity_id
    "status_id":              1,         // OCSF: Success
    "severity_id":            1          // OCSF: Informational
  },

  // Named sub-patterns referenced from formats as $field=pattern$.
  patterns: {
    // A double-quoted string, or a run of non-whitespace. When a format already puts the
    // literal quotes around the placeholder (attack=\"$attack=qval$\"), the first alternative
    // can never apply and the value is captured with \S+, so a quoted value containing a
    // space will fail the whole format rather than be captured partially.
    qval: "(\"[^\"]*\"|\\S+)",
    // Unquoted token: IPs, ports, protocol numbers.
    word: "\\S+",
    // Anything; used when the remainder of the line is irrelevant.
    rest: ".*"
  },

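  // Formats are tried top-to-bottom and `halt: true` stops at the first hit, so the order
  // below is part of the logic: findings first, generic traffic last.
  //
  // Every format relies on FortiGate's KV field order (srcip before dstip; action and attack
  // after them). A log whose order differs falls through to a later, less specific format —
  // verify against live samples after a FortiOS upgrade. Review fixes in this block:
  //   * the finding formats now set activity_id: 1 (Create) — previously the default
  //     activity_id 6 (Traffic) leaked into type_uid 200401 events, which is not valid OCSF;
  //   * IPS hits with action="detected" (monitor mode) are no longer reported as Blocked;
  //   * fgt_deny anchored action= BEFORE srcip=, while fgt_traffic (and FortiOS forward
  //     traffic logs, to the best of this reviewer's knowledge) put it AFTER proto=; denies
  //     therefore fell through to fgt_traffic and were labelled "Allowed".
  formats: [
    // IPS / UTM signature hit that was only observed (action="detected") → Detection Finding.
    // Listed before fgt_ips so the catch-all below cannot mark it Blocked.
    {
      id: "fgt_ips_detected",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1,                      // OCSF: Create
        type_uid: 200401,
        finding_title: "FortiGate IPS Detection",
        severity_id: 5, severity: "Critical", // static; the log's own severity= field is not mapped
        disposition_id: 15, disposition: "Detected"
      },
      // `type=\"ips\"` has no left boundary, so it also matches the `subtype="ips"` that
      // FortiOS emits as `type="utm" subtype="ips"`. action= is expected between dstip= and
      // attack= — confirm against a sample if this format stops matching.
      format: ".*type=\"ips\".* srcip=$src_ip=word$ .*dstip=$dst_ip=word$ .*action=\"detected\".*attack=\"$attack=qval$\".*",
      halt: true
    },

    // IPS / UTM signature hit with any other action (dropped, reset, ...) → Detection Finding.
    {
      id: "fgt_ips",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1,                      // OCSF: Create
        type_uid: 200401,
        finding_title: "FortiGate IPS Detection",
        severity_id: 5, severity: "Critical", // static; the log's own severity= field is not mapped
        disposition_id: 2, disposition: "Blocked"
      },
      // Same type/subtype matching caveat as fgt_ips_detected.
      format: ".*type=\"ips\".* srcip=$src_ip=word$ .*dstip=$dst_ip=word$ .*attack=\"$attack=qval$\".*",
      halt: true
    },

    // Forward traffic - Deny → Detection Finding.
    // Note: every denied session becomes a Medium finding, which is noisy for Internet-facing
    // interfaces that absorb scan traffic; tune severity or filter upstream as needed.
    {
      id: "fgt_deny",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1,                      // OCSF: Create
        type_uid: 200401,
        finding_title: "FortiGate Firewall Deny",
        severity_id: 3, severity: "Medium",
        disposition_id: 2, disposition: "Blocked"
      },
      // Identical field anchors to fgt_traffic, with action= pinned to "deny" so the two
      // formats agree on where action= sits in the line.
      format: ".* srcip=$src_ip=word$ .*srcport=$src_port=word$ .*dstip=$dst_ip=word$ .*dstport=$dst_port=word$ .*proto=$protocol=word$ .*action=\"deny\".*",
      halt: true
    },

    // Forward traffic - everything else (passes through to default attributes).
    {
      id: "fgt_traffic",
      attributes: {
        class_uid: 4001, class_name: "Network Activity",
        type_uid: 400106,
        // Static: correct for action="accept" only because fgt_deny halts on "deny" first.
        // Other FortiOS traffic actions (close, timeout, ...) also land here and are still
        // reported as Allowed — the raw value is kept in $action for downstream mapping.
        disposition_id: 1, disposition: "Allowed"
      },
      format: ".* srcip=$src_ip=word$ .*srcport=$src_port=word$ .*dstip=$dst_ip=word$ .*dstport=$dst_port=word$ .*proto=$protocol=word$ .*action=\"$action=qval$\".*",
      halt: true
    }
  ]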
}
