// SentinelOne AI SIEM Parser: WatchGuard Fireware OS
// OCSF Schema Version: 1.1.0
// Maps WatchGuard Firebox logs to OCSF classes
// Primary Classes: Network Activity (4001), Authentication (3002), Security Finding (2001)

// NOTE(review): the "//" comments in this file make it JSONC, not RFC 8259 JSON. The
// consuming parser must accept comments, or they must be stripped before loading; a
// strict JSON parser will reject the whole file.
// NOTE(review): numeric OCSF fields are written with mixed types. "set" rules give
// strings ("4001", "1", "5") while "lookup" maps give integers (1, 2, 5). Confirm the
// parser coerces "set" values to numbers, otherwise class_uid/severity_id/status_id
// will carry different types depending on which pattern produced the event.
{
  "parserName": "WatchGuard-OCSF",
  "version": "1.0.0",
  "vendor": "WatchGuard",
  "product": "Fireware OS",
  "format": "space-delimited",
  
  // Patterns are listed in order; each one carries its own class/category/metadata
  // rewrites, so the rules do not share state across patterns.
  "patterns": [
    // Firewall traffic logs
    {
      // Anchored capture. Groups: 1 timestamp, 2 Allow|Deny, 3 src ip, 4 dst ip (or any
      // non-space token), 5 protocol/service, 6 src port, 7 dst port. Group 3 only
      // matches dotted-decimal ([\d.]+), so a line with an IPv6 source will not match
      // this pattern at all and falls through to the patterns below.
      "pattern": "^(\\d{4}-\\d{2}-\\d{2}\\s+[\\d:]+)\\s+firewall\\s+(Allow|Deny)\\s+([\\d.]+)\\s+([\\d.]+|\\S+)\\s+(\\S+)\\s+(\\d+)\\s+(\\d+)",
      "rewrites": [
        {"set": "class_uid", "value": "4001"},
        {"set": "class_name", "value": "Network Activity"},
        {"set": "category_uid", "value": "4"},
        {"set": "category_name", "value": "Network Activity"},
        
        // Activity
        // NOTE(review): in OCSF 1.1.0 Network Activity, activity_id 1 is "Open" and 2 is
        // "Close"; Allow/Deny describes the firewall's verdict rather than the activity.
        // Confirm this mapping — disposition_id (1 Allowed / 2 Blocked) may be the
        // intended target for the verdict.
        {"group": 2, "to": "activity_name"},
        {"lookup": "activity_name", "map": {"Allow": 1, "Deny": 2}, "to": "activity_id"},
        
        // Metadata
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "WatchGuard Fireware"},
        {"set": "metadata.product.vendor_name", "value": "WatchGuard"},
        
        // Time
        // The raw timestamp text is copied as-is; no timezone is present in the capture,
        // so the parser's default timezone handling applies — TODO confirm.
        {"group": 1, "to": "time"},
        
        // Endpoints
        {"group": 3, "to": "src_endpoint.ip"},
        {"group": 4, "to": "dst_endpoint.ip"},
        {"group": 6, "to": "src_endpoint.port"},
        {"group": 7, "to": "dst_endpoint.port"},
        
        // Protocol/Service
        {"group": 5, "to": "connection_info.protocol_name"},
        
        // Extract additional fields
        // Quoted key="value" extraction. [^"]+ stops at the first double quote, so a value
        // that itself contains a quote is cut there and the remainder of the value is
        // dropped silently; the same applies to every quoted-field regex in this file.
        {"regex": "rule_name=\"([^\"]+)\"", "group": 1, "to": "policy.name"},
        {"regex": "geo_src=\"([^\"]+)\"", "group": 1, "to": "src_endpoint.location.country"},
        {"regex": "geo_dst=\"([^\"]+)\"", "group": 1, "to": "dst_endpoint.location.country"},
        {"regex": "proxy_act=\"([^\"]+)\"", "group": 1, "to": "proxy.name"},
        // NOTE(review): if msg_id identifies the WatchGuard message type rather than a
        // unique event, metadata.uid (a per-event identifier in OCSF) is the wrong home
        // for it — confirm against sample logs.
        {"regex": "msg_id=\"([^\"]+)\"", "group": 1, "to": "metadata.uid"},
        
        // Application info
        {"regex": "app_name=\"([^\"]+)\"", "group": 1, "to": "app_name"},
        {"regex": "app_cat=\"([^\"]+)\"", "group": 1, "to": "app.category"},
        {"regex": "app_behavior=\"([^\"]+)\"", "group": 1, "to": "app.feature.name"},
        
        // Status
        // status_id/status are derived from the same Allow|Deny token as activity_id above,
        // so the two always agree for this pattern.
        {"lookup": "activity_name", "map": {"Allow": 1, "Deny": 2}, "to": "status_id"},
        {"lookup": "activity_name", "map": {"Allow": "Success", "Deny": "Failure"}, "to": "status"}
      ]
    },
    
    // IPS signature match
    {
      // Unanchored match on the message body; src/dst addresses are re-captured below
      // from the text that follows "signature_match".
      "pattern": "IPS\\s+signature_match",
      "rewrites": [
        {"set": "class_uid", "value": "2004"},
        {"set": "class_name", "value": "Detection Finding"},
        {"set": "category_uid", "value": "2"},
        {"set": "category_name", "value": "Findings"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "WatchGuard IPS"},
        {"set": "metadata.product.vendor_name", "value": "WatchGuard"},
        
        // Endpoints
        // Both rules run the same regex; only the selected group differs. As in the
        // firewall pattern, [\d.]+ excludes IPv6 addresses.
        {"regex": "signature_match\\s+([\\d.]+)\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
        {"regex": "signature_match\\s+([\\d.]+)\\s+([\\d.]+)", "group": 2, "to": "dst_endpoint.ip"},
        
        // Signature info
        {"regex": "sig_name=\"([^\"]+)\"", "group": 1, "to": "finding_info.title"},
        {"regex": "sig_id=\"([^\"]+)\"", "group": 1, "to": "finding_info.uid"},
        {"regex": "sig_vers=\"([^\"]+)\"", "group": 1, "to": "finding_info.version"},
        {"regex": "severity=\"([^\"]+)\"", "group": 1, "to": "severity"},
        {"regex": "action=\"([^\"]+)\"", "group": 1, "to": "activity_name"},
        
        // Severity mapping
        // Vendor severity strings to OCSF severity_id. Keys are matched as written here;
        // confirm whether the lookup is case-sensitive, and what the parser does on a miss
        // (a value outside this map presumably leaves severity_id unset — verify).
        {"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1}, "to": "severity_id"},
        
        // Action mapping
        // NOTE(review): "allow" maps to 0, which is the OCSF "Unknown" activity value, and
        // block/drop/alert do not obviously line up with the Detection Finding activity
        // enum — confirm these values against the OCSF 1.1.0 schema before relying on
        // activity_id for detection logic.
        {"lookup": "activity_name", "map": {"block": 2, "drop": 2, "alert": 1, "allow": 0}, "to": "activity_id"},
        
        // Geo
        {"regex": "geo_src=\"([^\"]+)\"", "group": 1, "to": "src_endpoint.location.country"}
      ]
    },
    
    // Antivirus detection
    {
      "pattern": "antivirus\\s+virus_found",
      "rewrites": [
        // NOTE(review): unlike the other patterns, no category_uid/category_name is set
        // here or in the DLP pattern; the IPS pattern above places 2xxx classes in
        // category 2 "Findings".
        {"set": "class_uid", "value": "2001"},
        {"set": "class_name", "value": "Security Finding"},
        {"set": "finding_info.types", "value": ["Malware"]},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "WatchGuard Gateway AntiVirus"},
        {"set": "metadata.product.vendor_name", "value": "WatchGuard"},
        
        // Endpoints
        // Only the first address after "virus_found" is captured; no dst_endpoint is set.
        {"regex": "virus_found\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
        
        // Malware info
        {"regex": "virus_name=\"([^\"]+)\"", "group": 1, "to": "malware.name"},
        {"regex": "file_name=\"([^\"]+)\"", "group": 1, "to": "file.name"},
        {"regex": "action=\"([^\"]+)\"", "group": 1, "to": "activity_name"},
        // NOTE(review): content_type is a MIME-style string in the log, but OCSF file.type_id
        // is an integer enum — confirm the target; file.mime_type may be what is intended.
        {"regex": "content_type=\"([^\"]+)\"", "group": 1, "to": "file.type_id"},
        // NOTE(review): OCSF models file.hashes as an array of fingerprint objects
        // (algorithm_id + value), not a map keyed by algorithm name — confirm the parser
        // expands this dotted path into that shape.
        {"regex": "md5=\"([^\"]+)\"", "group": 1, "to": "file.hashes.md5"},
        
        // Every AV hit is forced to Critical; no severity field is extracted from the log
        // for this pattern, so the vendor's own rating (if any) is discarded.
        {"set": "severity_id", "value": "5"},
        {"set": "severity", "value": "Critical"}
      ]
    },
    
    // Authentication events
    {
      "pattern": "authentication\\s+(auth_success|auth_failure)",
      "rewrites": [
        {"set": "class_uid", "value": "3002"},
        {"set": "class_name", "value": "Authentication"},
        {"set": "category_uid", "value": "3"},
        {"set": "category_name", "value": "Identity & Access Management"},
        // Both success and failure are modelled as a Logon activity; the outcome is
        // carried in status_id/status below.
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Logon"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "WatchGuard Fireware"},
        {"set": "metadata.product.vendor_name", "value": "WatchGuard"},
        
        // User
        {"regex": "user=\"([^\"]+)\"", "group": 1, "to": "user.name"},
        {"regex": "domain=\"([^\"]+)\"", "group": 1, "to": "user.domain"},
        
        // Source
        // Address immediately after the auth_success/auth_failure token.
        {"regex": "auth_\\w+\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
        
        // Auth details
        {"regex": "auth_method=\"([^\"]+)\"", "group": 1, "to": "auth_protocol"},
        // NOTE(review): "auth_server" and "attempts" are not attributes this reviewer can
        // find on the OCSF 1.1.0 Authentication class — confirm they are accepted as
        // extensions, otherwise consider placing them under unmapped.
        {"regex": "auth_server=\"([^\"]+)\"", "group": 1, "to": "auth_server"},
        {"regex": "session_id=\"([^\"]+)\"", "group": 1, "to": "session.uid"},
        {"regex": "reason=\"([^\"]+)\"", "group": 1, "to": "status_detail"},
        {"regex": "attempts=\"([^\"]+)\"", "group": 1, "to": "attempts"},
        
        // Status
        // "if" presumably gates each rule on which alternative of the pattern matched —
        // TODO confirm the parser's semantics for this key; the two branches are mutually
        // exclusive only if the parser evaluates "if" against the captured token.
        {"set": "status_id", "value": "1", "if": "auth_success"},
        {"set": "status", "value": "Success", "if": "auth_success"},
        {"set": "status_id", "value": "2", "if": "auth_failure"},
        {"set": "status", "value": "Failure", "if": "auth_failure"}
      ]
    },
    
    // System/Config changes
    {
      "pattern": "system\\s+config_change",
      "rewrites": [
        // NOTE(review): verify class_uid 5001 / class_name "Configuration" against the
        // OCSF 1.1.0 Discovery (category 5) class list; this reviewer cannot find a class
        // named "Configuration" there.
        {"set": "class_uid", "value": "5001"},
        {"set": "class_name", "value": "Configuration"},
        {"set": "category_uid", "value": "5"},
        {"set": "category_name", "value": "Discovery"},
        {"set": "activity_id", "value": "2"},
        {"set": "activity_name", "value": "Update"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "WatchGuard Fireware"},
        {"set": "metadata.product.vendor_name", "value": "WatchGuard"},
        
        // Actor
        // Administrative changes are audit-relevant; the acting admin and the address the
        // change came from are the fields a reviewer of this event will want first.
        {"regex": "admin_user=\"([^\"]+)\"", "group": 1, "to": "actor.user.name"},
        {"regex": "config_change\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
        
        // Change details
        // change_type overwrites the fixed "Update" activity_name set above whenever it is
        // present, but activity_id stays 2 — the two can disagree for non-update changes.
        {"regex": "change_type=\"([^\"]+)\"", "group": 1, "to": "activity_name"},
        // NOTE(review): OCSF "resources" is an array of resource objects; confirm the
        // parser turns these dotted paths into a single-element array rather than an object.
        {"regex": "object_type=\"([^\"]+)\"", "group": 1, "to": "resources.type"},
        {"regex": "object_name=\"([^\"]+)\"", "group": 1, "to": "resources.name"},
        {"regex": "action=\"([^\"]+)\"", "group": 1, "to": "resources.action"}
      ]
    },
    
    // DLP events
    {
      "pattern": "dlp\\s+data_leak_prevented",
      "rewrites": [
        // No category_uid/category_name here either (see the antivirus pattern).
        {"set": "class_uid", "value": "2001"},
        {"set": "class_name", "value": "Security Finding"},
        {"set": "finding_info.types", "value": ["Data Loss Prevention"]},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "WatchGuard DLP"},
        {"set": "metadata.product.vendor_name", "value": "WatchGuard"},
        
        // Source
        {"regex": "data_leak_prevented\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
        
        // DLP details
        {"regex": "rule_name=\"([^\"]+)\"", "group": 1, "to": "policy.name"},
        {"regex": "pattern_matched=\"([^\"]+)\"", "group": 1, "to": "finding_info.title"},
        {"regex": "action=\"([^\"]+)\"", "group": 1, "to": "activity_name"},
        // user= lands in actor.user.name here, whereas the authentication pattern maps the
        // same log key to user.name — intentional per class, but worth knowing when
        // searching across both event types.
        {"regex": "user=\"([^\"]+)\"", "group": 1, "to": "actor.user.name"},
        {"regex": "file_name=\"([^\"]+)\"", "group": 1, "to": "file.name"},
        {"regex": "bytes_blocked=\"([^\"]+)\"", "group": 1, "to": "traffic.bytes"},
        
        // Fixed High severity for all DLP preventions; no per-event severity is extracted.
        {"set": "severity_id", "value": "4"},
        {"set": "severity", "value": "High"}
      ]
    }
  ]
}
