{
  // Check Point pipe-delimited parser — OCSF v1.3.0  (v3: Gateway + Mgmt)
  //
  // Format selection is driven solely by each entry's `format:` regex (a format-level `match:`
  // attribute is ignored by Scalyr; the `match:` inside `rewrites` is still honoured).
  // Every entry sets halt:true, so the first matching format consumes the line and ordering
  // decides classification — rules run most-specific → most-generic (mgmt, then blade
  // detections, then firewall verdicts, then the catch-all).
  attributes: {
    // Applied to every event regardless of which format below matches.
    // metadata.* are OCSF fields; dataSource.* and Category are presumably platform-side
    // routing/labelling fields rather than OCSF — confirm with the consumer.
    "metadata.version":             "1.3.0",
    "metadata.product.vendor_name": "Check Point",
    "metadata.product.name":        "Quantum Security",
    "metadata.log_provider":        "syslog",
    // NOTE(review): the only CamelCase key in this file — confirm the consumer expects `Category`.
    "Category":                     "security",
    "dataSource.vendor":            "Check Point",
    "dataSource.name":              "Check Point"
  },

  patterns: {
    // Named sub-patterns usable inside a `format:` string via `$field=name$`.
    // Only `word` is referenced below (rules 5 and 6); `num` and `ip` are currently unused —
    // the rewrites spell the dotted-quad regex out inline instead.
    word:  "[^|]+",                       // one whole pipe-delimited value; does not match an empty value
    num:   "\\d+",
    ip:    "\\d+\\.\\d+\\.\\d+\\.\\d+"    // dotted quad; octets are not range-checked
  },

  formats: [

    // 1. MGMT — SmartCenter Server
    {
      id: "cp_mgmt_smartcenter",
      attributes: {
        "dataSource.category":  "management",
        category_uid: 6, category_name: "Application Activity",
        class_uid: 6003, class_name: "API Activity",
        // Activity and status are fixed for every SmartCenter audit line: the extracted
        // `operation` is never mapped onto activity_id, and every event — including a failed
        // administrator login or a rejected change — is emitted as status Success.
        // NOTE(review): if the export carries an audit result field, derive status_id/status
        // from it; as written, failed admin actions are indistinguishable from successes in OCSF.
        activity_id: 3, activity_name: "Update",
        type_uid: 600303,
        severity_id: 2, severity: "Low",
        status_id: 1, status: "Success"
      },
      // Discriminator: the product field, anchored on the preceding `|` so the literal cannot
      // match inside another field's value.
      format: ".*[|]product=SmartCenter Server.*",
      halt: true,
      rewrites: [
        // `administrator=` is allowed to be empty (`[^|]*`), presumably for system-initiated actions.
        { input: "message",   output: "user_name",     match: ".*[|]administrator=([^|]*).*", replace: "$1" },
        // Dotted-quad only; an IPv6 or hostname value leaves src_ip unset.
        { input: "message",   output: "src_ip",        match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message",   output: "device_host",   match: ".*[|]origin=([^|]+).*",        replace: "$1" },
        { input: "message",   output: "object_name",   match: ".*[|]objectname=([^|]+).*",    replace: "$1" },
        { input: "message",   output: "object_type",   match: ".*[|]objecttype=([^|]+).*",    replace: "$1" },
        { input: "message",   output: "client_name",   match: ".*[|]client_name=([^|]+).*",   replace: "$1" },
        { input: "message",   output: "operation",     match: ".*[|]operation=([^|]+).*",    replace: "$1" },
        // Depends on `operation` having been populated by the rule above — keep this last.
        { input: "operation", output: "finding_title", match: "(.*)", replace: "Check Point Management Audit: $1" }
      ]
    },

    // 2. MGMT — Multi-Domain Server
    {
      id: "cp_mgmt_mds",
      attributes: {
        "dataSource.category":  "management",
        category_uid: 6, category_name: "Application Activity",
        class_uid: 6003, class_name: "API Activity",
        // NOTE(review): rule 1 labels the same kind of audit line "Update" (3); this one says
        // "Create" (1). Neither is derived from the extracted `operation`, so the activity is a
        // per-product constant rather than a description of what the administrator did.
        activity_id: 1, activity_name: "Create",
        type_uid: 600301,
        severity_id: 2, severity: "Low",
        // Every MDS audit event is reported as Success, failed ones included — see rule 1.
        status_id: 1, status: "Success"
      },
      // Discriminator: product field anchored on the preceding `|`.
      format: ".*[|]product=Multi-Domain Server.*",
      halt: true,
      rewrites: [
        // Empty `administrator=` is accepted (`[^|]*`).
        { input: "message",   output: "user_name",     match: ".*[|]administrator=([^|]*).*", replace: "$1" },
        { input: "message",   output: "src_ip",        match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message",   output: "device_host",   match: ".*[|]origin=([^|]+).*",        replace: "$1" },
        { input: "message",   output: "operation",     match: ".*[|]operation=([^|]+).*",    replace: "$1" },
        // Must follow the `operation` extraction above.
        { input: "operation", output: "finding_title", match: "(.*)", replace: "Check Point Management Audit: $1" }
      ]
    },

    // 3. MGMT — Endpoint Security Mgmt
    {
      id: "cp_mgmt_endpoint",
      attributes: {
        "dataSource.category":  "management",
        category_uid: 6, category_name: "Application Activity",
        class_uid: 6003, class_name: "API Activity",
        // Constant activity/status for every endpoint-management audit line; the extracted
        // `operation` is informational only and failures are still emitted as Success (see rule 1).
        activity_id: 3, activity_name: "Update",
        type_uid: 600303,
        severity_id: 2, severity: "Low",
        status_id: 1, status: "Success"
      },
      // Discriminator: product field anchored on the preceding `|`.
      format: ".*[|]product=Endpoint Security Management.*",
      halt: true,
      rewrites: [
        // Empty `administrator=` is accepted (`[^|]*`).
        { input: "message",   output: "user_name",     match: ".*[|]administrator=([^|]*).*", replace: "$1" },
        { input: "message",   output: "src_ip",        match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message",   output: "device_host",   match: ".*[|]origin=([^|]+).*",        replace: "$1" },
        { input: "message",   output: "object_name",   match: ".*[|]objectname=([^|]+).*",    replace: "$1" },
        { input: "message",   output: "operation",     match: ".*[|]operation=([^|]+).*",    replace: "$1" },
        // Must follow the `operation` extraction above.
        { input: "operation", output: "finding_title", match: "(.*)", replace: "Check Point Management Audit: $1" }
      ]
    },

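    // 4. IPS — discriminator: protection_type=ips
    //
    // Severity and disposition below are DEFAULTS that the rewrites refine from the log itself:
    // the blade's own `severity=` is mapped onto the OCSF scale, and a detect-only hit
    // (`action=Detect`) is reported as Allowed rather than Blocked, mirroring rule 5. A rewrite
    // whose `match` does not fire leaves the static value in place.
    {
      id: "cp_ips",
      attributes: {
        "dataSource.category":  "ids",
        category_uid: 2, category_name: "Findings",
        class_uid: 2004, class_name: "Detection Finding",
        activity_id: 1, activity_name: "Create",
        type_uid: 200401,
        // Fallback when `severity=` is absent or uses a vocabulary not handled below.
        severity_id: 4, severity: "High",
        // Fallback when `action=` is absent or is not a detect-only verdict.
        disposition_id: 2, disposition: "Blocked"
      },
      // NOTE(review): case-sensitive; an export that writes `protection_type=IPS` would miss
      // this rule and fall through to the firewall/catch-all rules.
      format: ".*[|]protection_type=ips.*",
      halt: true,
      rewrites: [
        // Dotted-quad only; IPv6 addresses leave src_ip/dst_ip unset.
        { input: "message",     output: "src_ip",        match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message",     output: "dst_ip",        match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message",     output: "src_port",      match: ".*[|]s_port=(\\d+).*",                  replace: "$1" },
        // Digits only: a `service=` carrying a service name instead of a port leaves dst_port unset.
        { input: "message",     output: "dst_port",      match: ".*[|]service=(\\d+).*",                 replace: "$1" },
        { input: "message",     output: "attack",        match: ".*[|]attack=([^|]+).*",                 replace: "$1" },
        { input: "message",     output: "protection",    match: ".*[|]protection_name=([^|]+).*",        replace: "$1" },
        { input: "message",     output: "cp_severity",   match: ".*[|]severity=([^|]+).*",               replace: "$1" },
        // Check Point severity name → OCSF severity_id (6=Fatal unused, 5=Critical … 1=Informational).
        // Each pair is anchored and case-insensitive and only fires on an exact name, so a
        // numeric or unexpected value falls through to the High/4 default above.
        { input: "cp_severity", output: "severity",      match: "(?si)^\\s*critical\\s*$",      replace: "Critical" },
        { input: "cp_severity", output: "severity_id",   match: "(?si)^\\s*critical\\s*$",      replace: "5" },
        { input: "cp_severity", output: "severity",      match: "(?si)^\\s*high\\s*$",          replace: "High" },
        { input: "cp_severity", output: "severity_id",   match: "(?si)^\\s*high\\s*$",          replace: "4" },
        { input: "cp_severity", output: "severity",      match: "(?si)^\\s*medium\\s*$",        replace: "Medium" },
        { input: "cp_severity", output: "severity_id",   match: "(?si)^\\s*medium\\s*$",        replace: "3" },
        { input: "cp_severity", output: "severity",      match: "(?si)^\\s*low\\s*$",           replace: "Low" },
        { input: "cp_severity", output: "severity_id",   match: "(?si)^\\s*low\\s*$",           replace: "2" },
        { input: "cp_severity", output: "severity",      match: "(?si)^\\s*informational\\s*$", replace: "Informational" },
        { input: "cp_severity", output: "severity_id",   match: "(?si)^\\s*informational\\s*$", replace: "1" },
        // Same detect-vs-block handling as rule 5: an IPS protection in Detect mode did not stop
        // the traffic, so do not report it as Blocked. Any other action keeps the Blocked default.
        // NOTE(review): OCSF 1.3 also defines a dedicated "Detected" disposition which may be a
        // closer fit than Allowed — confirm against the schema and change both rules together.
        { input: "message",     output: "cp_action",      match: ".*[|]action=([^|]+).*",                replace: "$1" },
        { input: "cp_action",   output: "disposition",    match: "(?i)^detect$", replace: "Allowed" },
        { input: "cp_action",   output: "disposition_id", match: "(?i)^detect$", replace: "1" },
        // `$0` is the whole attack name; runs after `attack` is populated.
        { input: "attack",      output: "finding_title", match: "(?i).*", replace: "Check Point IPS: $0" }
      ]
    },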

    // 5. ANTI-BOT / AV / TE — discriminator: malware_family=…
    {
      id: "cp_antibot_av",
      attributes: {
        "dataSource.category":  "antivirus",
        category_uid: 2, category_name: "Findings",
        class_uid: 2004, class_name: "Detection Finding",
        activity_id: 1, activity_name: "Create",
        type_uid: 200401,
        // Every malware hit is Critical regardless of the blade's own severity; the log's
        // `severity=` is not read here (contrast rule 4).
        severity_id: 5, severity: "Critical",
        // Default verdict; overridden to Allowed below only for a detect-only action.
        disposition_id: 2, disposition: "Blocked"
      },
      // `$malware_family=word$` both discriminates and captures the field; `word` is `[^|]+`,
      // so a line with an empty `malware_family=` does not match this rule.
      format: ".*[|]malware_family=$malware_family=word$.*",
      halt: true,
      rewrites: [
        { input: "message",      output: "src_ip",         match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message",      output: "dst_ip",         match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message",      output: "malware_name",   match: ".*[|]malware_name=([^|]+).*",            replace: "$1" },
        // Extracted for context only; not mapped onto disposition (that uses `action=` below).
        { input: "message",      output: "malware_action", match: ".*[|]malware_action=([^|]+).*",          replace: "$1" },
        { input: "message",      output: "ioc_url",        match: ".*[|]resource=([^|]+).*",                replace: "$1" },
        { input: "message",      output: "cp_action",      match: ".*[|]action=([^|]+).*",                  replace: "$1" },
        // Detect-only: the threat was observed but not stopped, so it must not read as Blocked.
        // NOTE(review): OCSF 1.3 also has a dedicated "Detected" disposition that may fit better
        // than Allowed — confirm against the schema.
        { input: "cp_action",    output: "disposition",    match: "(?i)^detect$", replace: "Allowed" },
        { input: "cp_action",    output: "disposition_id", match: "(?i)^detect$", replace: "1" },
        // `$0` is the whole malware name; must follow the `malware_name` extraction.
        { input: "malware_name", output: "finding_title",  match: "(?i).*", replace: "Check Point Malware: $0" }
      ]
    },

    // 6. APP CTRL / URL FILTERING — discriminator: app_name=…
    {
      id: "cp_app_control",
      attributes: {
        "dataSource.category":  "application",
        category_uid: 4, category_name: "Network Activity",
        class_uid: 4002, class_name: "HTTP Activity",
        // NOTE(review): "Connection" is not an OCSF 4002 activity name; activity_id 1 there is
        // the HTTP CONNECT method if I recall — confirm against the schema (99/Other may fit better).
        activity_id: 1, activity_name: "Connection",
        type_uid: 400201,
        severity_id: 2, severity: "Low",
        // Default verdict; flipped to Blocked below only for drop/reject.
        disposition_id: 1, disposition: "Allowed"
      },
      // Captures `app_name` while discriminating. Firewall lines that also carry app_name are
      // consumed here (halt:true) and never reach rules 7–9, which is why the action mapping
      // below exists.
      format: ".*[|]app_name=$app_name=word$.*",
      halt: true,
      rewrites: [
        { input: "message",   output: "src_ip",         match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message",   output: "dst_ip",         match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message",   output: "src_port",       match: ".*[|]s_port=(\\d+).*",                  replace: "$1" },
        // Digits only; a named `service=` leaves dst_port unset.
        { input: "message",   output: "dst_port",       match: ".*[|]service=(\\d+).*",                 replace: "$1" },
        { input: "message",   output: "app_category",   match: ".*[|]app_category=([^|]+).*",           replace: "$1" },
        { input: "message",   output: "app_risk",       match: ".*[|]app_risk=([^|]+).*",               replace: "$1" },
        // `user=` here, unlike the mgmt rules which use `administrator=`.
        { input: "message",   output: "user_name",      match: ".*[|]user=([^|]+).*",                   replace: "$1" },
        { input: "message",   output: "url",            match: ".*[|]resource=([^|]+).*",               replace: "$1" },
        { input: "message",   output: "cp_action",      match: ".*[|]action=([^|]+).*",                 replace: "$1" },
        // Only drop/reject become Blocked; any other blocking verb the blade may emit keeps the
        // Allowed default. NOTE(review): confirm the action vocabulary for this blade.
        { input: "cp_action", output: "disposition",    match: "(?i)^drop$|^reject$", replace: "Blocked" },
        { input: "cp_action", output: "disposition_id", match: "(?i)^drop$|^reject$", replace: "2" }
      ]
    },

    // 7. FW Drop fallback — discriminator: action=Drop
    //
    // Reached only by lines no earlier rule consumed (no mgmt product, no protection_type=ips,
    // no malware_family, no app_name).
    {
      id: "cp_drop",
      attributes: {
        "dataSource.category":  "firewall",
        // A plain rulebase drop is modelled as a Finding here, not as Network Activity like
        // rule 9; deliberate, but it means every dropped packet becomes a Medium finding.
        category_uid: 2, category_name: "Findings",
        class_uid: 2004, class_name: "Detection Finding",
        activity_id: 1, activity_name: "Create",
        type_uid: 200401,
        finding_title: "Check Point Firewall Drop",
        severity_id: 3, severity: "Medium",
        disposition_id: 2, disposition: "Blocked"
      },
      // NOTE(review): case-sensitive, whereas rule 6 matches the same field with (?i). An export
      // writing `action=drop` would skip rules 7–9 and land in the catch-all as Informational.
      format: ".*[|]action=Drop.*",
      halt: true,
      rewrites: [
        { input: "message", output: "src_ip",   match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message", output: "dst_ip",   match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*",                   replace: "$1" },
        // Digits only; a named `service=` leaves dst_port unset.
        { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*",                  replace: "$1" },
        { input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*",                    replace: "$1" }
      ]
    },

    // 8. FW Reject — discriminator: action=Reject
    //
    // Identical to rule 7 apart from the discriminator and title; a Reject differs from a Drop
    // only in that the sender is notified.
    {
      id: "cp_reject",
      attributes: {
        "dataSource.category":  "firewall",
        category_uid: 2, category_name: "Findings",
        class_uid: 2004, class_name: "Detection Finding",
        activity_id: 1, activity_name: "Create",
        type_uid: 200401,
        finding_title: "Check Point Firewall Reject",
        severity_id: 3, severity: "Medium",
        disposition_id: 2, disposition: "Blocked"
      },
      // Case-sensitive (see note on rule 7).
      format: ".*[|]action=Reject.*",
      halt: true,
      rewrites: [
        { input: "message", output: "src_ip",   match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message", output: "dst_ip",   match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*",                   replace: "$1" },
        // Digits only; a named `service=` leaves dst_port unset.
        { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*",                  replace: "$1" },
        { input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*",                    replace: "$1" }
      ]
    },

    // 9. FW Accept — discriminator: action=Accept
    //
    // Allowed traffic is plain Network Activity (class 4001 / Traffic), not a Finding — the
    // only one of the three firewall verdicts modelled that way.
    {
      id: "cp_accept",
      attributes: {
        "dataSource.category":  "firewall",
        category_uid: 4, category_name: "Network Activity",
        class_uid: 4001, class_name: "Network Activity",
        activity_id: 6, activity_name: "Traffic",
        type_uid: 400106,
        disposition_id: 1, disposition: "Allowed",
        severity_id: 1, severity: "Informational"
      },
      // Case-sensitive (see note on rule 7).
      format: ".*[|]action=Accept.*",
      halt: true,
      rewrites: [
        { input: "message", output: "src_ip",   match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message", output: "dst_ip",   match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*",                   replace: "$1" },
        // Digits only; a named `service=` leaves dst_port unset.
        { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*",                  replace: "$1" },
        { input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*",                    replace: "$1" }
      ]
    },

    // 10. CATCH-ALL — any Check Point log not matched above
    //
    // Anything with a `time=<epoch>|` prefix that no earlier rule claimed lands here as an
    // Informational inventory event. That includes blade verdicts whose action is not
    // Drop/Reject/Accept and lines that missed a discriminator on case alone, so a
    // security-relevant event can be downgraded to Informational by this rule.
    // NOTE(review): alert on volume here — growth usually means an export format change.
    {
      id: "cp_catchall",
      attributes: {
        "dataSource.category":  "security",
        category_uid: 5, category_name: "Discovery",
        class_uid: 5001, class_name: "Device Inventory Info",
        activity_id: 1, activity_name: "Log",
        type_uid: 500101,
        severity_id: 1, severity: "Informational"
      },
      format: ".*time=\\d+[|].*",
      halt: true,
      rewrites: [
        { input: "message", output: "src_ip",      match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message", output: "dst_ip",      match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message", output: "src_port",    match: ".*[|]s_port=(\\d+).*",                   replace: "$1" },
        { input: "message", output: "dst_port",    match: ".*[|]service=(\\d+).*",                  replace: "$1" },
        { input: "message", output: "protocol",    match: ".*[|]proto=([^|]+).*",                   replace: "$1" },
        // Kept raw so misrouted events can still be triaged by product and action.
        { input: "message", output: "cp_product",  match: ".*[|]product=([^|]+).*",                 replace: "$1" },
        { input: "message", output: "cp_action",   match: ".*[|]action=([^|]+).*",                  replace: "$1" }
      ]
    }

  ]
}
