{
  "attributes": {
    "dataSource.vendor": "GitHub",
    "dataSource.name": "GitHub Audit",
    "dataSource.category": "security",
    "dataSource.technology": "source_control"
  },
  
  "formats": [
    {
      "id": "github_audit_json",
      "format": "$unmapped.{parse=gron}$",
      "attributes": {
        "class_uid": 8001,
        "class_name": "DevOps Activity",
        "category_uid": 8,
        "category_name": "System Activity",
        "type_uid": 800101,
        "activity_id": 1,
        "activity_name": "Repository Activity",
        "severity_id": 1
      },
      "rewrites": [
        {
          "input": "timestamp",
          "output": "time",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "actor",
          "output": "user.name",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "source_ip",
          "output": "src_endpoint.ip",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "org",
          "output": "metadata.tenant_uid",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "repository",
          "output": "resource.name",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "action",
          "output": "activity_name",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "outcome",
          "output": "status",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "description",
          "output": "message",
          "match": ".*",
          "replace": "$0"
        }
      ]
    }
  ]
}