{
  "attributes": {
    "dataSource.vendor": "Ping Identity",
    "dataSource.name": "PingProtect",
    "dataSource.category": "security",
    "metadata.product.vendor_name": "Ping Identity",
    "metadata.product.name": "PingProtect",
    "metadata.version": "1.0.0"
  },
  "formats": [
    {
      "format": "$unmapped.{parse=json}$",
      "rewrites": [
        {
          "input": "unmapped.timestamp",
          "output": "timestamp",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "unmapped.recordedAt",
          "output": "recorded_at",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "unmapped.actors\\.client\\.id",
          "output": "actor.app.name",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "unmapped.actors\\.user\\.id",
          "output": "actor.user.uid",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "unmapped.source\\.ip",
          "output": "src_endpoint.ip",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "unmapped.action\\.type",
          "output": "activity_name",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "unmapped.action\\.description",
          "output": "activity_desc",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "unmapped.resources\\.application\\.id",
          "output": "resource.uid",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "unmapped.result\\.status",
          "output": "status_detail",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "unmapped.result\\.description",
          "output": "message",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "unmapped.dataSource",
          "output": "metadata.product.name",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "unmapped.dataSource\\.vendor",
          "output": "metadata.product.vendor_name",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "unmapped.dataSource\\.name",
          "output": "metadata.product.name",
          "match": ".*",
          "replace": "$0"
        },
        {
          "input": "unmapped.dataSource\\.category",
          "output": "metadata.product.category",
          "match": ".*",
          "replace": "$0"
        }
      ]
    }
  ],
  "mappings": {
    "version": 1,
    "mappings": [
      {
        "predicate": "activity_name = *",
        "transformations": [
          {
            "constant": {
              "value": 3001,
              "field": "class_uid"
            }
          },
          {
            "constant": {
              "value": "Account Change",
              "field": "class_name"
            }
          },
          {
            "constant": {
              "value": 3,
              "field": "category_uid"
            }
          },
          {
            "constant": {
              "value": "Identity & Access Management",
              "field": "category_name"
            }
          },
          {
            "constant": {
              "value": 5,
              "field": "activity_id",
              "predicate": "activity_name = 'SECRET.READ'"
            }
          },
          {
            "constant": {
              "value": "Read",
              "field": "activity_name",
              "predicate": "activity_name = 'SECRET.READ'"
            }
          },
          {
            "constant": {
              "value": 3,
              "field": "activity_id",
              "predicate": "activity_name = 'ROLE_ASSIGNMENT.DELETED'"
            }
          },
          {
            "constant": {
              "value": "Delete",
              "field": "activity_name",
              "predicate": "activity_name = 'ROLE_ASSIGNMENT.DELETED'"
            }
          },
          {
            "constant": {
              "value": 99,
              "field": "activity_id",
              "predicate": "activity_name = 'MFA.CHALLENGE'"
            }
          },
          {
            "constant": {
              "value": "Other",
              "field": "activity_name",
              "predicate": "activity_name = 'MFA.CHALLENGE'"
            }
          },
          {
            "constant": {
              "value": 1,
              "field": "status_id",
              "predicate": "status_detail = 'SUCCESS'"
            }
          },
          {
            "constant": {
              "value": "Success",
              "field": "status",
              "predicate": "status_detail = 'SUCCESS'"
            }
          },
          {
            "constant": {
              "value": 2,
              "field": "status_id",
              "predicate": "status_detail = 'FAILURE'"
            }
          },
          {
            "constant": {
              "value": "Failure",
              "field": "status",
              "predicate": "status_detail = 'FAILURE'"
            }
          },
          {
            "constant": {
              "value": 1,
              "field": "severity_id"
            }
          },
          {
            "constant": {
              "value": "Informational",
              "field": "severity"
            }
          },
          {
            "constant": {
              "value": 300101,
              "field": "type_uid"
            }
          },
          {
            "copy": {
              "from": "actor.user.uid",
              "to": "actor.user.uid"
            }
          },
          {
            "copy": {
              "from": "actor.app.name",
              "to": "actor.app.name"
            }
          },
          {
            "copy": {
              "from": "src_endpoint.ip",
              "to": "src_endpoint.ip"
            }
          },
          {
            "copy": {
              "from": "resource.uid",
              "to": "resource.uid"
            }
          },
          {
            "copy": {
              "from": "activity_desc",
              "to": "activity_desc"
            }
          },
          {
            "copy": {
              "from": "status_detail",
              "to": "status_detail"
            }
          },
          {
            "copy": {
              "from": "recorded_at",
              "to": "recorded_at"
            }
          },
          {
            "copy": {
              "from": "message",
              "to": "message"
            }
          },
          {
            "copy": {
              "from": "metadata.product.name",
              "to": "metadata.product.name"
            }
          },
          {
            "copy": {
              "from": "metadata.product.vendor_name",
              "to": "metadata.product.vendor_name"
            }
          },
          {
            "copy": {
              "from": "metadata.product.category",
              "to": "metadata.product.category"
            }
          }
        ]
      }
    ]
  },
  "observables": {
    "fields": [
      {
        "name": "actor.user.uid",
        "type": "User"
      },
      {
        "name": "actor.app.name",
        "type": "Other"
      },
      {
        "name": "src_endpoint.ip",
        "type": "IP Address"
      },
      {
        "name": "resource.uid",
        "type": "Other"
      }
    ]
  }
}