{
  // QRadar JSON parser — OCSF v1.3.0
  attributes: {
    "metadata.version":             "1.3.0",
    "metadata.product.vendor_name": "IBM",
    "metadata.product.name":        "QRadar",
    "Category":               "siem",
    "dataSource.vendor":      "IBM",
    "dataSource.name":        "QRadar",
    "dataSource.category":    "siem",
    "category_uid":           4,
    "category_name":          "Network Activity",
    "class_uid":              4001,
    "class_name":             "Network Activity",
    "activity_id":            6,
    "type_uid":               400106,
    "status_id":              1,
    "status":                 "Success",
    "severity_id":            1,
    "severity":               "Informational"
  },

  formats: [
    {
      format: "$=json{parse=json}$",
      halt: true,
      rewrites: [
        { input: "sourceIP",        output: "src_endpoint.ip",   match: ".*", replace: "$0" },
        { input: "sourceIP",        output: "src_ip",            match: ".*", replace: "$0" },
        { input: "sourcePort",      output: "src_endpoint.port", match: ".*", replace: "$0" },
        { input: "destinationIP",   output: "dst_endpoint.ip",   match: ".*", replace: "$0" },
        { input: "destinationIP",   output: "dst_ip",            match: ".*", replace: "$0" },
        { input: "destinationPort", output: "dst_endpoint.port", match: ".*", replace: "$0" },
        { input: "protocol",        output: "connection_info.protocol_name", match: ".*", replace: "$0" },
        { input: "username",        output: "actor.user.name",   match: ".*", replace: "$0" },
        { input: "username",        output: "user_name",         match: ".*", replace: "$0" },
        { input: "category",        output: "metadata.event_type", match: ".*", replace: "$0" },

        // QRadar magnitude → severity
        { input: "magnitude", output: "severity_id", match: "^[1-3]$", replace: "2" },
        { input: "magnitude", output: "severity_id", match: "^[4-6]$", replace: "3" },
        { input: "magnitude", output: "severity_id", match: "^[7-8]$", replace: "4" },
        { input: "magnitude", output: "severity_id", match: "^(9|10)$", replace: "5" },

        // Detection Finding for "Suspicious" / "Authentication" categories
        { input: "category", output: "class_uid",     match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "2004" },
        { input: "category", output: "class_name",    match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "Detection Finding" },
        { input: "category", output: "category_uid",  match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "2" },
        { input: "category", output: "category_name", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "Findings" },
        { input: "category", output: "type_uid",      match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "200401" },
        { input: "category", output: "finding_title", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "$0" },
        { input: "category", output: "finding_info.title", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "$0" },
        { input: "category", output: "severity_id",   match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "4" },
        { input: "category", output: "severity",      match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "High" }
      ]
    }
  ]
}