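{
  // F5 BIG-IP LTM iRule + ASM parser — OCSF v1.3.0
  //
  // JSON5-style document (unquoted keys, `//` comments): it must be loaded by a
  // JSON5-aware reader; a strict application/json parser rejects it. Each
  // `//` comment has to sit on its own line — collapsed onto one line, a comment
  // swallows every token that follows it up to the next line break.
  //
  // Layout: `attributes` are the defaults every parsed event carries, `patterns`
  // are named regex fragments referenced as `$field=pattern$` inside a `format`,
  // and `formats` are tried in order with `halt: true` stopping at the first
  // match. Presumably a format's `attributes` are merged over the defaults — the
  // finding formats override class/category but not activity_id/status_id —
  // confirm against the loader.

  // Defaults: HTTP Activity (4002), activity 1 / type 400201, status 1,
  // severity 1, unless a format overrides the key.
  attributes: {
    "metadata.version": "1.3.0",
    "metadata.product.vendor_name": "F5",
    "metadata.product.name": "BIG-IP LTM",
    "metadata.log_provider": "syslog",
    // Key case differs from its siblings; presumably matched verbatim by a
    // downstream consumer, so it is left as is.
    "Category": "network",
    "dataSource.vendor": "F5",
    "dataSource.name": "BIG-IP LTM",
    "dataSource.category": "load-balancer",
    "category_uid": 4,
    "category_name": "Network Activity",
    "class_uid": 4002,
    "class_name": "HTTP Activity",
    "activity_id": 1,
    "type_uid": 400201,
    "status_id": 1,
    "severity_id": 1
  },

  // Named regex fragments. Only `ipv4` and `word` are referenced by a format
  // below; `untilSpace`, `untilC` and `rest` are currently unused.
  // `ipv4` is deliberately loose (any four dot-separated digit runs): adequate
  // for extraction, but the captured src_ip is not validated as an address.
  patterns: {
    ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
    word: "\\S+",
    untilSpace: "[^ ]+",
    untilC: "[^\\n]*?",
    rest: ".*"
  },

  // Ordered; first match halts. The three detection formats must stay ahead of
  // `f5_http`, whose pattern also matches the "Client a:b -> VIP c:d" fragment
  // of a blocked line.
  formats: [
    // BLOCKED iRule WAF event → Detection Finding (CRITICAL)
    // Requires "BLOCKED" to appear before "Client"; a line that logs the
    // verdict after the client tuple would fall through to `f5_http` and be
    // reported as informational — confirm the iRule's log ordering.
    {
      id: "f5_blocked",
      attributes: {
        class_uid: 2004,
        class_name: "Detection Finding",
        category_uid: 2,
        category_name: "Findings",
        type_uid: 200401,
        finding_title: "F5 BIG-IP WAF Block",
        severity_id: 5,
        severity: "Critical",
        disposition_id: 2,
        disposition: "Blocked"
      },
      format: ".*BLOCKED.*Client $src_ip=ipv4$:$src_port=word$.*",
      halt: true
    },

    // SSL handshake failed → Detection Finding (MEDIUM)
    // No disposition is set here; the event inherits the default status_id.
    {
      id: "f5_ssl_fail",
      attributes: {
        class_uid: 2004,
        class_name: "Detection Finding",
        category_uid: 2,
        category_name: "Findings",
        type_uid: 200401,
        finding_title: "F5 SSL Handshake Failure",
        severity_id: 3,
        severity: "Medium"
      },
      format: ".*SSL Handshake failed for TCP $src_ip=ipv4$:$src_port=word$.*",
      halt: true
    },

    // ASM violation (key=value style)
    // Disposition is fixed to Blocked for every line containing "ASM:" and an
    // ip_client value. If the policy also logs alerted / transparent-mode
    // violations in this shape they would be reported as Blocked — TODO confirm,
    // or derive disposition from the request-status field of the ASM log.
    {
      id: "f5_asm_violation",
      attributes: {
        class_uid: 2004,
        class_name: "Detection Finding",
        category_uid: 2,
        category_name: "Findings",
        type_uid: 200401,
        finding_title: "F5 ASM Web Application Attack",
        severity_id: 5,
        severity: "Critical",
        disposition_id: 2,
        disposition: "Blocked"
      },
      format: ".*ASM:.*ip_client=\"$src_ip=ipv4$\".*",
      halt: true
    },

    // Standard HTTP request (informational)
    // Catch-all for connection logs. The VIP half of the pattern must stay on
    // the same line as the client half: a raw line break inside the string is
    // not a valid JSON5 string and would split the regex. Separator assumed to
    // be a single space — verify against the iRule's log statement.
    {
      id: "f5_http",
      attributes: {
        class_uid: 4002,
        class_name: "HTTP Activity",
        type_uid: 400201
      },
      format: ".*Client $src_ip=ipv4$:$src_port=word$ -> VIP $vip_ip=ipv4$:$vip_port=word$.*",
      halt: true
    }
  ]
}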