From 2eb71ee618105e5f4f6f53cfdf653e7b07b706e0 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Thu, 29 Jan 2026 12:01:48 -0600 Subject: [PATCH 001/105] feat(pfsense): update pfsense filter --- .../20260129002_update_filter_pfsense.xml | 372 ++++++++++++++++++ .../resources/config/liquibase/master.xml | 2 + 2 files changed, 374 insertions(+) create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260129002_update_filter_pfsense.xml diff --git a/backend/src/main/resources/config/liquibase/changelog/20260129002_update_filter_pfsense.xml b/backend/src/main/resources/config/liquibase/changelog/20260129002_update_filter_pfsense.xml new file mode 100644 index 000000000..9316b44d6 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260129002_update_filter_pfsense.xml @@ -0,0 +1,372 @@ + + + + + + + ' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.deviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}{{.space}}{{.time}}{{.iso8601Timezone}}' + - fieldName: log.syslogHost + pattern: '{{.hostname}}' + - fieldName: log.msgAll + pattern: '{{.greedy}}' + source: raw + where: regexMatch("raw", "\\d{4}-\\d{2}-\\d{2}") + + # Parsing syslog format date (OPNsense/pfSense) + - grok: + patterns: + - fieldName: log.priority + pattern: '\<{{.integer}}\>' + - fieldName: log.deviceTime + pattern: '{{.monthName}}{{.space}}{{.monthDay}}{{.space}}{{.time}}{{.space}}' + - fieldName: log.syslogHost + pattern: '{{.hostname}}{{.space}}' + - fieldName: log.msgAll + pattern: '{{.greedy}}' + source: raw + where: regexMatch("raw", "<\\d+>[A-Z][a-z]{2}\\s+\\d{1,2}\\s+\\d{2}") + + #......................................................................# + # Removing unnecessary characters of the syslogHeader + #......................................................................# + - trim: + function: prefix + substring: "<" + fields: + - log.priority + - trim: + function: suffix + substring: ">" + fields: + - log.priority + + #......................................................................# + # Checking that the msgAll field exists + #......................................................................# + - grok: + patterns: + - fieldName: log.eventType + pattern: '{{.word}}' + - fieldName: log.pid + pattern: '(\[)?({{.integer}}?)(\])?(- -|:)' + - fieldName: log.csvMsg + pattern: '{{.greedy}}' + source: log.msgAll + + #......................................................................# + # Removing unnecessary characters + #......................................................................# + - trim: + function: prefix + substring: "[" + fields: + - log.pid + - trim: + function: suffix + substring: "]:" + fields: + - log.pid + + # ..........................................................................# + # Remove issues fileds + # ..........................................................................# + - delete: + fields: + - log.msgAll + + #......................................................................# + # Using csv to parse the message + #......................................................................# + - csv: + source: log.csvMsg + separator: "," + headers: + - log.ruleNumber + - log.subRuleNumber + - log.anchor + - log.tracker + - log.realInterface + - log.reason + - log.action + - log.direction + - log.ipVersion + - log.ipv4Tos + - log.ipv4Ecn + - log.ipv4Ttl + - log.ipv4Id + - log.ipv4Offset + - log.ipv4Flags + - log.ipv4ProtocolId + - log.proto + - log.ipLength + - log.srcIp + - log.dstIp + - log.srcPort + - log.dstPort + - log.dataLength + - log.tcpFlags + - log.sequenceNumber + - log.ackNumber + - log.tcpWindow + - log.urg + - log.tcpOptions + where: regexMatch("log.csvMsg", "(.+),(\\s)?(match|\\w+),(block|pass),(in|out),(4|6),(.+)(tcp|TCP|Tcp)") + + # .......................................................................# + - csv: + source: log.csvMsg + separator: "," + headers: + - log.ruleNumber + - log.subRuleNumber + - log.anchor + - log.tracker + - log.realInterface + - log.reason + - log.action + - log.direction + - log.ipVersion + - log.ipv4Tos + - log.ipv4Ecn + - log.ipv4Ttl + - log.ipv4Id + - log.ipv4Offset + - log.ipv4Flags + - log.ipv4ProtocolId + - log.proto + - log.ipLength + - log.srcIp + - log.dstIp + - log.srcPort + - log.dstPort + - log.dataLength + where: regexMatch("log.csvMsg", "(.+),(\\s)?(match|\\w+),(block|pass),(in|out),(4|6),(.+)(udp|UDP|Udp)") + + #......................................................................# + - csv: + source: log.csvMsg + separator: "," + headers: + - log.ruleNumber + - log.subRuleNumber + - log.anchor + - log.tracker + - log.realInterface + - log.reason + - log.action + - log.direction + - log.ipVersion + - log.ipv4Tos + - log.ipv4Ecn + - log.ipv4Ttl + - log.ipv4Id + - log.ipv4Offset + - log.ipv4Flags + - log.ipv4ProtocolId + - log.proto + - log.ipLength + - log.srcIp + - log.dstIp + - log.icmpType + - log.icmpData1 + - log.icmpData2 + - log.icmpData3 + - log.icmpData4 + - log.icmpData5 + where: regexMatch("log.csvMsg", "(.+),(\\s)?(match|\\w+),(block|pass),(in|out),(4|6),(.+)(icmp|ICMP|Icmp)") + + #......................................................................# + - csv: + source: log.csvMsg + separator: "," + headers: + - log.ruleNumber + - log.subRuleNumber + - log.anchor + - log.tracker + - log.realInterface + - log.reason + - log.action + - log.direction + - log.ipVersion + - log.ipv6Class + - log.ipv6FlowLabel + - log.ipv6HopLimit + - log.proto + - log.ipv6ProtocolId + - log.ipLength + - log.srcIp + - log.dstIp + - log.srcPort + - log.dstPort + - log.dataLength + - log.tcpFlags + - log.sequenceNumber + - log.ackNumber + - log.tcpWindow + - log.urg + - log.tcpOptions + where: regexMatch("log.csvMsg", "(.+),(\\s)?(match|\\w+),(block|pass),(in|out),(6|17),(.+)(tcp|TCP|Tcp)") + + #......................................................................# + - csv: + source: log.csvMsg + separator: "," + headers: + - log.ruleNumber + - log.subRuleNumber + - log.anchor + - log.tracker + - log.realInterface + - log.reason + - log.action + - log.direction + - log.ipVersion + - log.ipv6Class + - log.ipv6FlowLabel + - log.ipv6HopLimit + - log.proto + - log.ipv6ProtocolId + - log.ipLength + - log.srcIp + - log.dstIp + - log.srcPort + - log.dstPort + - log.dataLength + where: regexMatch("log.csvMsg", "(.+),(match|\\w+),(block|pass),(in|out),6,(.+)(udp|UDP|Udp)") + + #......................................................................# + - csv: + source: log.csvMsg + separator: "," + headers: + - log.ruleNumber + - log.subRuleNumber + - log.anchor + - log.tracker + - log.realInterface + - log.reason + - log.action + - log.direction + - log.ipVersion + - log.ipv6Class + - log.ipv6FlowLabel + - log.ipv6HopLimit + - log.proto + - log.ipv6ProtocolId + - log.ipLength + - log.srcIp + - log.dstIp + - log.icmpType + - log.icmpData1 + - log.icmpData2 + - log.icmpData3 + - log.icmpData4 + - log.icmpData5 + where: regexMatch("log.csvMsg", "(.+),(match|\\w+),(block|pass),(in|out),(6|17),(.+)(icmp|ICMP|Icmp)") + + # ................................................# + # Rename fields + # ................................................# + - rename: + from: + - log.action + to: action + + - rename: + from: + - log.proto + to: protocol + + - rename: + from: + - log.srcIp + to: origin.ip + + - rename: + from: + - log.dstIp + to: target.ip + + - rename: + from: + - log.srcPort + to: origin.port + + - rename: + from: + - log.dstPort + to: target.port + + # ................................................# + # Fileds conversions + # ................................................# + - cast: + fields: + - origin.port + - target.port + to: int + + # Adding geolocation to origin.ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + + # Adding geolocation to target.ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: target.ip + destination: target.geolocation + where: exists("target.ip") + + # ..........................................................................# + # Remove issues fileds + # ..........................................................................# + - delete: + fields: + - log.csvMsg + +$$ + WHERE id=1522; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml index 71b5ddba4..13634f749 100644 --- a/backend/src/main/resources/config/liquibase/master.xml +++ b/backend/src/main/resources/config/liquibase/master.xml @@ -327,6 +327,8 @@ + + From fe30f0bacaf9db808ba9618c139a9e114d62ccbf Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Thu, 29 Jan 2026 12:12:15 -0600 Subject: [PATCH 002/105] fix: update query suggestions to remove redundant log prefix Signed-off-by: Manuel Abascal --- .../query-suggestions/query-suggestions.constants.ts | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/frontend/src/app/shared/components/code-editor/components/query-suggestions/query-suggestions.constants.ts b/frontend/src/app/shared/components/code-editor/components/query-suggestions/query-suggestions.constants.ts index 289184c58..63efc2888 100644 --- a/frontend/src/app/shared/components/code-editor/components/query-suggestions/query-suggestions.constants.ts +++ b/frontend/src/app/shared/components/code-editor/components/query-suggestions/query-suggestions.constants.ts @@ -6,7 +6,7 @@ export interface QuerySuggestion { export const QUERY_SUGGESTIONS: QuerySuggestion[] = [ { label: 'Selecting Fields', - query: `SELECT lastEvent.log.action, severity + query: `SELECT lastEvent.action, severity FROM v11-alert-* LIMIT 20;` }, @@ -32,13 +32,13 @@ export const QUERY_SUGGESTIONS: QuerySuggestion[] = [ }, { label: 'Selecting Nested Field', - query: `SELECT lastEvent.log.action AS action + query: `SELECT lastEvent.action AS action FROM v11-alert-* LIMIT 5;` }, { label: 'Using Aggregations (COUNT)', - query: `SELECT lastEvent.log.action AS action, COUNT(*) AS total + query: `SELECT lastEvent.action AS action, COUNT(*) AS total FROM v11-alert-* WHERE @timestamp BETWEEN DATE_SUB(NOW(), INTERVAL 30 DAY) AND NOW() GROUP BY action @@ -47,7 +47,7 @@ export const QUERY_SUGGESTIONS: QuerySuggestion[] = [ }, { label: 'Using Aggregations (MAX)', - query: `SELECT lastEvent.log.action AS action, MAX(@timestamp) AS lastSeen + query: `SELECT lastEvent.action AS action, MAX(@timestamp) AS lastSeen FROM v11-alert-* GROUP BY action;` }, @@ -68,7 +68,7 @@ export const QUERY_SUGGESTIONS: QuerySuggestion[] = [ label: 'Using Subqueries', query: `SELECT action, total FROM ( - SELECT lastEvent.log.action AS action, COUNT(*) AS total + SELECT lastEvent.action AS action, COUNT(*) AS total FROM v11-alert-* WHERE @timestamp BETWEEN DATE_SUB(NOW(), INTERVAL 30 DAY) AND NOW() GROUP BY action From f9491e7bae33241592c10dc1e07d348df6d9fbcd Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Fri, 30 Jan 2026 15:38:39 -0600 Subject: [PATCH 003/105] feat: replace hardcoded search limit with MAX_SEARCH_RESULTS constant Signed-off-by: Manuel Abascal --- .../alert-management/alert-view/alert-view.component.ts | 5 ++--- .../alert-echoes-timeline/alert-echoes-timeline.component.ts | 3 ++- .../shared/components/alert-echoes/alert-echoes.component.ts | 3 ++- .../alert-rule-create/alert-rule-create.component.ts | 3 ++- .../file-management/file-view/file-view.component.ts | 3 ++- .../app/incident-response/shared/services/alert.service.ts | 3 ++- frontend/src/app/shared/constants/global.constant.ts | 2 ++ frontend/src/environments/environment.ts | 2 +- 8 files changed, 15 insertions(+), 9 deletions(-) diff --git a/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.ts b/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.ts index c69534c38..97b2cbe09 100644 --- a/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.ts +++ b/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.ts @@ -8,7 +8,6 @@ import {NgxSpinnerService} from 'ngx-spinner'; import {LocalStorageService} from 'ngx-webstorage'; import {Observable, Subject} from 'rxjs'; import {filter, takeUntil, tap} from 'rxjs/operators'; -import {TimelineItem} from 'src/app/shared/types/utm-timeline-item'; import {UtmToastService} from '../../../shared/alert/utm-toast.service'; import { ElasticFilterDefaultTime @@ -30,7 +29,7 @@ import { ALERT_ECHOES_FIELD } from '../../../shared/constants/alert/alert-field.constant'; import {AUTOMATIC_REVIEW, IGNORED} from '../../../shared/constants/alert/alert-status.constant'; -import {ADMIN_ROLE} from '../../../shared/constants/global.constant'; +import {ADMIN_ROLE, MAX_SEARCH_RESULTS} from '../../../shared/constants/global.constant'; import {MAIN_INDEX_PATTERN} from '../../../shared/constants/main-index-pattern.constant'; import {ITEMS_PER_PAGE} from '../../../shared/constants/pagination.constants'; import {SortDirection} from '../../../shared/directives/sortable/type/sort-direction.type'; @@ -340,7 +339,7 @@ export class AlertViewComponent implements OnInit, OnDestroy { getAlert(calledFrom?: string, filtersParam?: ElasticFilterType[]) { this.elasticDataService.search(this.page, this.itemsPerPage, - 100000000, this.dataNature, + MAX_SEARCH_RESULTS, this.dataNature, sanitizeFilters(this.filters), this.sortBy, true).subscribe( (res: HttpResponse) => { this.totalItems = Number(res.headers.get('X-Total-Count')); diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-echoes-timeline/alert-echoes-timeline.component.ts b/frontend/src/app/data-management/alert-management/shared/components/alert-echoes-timeline/alert-echoes-timeline.component.ts index 5828950f6..66217fc75 100644 --- a/frontend/src/app/data-management/alert-management/shared/components/alert-echoes-timeline/alert-echoes-timeline.component.ts +++ b/frontend/src/app/data-management/alert-management/shared/components/alert-echoes-timeline/alert-echoes-timeline.component.ts @@ -15,6 +15,7 @@ import {ElasticFilterType} from '../../../../../shared/types/filter/elastic-filt import {TimelineItem} from '../../../../../shared/types/utm-timeline-item'; import {sanitizeFilters} from '../../../../../shared/util/elastic-filter.util'; import {AlertEchoesTimelineService, TimelineGroup} from './alert-echoes-timeline.service'; +import {MAX_SEARCH_RESULTS} from "../../../../../shared/constants/global.constant"; @Component({ @@ -178,7 +179,7 @@ export class AlertEchoesTimelineComponent implements OnInit { loadData() { this.loading = true; this.elasticDataService.search(this.page, this.pageSize, - 100000000, DataNatureTypeEnum.ALERT, + MAX_SEARCH_RESULTS, DataNatureTypeEnum.ALERT, sanitizeFilters(this.filters), this.sortBy, true) .subscribe( (res: HttpResponse) => { diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-echoes/alert-echoes.component.ts b/frontend/src/app/data-management/alert-management/shared/components/alert-echoes/alert-echoes.component.ts index 998692c10..1197692f9 100644 --- a/frontend/src/app/data-management/alert-management/shared/components/alert-echoes/alert-echoes.component.ts +++ b/frontend/src/app/data-management/alert-management/shared/components/alert-echoes/alert-echoes.component.ts @@ -17,6 +17,7 @@ import {UtmAlertType} from '../../../../../shared/types/alert/utm-alert.type'; import {ElasticFilterType} from '../../../../../shared/types/filter/elastic-filter.type'; import {sanitizeFilters} from '../../../../../shared/util/elastic-filter.util'; import {EventDataTypeEnum} from '../../enums/event-data-type.enum'; +import {MAX_SEARCH_RESULTS} from "../../../../../shared/constants/global.constant"; @Component({ selector: 'app-alert-echoes', @@ -61,7 +62,7 @@ export class AlertEchoesComponent implements OnInit { loadChildrenAlerts() { this.loading = true; this.elasticDataService.search(this.page, this.itemsPerPage, - 100000000, this.dataNature, + MAX_SEARCH_RESULTS, this.dataNature, sanitizeFilters(this.filters), this.sortBy, true).subscribe( (res: HttpResponse) => { this.totalItems = Number(res.headers.get('X-Total-Count')); diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-rule-create/alert-rule-create.component.ts b/frontend/src/app/data-management/alert-management/shared/components/alert-rule-create/alert-rule-create.component.ts index 94c79dce9..19c596d7c 100644 --- a/frontend/src/app/data-management/alert-management/shared/components/alert-rule-create/alert-rule-create.component.ts +++ b/frontend/src/app/data-management/alert-management/shared/components/alert-rule-create/alert-rule-create.component.ts @@ -54,6 +54,7 @@ import {AlertRulesService} from '../../services/alert-rules.service'; import {AlertTagService} from '../../services/alert-tag.service'; import {setAlertPropertyValue} from '../../util/alert-util-function'; import {AlertActionRefreshService} from "../../services/alert-action-refresh.service"; +import {MAX_SEARCH_RESULTS} from "../../../../../shared/constants/global.constant"; @Component({ selector: 'app-alert-rule-create', @@ -415,7 +416,7 @@ export class AlertRuleCreateComponent implements OnInit, OnDestroy { this.elasticDataService.search( this.alertRequest.page, this.alertRequest.size, - 100000000, + MAX_SEARCH_RESULTS, this.alertRequest.dataNature, sanitizeFilters(this.alertRequest.filters), this.alertRequest.sort).subscribe( diff --git a/frontend/src/app/data-management/file-management/file-view/file-view.component.ts b/frontend/src/app/data-management/file-management/file-view/file-view.component.ts index 900eb279a..5db27bcd0 100644 --- a/frontend/src/app/data-management/file-management/file-view/file-view.component.ts +++ b/frontend/src/app/data-management/file-management/file-view/file-view.component.ts @@ -31,6 +31,7 @@ import { import {AccessMaskEnum} from '../shared/enum/access-mask.enum'; import {FileFieldEnum} from '../shared/enum/file-field.enum'; import {FileQueryParamEnum} from '../shared/enum/file-query-param.enum'; +import {MAX_SEARCH_RESULTS} from "../../../shared/constants/global.constant"; @Component({ selector: 'app-file-view', @@ -150,7 +151,7 @@ export class FileViewComponent implements OnInit { getFiles(calledFrom?: string) { this.elasticDataService.search(this.page, this.itemsPerPage, - 100000000, LOG_INDEX_WINLOGBEAT, + MAX_SEARCH_RESULTS, LOG_INDEX_WINLOGBEAT, sanitizeFilters(this.filters), this.sortBy).subscribe( (res: HttpResponse) => { this.totalItems = Number(res.headers.get('X-Total-Count')); diff --git a/frontend/src/app/incident-response/shared/services/alert.service.ts b/frontend/src/app/incident-response/shared/services/alert.service.ts index dd7427b87..47f0e32b7 100644 --- a/frontend/src/app/incident-response/shared/services/alert.service.ts +++ b/frontend/src/app/incident-response/shared/services/alert.service.ts @@ -6,6 +6,7 @@ import {UtmToastService} from '../../../shared/alert/utm-toast.service'; import {ElasticDataService} from '../../../shared/services/elasticsearch/elastic-data.service'; import {RefreshDataService} from '../../../shared/services/util/refresh-data.service'; import {sanitizeFilters} from '../../../shared/util/elastic-filter.util'; +import {MAX_SEARCH_RESULTS} from "../../../shared/constants/global.constant"; @Injectable( { @@ -23,7 +24,7 @@ export class AlertService extends RefreshDataService { return this.elasticDataService.search( request.page, request.size, - 100000000, + MAX_SEARCH_RESULTS, request.dataNature, sanitizeFilters(request.filters), request.sort) diff --git a/frontend/src/app/shared/constants/global.constant.ts b/frontend/src/app/shared/constants/global.constant.ts index 928e9118a..79a792de2 100644 --- a/frontend/src/app/shared/constants/global.constant.ts +++ b/frontend/src/app/shared/constants/global.constant.ts @@ -5,3 +5,5 @@ export const DEMO_URL = 'https://demo.utmstack.com/'; export const LOG_SOURCE_DASHBOARD_NAME = 'Log source system'; export const SAAS_DEFAULT_PASSWORD = 'DefaultPa$$word!'; export const ONLINE_DOCUMENTATION_BASE = 'https://docs.utmstack.com/UTMStackDocumentationSite/'; +export const MAX_SEARCH_RESULTS = 100000; + diff --git a/frontend/src/environments/environment.ts b/frontend/src/environments/environment.ts index c14489291..066a347a4 100644 --- a/frontend/src/environments/environment.ts +++ b/frontend/src/environments/environment.ts @@ -4,7 +4,7 @@ export const environment = { production: false, - SERVER_API_URL: 'https://192.168.1.18/', + SERVER_API_URL: 'https://10.11.12.113/', //SERVER_API_URL: 'http://localhost:8080/', SERVER_API_CONTEXT: '', SESSION_AUTH_TOKEN: window.location.host.split(':')[0].toLocaleUpperCase(), From 9b7cf317767bb30aee4d063e485c502e93a1bc38 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Fri, 30 Jan 2026 15:56:04 -0600 Subject: [PATCH 004/105] feat: replace hardcoded search limit with MAX_SEARCH_RESULTS constant Signed-off-by: Manuel Abascal --- .../alert-report-view/alert-report-view.component.ts | 4 ++-- .../alert-reports/alert-reports.component.ts | 4 ++-- .../components/save-report/save-report.component.ts | 1 - .../alert-events-related.component.ts | 4 ++-- .../file-save-data/file-save-data.component.ts | 4 ++-- .../log-analyzer-field-detail.component.ts | 4 ++-- .../log-analyzer-view/log-analyzer-view.component.ts | 10 ++++------ frontend/src/app/shared/constants/global.constant.ts | 2 +- .../src/app/shared/constants/log-analyzer.constant.ts | 1 - 9 files changed, 15 insertions(+), 19 deletions(-) delete mode 100644 frontend/src/app/shared/constants/log-analyzer.constant.ts diff --git a/frontend/src/app/data-management/alert-management/alert-report-view/alert-report-view.component.ts b/frontend/src/app/data-management/alert-management/alert-report-view/alert-report-view.component.ts index d5c0928ac..02a4a2234 100644 --- a/frontend/src/app/data-management/alert-management/alert-report-view/alert-report-view.component.ts +++ b/frontend/src/app/data-management/alert-management/alert-report-view/alert-report-view.component.ts @@ -2,7 +2,7 @@ import {HttpResponse} from '@angular/common/http'; import {Component, OnInit} from '@angular/core'; import {ActivatedRoute} from '@angular/router'; import * as moment from 'moment'; -import {LOG_ANALYZER_TOTAL_ITEMS} from '../../../shared/constants/log-analyzer.constant'; +import {MAX_SEARCH_RESULTS} from "../../../shared/constants/global.constant"; import {SortEvent} from '../../../shared/directives/sortable/type/sort-event'; import {DataNatureTypeEnum} from '../../../shared/enums/nature-data.enum'; import {ElasticDataExportService} from '../../../shared/services/elasticsearch/elastic-data-export.service'; @@ -78,7 +78,7 @@ export class AlertReportViewComponent implements OnInit { columns: this.report.columns, dataOrigin: DataNatureTypeEnum.ALERT, filters: this.report.filters, - top: LOG_ANALYZER_TOTAL_ITEMS + top: MAX_SEARCH_RESULTS }; this.elasticDataExportService.exportCsv(params, 'UTM ALERTS').then(() => { this.generateReport = false; diff --git a/frontend/src/app/data-management/alert-management/alert-reports/alert-reports.component.ts b/frontend/src/app/data-management/alert-management/alert-reports/alert-reports.component.ts index 23bcd521e..383b7ea37 100644 --- a/frontend/src/app/data-management/alert-management/alert-reports/alert-reports.component.ts +++ b/frontend/src/app/data-management/alert-management/alert-reports/alert-reports.component.ts @@ -6,7 +6,6 @@ import {AccountService} from '../../../core/auth/account.service'; import {User} from '../../../core/user/user.model'; import {UtmToastService} from '../../../shared/alert/utm-toast.service'; import {ModalConfirmationComponent} from '../../../shared/components/utm/util/modal-confirmation/modal-confirmation.component'; -import {LOG_ANALYZER_TOTAL_ITEMS} from '../../../shared/constants/log-analyzer.constant'; import {ITEMS_PER_PAGE} from '../../../shared/constants/pagination.constants'; import {SortEvent} from '../../../shared/directives/sortable/type/sort-event'; import {DataNatureTypeEnum} from '../../../shared/enums/nature-data.enum'; @@ -17,6 +16,7 @@ import {SortByType} from '../../../shared/types/sort-by.type'; import {AlertTagService} from '../shared/services/alert-tag.service'; import {AlertReportFilterComponent} from './shared/components/alert-report-filter/alert-report-filter.component'; import {AlertReportService} from './shared/services/report.service'; +import {MAX_SEARCH_RESULTS} from "../../../shared/constants/global.constant"; @Component({ selector: 'app-alert-saved-reports', @@ -128,7 +128,7 @@ export class AlertReportsComponent implements OnInit { columns: report.columns, dataOrigin: DataNatureTypeEnum.ALERT, filters: report.filters, - top: LOG_ANALYZER_TOTAL_ITEMS + top: MAX_SEARCH_RESULTS }; this.elasticDataExportService.exportCsv(params, 'UTM ALERTS').then(() => { this.generateReport = false; diff --git a/frontend/src/app/data-management/alert-management/alert-reports/shared/components/save-report/save-report.component.ts b/frontend/src/app/data-management/alert-management/alert-reports/shared/components/save-report/save-report.component.ts index 33c2be55e..7be5925ec 100644 --- a/frontend/src/app/data-management/alert-management/alert-reports/shared/components/save-report/save-report.component.ts +++ b/frontend/src/app/data-management/alert-management/alert-reports/shared/components/save-report/save-report.component.ts @@ -1,7 +1,6 @@ import {Component, Input, OnInit} from '@angular/core'; import {NgbActiveModal} from '@ng-bootstrap/ng-bootstrap'; import {UtmToastService} from '../../../../../../shared/alert/utm-toast.service'; -import {LOG_ANALYZER_TOTAL_ITEMS} from '../../../../../../shared/constants/log-analyzer.constant'; import {ALERT_INDEX_PATTERN} from '../../../../../../shared/constants/main-index-pattern.constant'; import {ElasticDataExportService} from '../../../../../../shared/services/elasticsearch/elastic-data-export.service'; import {AlertReportType} from '../../../../../../shared/types/alert/alert-report.type'; diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-events-related/alert-events-related.component.ts b/frontend/src/app/data-management/alert-management/shared/components/alert-events-related/alert-events-related.component.ts index cdf3a6b61..d7417d051 100644 --- a/frontend/src/app/data-management/alert-management/shared/components/alert-events-related/alert-events-related.component.ts +++ b/frontend/src/app/data-management/alert-management/shared/components/alert-events-related/alert-events-related.component.ts @@ -2,10 +2,10 @@ import {Component, Input, OnInit} from '@angular/core'; import { UtmTableDetailComponent } from '../../../../../shared/components/utm/table/utm-table/utm-table-detail/utm-table-detail.component'; -import {LOG_ANALYZER_TOTAL_ITEMS} from '../../../../../shared/constants/log-analyzer.constant'; import {ITEMS_PER_PAGE} from '../../../../../shared/constants/pagination.constants'; import {ElasticDataTypesEnum} from '../../../../../shared/enums/elastic-data-types.enum'; import {UtmFieldType} from '../../../../../shared/types/table/utm-field.type'; +import {MAX_SEARCH_RESULTS} from "../../../../../shared/constants/global.constant"; @Component({ selector: 'app-alert-events-related', @@ -20,7 +20,7 @@ export class AlertEventsRelatedComponent implements OnInit { @Input() events: any[] = []; displayedLogs: any[] = []; page = 1; - readonly totalItems = LOG_ANALYZER_TOTAL_ITEMS; + readonly totalItems = MAX_SEARCH_RESULTS; itemsPerPage = ITEMS_PER_PAGE; readonly componentDetail = UtmTableDetailComponent; sortField = ''; diff --git a/frontend/src/app/data-management/file-management/shared/components/file-save-data/file-save-data.component.ts b/frontend/src/app/data-management/file-management/shared/components/file-save-data/file-save-data.component.ts index 518f729e5..76ac61874 100644 --- a/frontend/src/app/data-management/file-management/shared/components/file-save-data/file-save-data.component.ts +++ b/frontend/src/app/data-management/file-management/shared/components/file-save-data/file-save-data.component.ts @@ -1,10 +1,10 @@ import {Component, Input, OnInit} from '@angular/core'; import {NgbActiveModal} from '@ng-bootstrap/ng-bootstrap'; -import {LOG_ANALYZER_TOTAL_ITEMS} from '../../../../../shared/constants/log-analyzer.constant'; import {DataNatureTypeEnum} from '../../../../../shared/enums/nature-data.enum'; import {ElasticDataExportService} from '../../../../../shared/services/elasticsearch/elastic-data-export.service'; import {ElasticFilterType} from '../../../../../shared/types/filter/elastic-filter.type'; import {UtmFieldType} from '../../../../../shared/types/table/utm-field.type'; +import {MAX_SEARCH_RESULTS} from "../../../../../shared/constants/global.constant"; @Component({ selector: 'app-file-save-data', @@ -30,7 +30,7 @@ export class FileSaveDataComponent implements OnInit { columns: this.fields, dataOrigin: DataNatureTypeEnum.EVENT, filters: this.filters, - top: LOG_ANALYZER_TOTAL_ITEMS + top: MAX_SEARCH_RESULTS }; this.elasticDataExportService.exportCsv(params, 'UTM FILE CLASSIFICATION').then(() => { this.generateReport = false; diff --git a/frontend/src/app/log-analyzer/explorer/log-analyzer-field/log-analyzer-field-card/log-analyzer-field-detail/log-analyzer-field-detail.component.ts b/frontend/src/app/log-analyzer/explorer/log-analyzer-field/log-analyzer-field-card/log-analyzer-field-detail/log-analyzer-field-detail.component.ts index e0464b536..6f579c7a9 100644 --- a/frontend/src/app/log-analyzer/explorer/log-analyzer-field/log-analyzer-field-card/log-analyzer-field-detail/log-analyzer-field-detail.component.ts +++ b/frontend/src/app/log-analyzer/explorer/log-analyzer-field/log-analyzer-field-card/log-analyzer-field-detail/log-analyzer-field-detail.component.ts @@ -1,7 +1,7 @@ import {Component, Input, OnDestroy, OnInit} from '@angular/core'; import {Observable} from 'rxjs'; import {UtmFilterBehavior} from '../../../../../shared/components/utm/filters/utm-elastic-filter/shared/behavior/utm-filter.behavior'; -import {LOG_ANALYZER_TOTAL_ITEMS} from '../../../../../shared/constants/log-analyzer.constant'; +import {MAX_SEARCH_RESULTS} from "../../../../../shared/constants/global.constant"; import {ElasticDataTypesEnum} from '../../../../../shared/enums/elastic-data-types.enum'; import {ElasticOperatorsEnum} from '../../../../../shared/enums/elastic-operators.enum'; import {ElasticSearchFieldInfoType} from '../../../../../shared/types/elasticsearch/elastic-search-field-info.type'; @@ -22,7 +22,7 @@ export class LogAnalyzerFieldDetailComponent implements OnInit, OnDestroy { filters: ElasticFilterType[] = []; fieldTopValues: LogAnalyzerFieldDetailType; loading = true; - total = LOG_ANALYZER_TOTAL_ITEMS; + total = MAX_SEARCH_RESULTS; public logObservable: Observable<{ filter: ElasticFilterType[], sort: string }>; subscription: any; private sort = '@timestamp,desc'; diff --git a/frontend/src/app/log-analyzer/explorer/log-analyzer-view/log-analyzer-view.component.ts b/frontend/src/app/log-analyzer/explorer/log-analyzer-view/log-analyzer-view.component.ts index 872f68a17..7ca10ec75 100644 --- a/frontend/src/app/log-analyzer/explorer/log-analyzer-view/log-analyzer-view.component.ts +++ b/frontend/src/app/log-analyzer/explorer/log-analyzer-view/log-analyzer-view.component.ts @@ -7,10 +7,9 @@ import * as moment from 'moment'; import {Observable, Subject} from 'rxjs'; import {filter, takeUntil} from 'rxjs/operators'; -import {ADMIN_ROLE} from '../../../shared/constants/global.constant'; +import {ADMIN_ROLE, MAX_SEARCH_RESULTS} from '../../../shared/constants/global.constant'; import {ALERT_INDEX_PATTERN, LOG_INDEX_PATTERN} from '../../../shared/constants/main-index-pattern.constant'; import {ITEMS_PER_PAGE} from '../../../shared/constants/pagination.constants'; -import {LOG_ANALYZER_TOTAL_ITEMS} from '../../../shared/constants/log-analyzer.constant'; import {ElasticDataTypesEnum} from '../../../shared/enums/elastic-data-types.enum'; import {ElasticOperatorsEnum} from '../../../shared/enums/elastic-operators.enum'; @@ -38,7 +37,6 @@ import {IndexFieldController} from '../../shared/behaviors/index-field-controlle import {IndexPatternBehavior} from '../../shared/behaviors/index-pattern.behavior'; import {LogFilterBehavior} from '../../shared/behaviors/log-filter.behavior'; import {QueryRunBehavior} from '../../shared/behaviors/query-run.behavior'; -import {TabService} from '../../shared/services/tab.service'; import {LogAnalyzerQueryType} from '../../shared/type/log-analyzer-query.type'; @Component({ @@ -54,7 +52,7 @@ export class LogAnalyzerViewComponent implements OnInit, OnDestroy { rows: any[] = []; page = 1; itemsPerPage = ITEMS_PER_PAGE; - totalItems = LOG_ANALYZER_TOTAL_ITEMS; + totalItems = MAX_SEARCH_RESULTS; view: 'table' | 'chart' = 'table'; filters: ElasticFilterType[] = [{ field: '@timestamp', @@ -254,7 +252,7 @@ export class LogAnalyzerViewComponent implements OnInit, OnDestroy { this.logAnalyzerService.search( this.page, this.itemsPerPage, - LOG_ANALYZER_TOTAL_ITEMS, + MAX_SEARCH_RESULTS, this.pattern.pattern, this.filters, this.sortBy).subscribe( @@ -380,7 +378,7 @@ export class LogAnalyzerViewComponent implements OnInit, OnDestroy { columns: this.fields, indexPattern: this.pattern.pattern, filters: this.filters, - top: LOG_ANALYZER_TOTAL_ITEMS + top: MAX_SEARCH_RESULTS }; this.elasticDataExportService.exportCsv(params, 'UTM LOG EXPLORER').then(() => { this.csvExport = false; diff --git a/frontend/src/app/shared/constants/global.constant.ts b/frontend/src/app/shared/constants/global.constant.ts index 79a792de2..0558e31c3 100644 --- a/frontend/src/app/shared/constants/global.constant.ts +++ b/frontend/src/app/shared/constants/global.constant.ts @@ -5,5 +5,5 @@ export const DEMO_URL = 'https://demo.utmstack.com/'; export const LOG_SOURCE_DASHBOARD_NAME = 'Log source system'; export const SAAS_DEFAULT_PASSWORD = 'DefaultPa$$word!'; export const ONLINE_DOCUMENTATION_BASE = 'https://docs.utmstack.com/UTMStackDocumentationSite/'; -export const MAX_SEARCH_RESULTS = 100000; +export const MAX_SEARCH_RESULTS = 10000; diff --git a/frontend/src/app/shared/constants/log-analyzer.constant.ts b/frontend/src/app/shared/constants/log-analyzer.constant.ts deleted file mode 100644 index a89f32a48..000000000 --- a/frontend/src/app/shared/constants/log-analyzer.constant.ts +++ /dev/null @@ -1 +0,0 @@ -export const LOG_ANALYZER_TOTAL_ITEMS = 10000; From 2ba7785635807b548700d231bf1ee1d6924a20c2 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Fri, 30 Jan 2026 17:07:46 -0600 Subject: [PATCH 005/105] feat: replace hardcoded search limit with MAX_SEARCH_RESULTS constant Signed-off-by: Manuel Abascal --- .../alert-report-view/alert-report-view.component.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frontend/src/app/data-management/alert-management/alert-report-view/alert-report-view.component.ts b/frontend/src/app/data-management/alert-management/alert-report-view/alert-report-view.component.ts index 02a4a2234..da20fce80 100644 --- a/frontend/src/app/data-management/alert-management/alert-report-view/alert-report-view.component.ts +++ b/frontend/src/app/data-management/alert-management/alert-report-view/alert-report-view.component.ts @@ -2,7 +2,7 @@ import {HttpResponse} from '@angular/common/http'; import {Component, OnInit} from '@angular/core'; import {ActivatedRoute} from '@angular/router'; import * as moment from 'moment'; -import {MAX_SEARCH_RESULTS} from "../../../shared/constants/global.constant"; +import {MAX_SEARCH_RESULTS} from '../../../shared/constants/global.constant'; import {SortEvent} from '../../../shared/directives/sortable/type/sort-event'; import {DataNatureTypeEnum} from '../../../shared/enums/nature-data.enum'; import {ElasticDataExportService} from '../../../shared/services/elasticsearch/elastic-data-export.service'; From 060eed01680369d0b6ad06caa66429b62ee8492f Mon Sep 17 00:00:00 2001 From: Osmany Montero Date: Mon, 2 Feb 2026 13:28:56 +0000 Subject: [PATCH 006/105] docs(README): fix broken tags, improve clarity, and correct grammar --- README.md | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 1f14d3b77..391b08831 100644 --- a/README.md +++ b/README.md @@ -4,21 +4,19 @@

- - - - - - + + + + + +

Enterprise-ready SIEM and XDR powered by Real-Time correlation and Threat Intelligence

## Introduction -Welcome to the UTMStack open-source project! UTMStack is a unified threat management platform that merges SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) technologies. Our unique approach allows real-time correlation of log data, threat intelligence, and malware activity patterns from multiple sources, enabling the identification and halting of complex threats that use stealthy techniques. Visit an [online demo here.](https://utmstack.com/demo) - -We have a [dedicated repository](https://github.com/utmstack/rules) for correlation rules, contributors are welcome to submit a pull request. +Welcome to the UTMStack open-source project! UTMStack is a unified threat management platform that merges SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) technologies. Our unique approach allows real-time correlation of log data, threat intelligence, and malware activity patterns from multiple sources, enabling the identification and halting of complex threats that use stealthy techniques. Visit an [online demo here.](https://utmstack.com/demo)

UTMStack UTMStack

@@ -80,7 +78,7 @@ Definitions: - Cold log storage: archived data that should be restored before accessing it. - Data source: any individual source of logs, for example, devices, agents, SaaS integrations. -Resources needed for one month of hot log storage. +Required resources for one month of hot log storage. - For 50 data sources (120 GB) of hot log storage you will need 4 Cores, 16 GB RAM, 150 GB Disk Space - For 120 data sources (250 GB) of hot log storage you will need 8 Cores, 16 GB RAM, 250 GB Disk Space - For 240 data sources (500 GB) of hot log storage you will need 16 Cores, 32 GB RAM, 500 GB Disk Space @@ -109,16 +107,16 @@ Once UTMStack is installed, use admin as the user and the password generated dur Note: Use HTTPS in front of your server name or IP to access the login page. ### Required ports -- 22/TCP Secure Shell (We recommend to create a firewall rule to allow it only from admin workstation) -- 80/TCP UTMStack Web-based Graphical User Interface Redirector (We recommend to create a firewall rule to allow it only from admin and security analyst workstations) -- 443/TCP UTMStack Web-based Graphical User Interface (We recommend to create a firewall rule to allow it only from admin and security analyst workstations) -- 9090/TCP Cockpit Web-based Graphical Interface for Servers (We recommend to create a firewall rule to allow it only from admin workstation) -- Others ports will be required during the configuration of UTMStack's integrations in order to receive logs. (Please follow the security recommendations given on the integration guide if exists) +- 22/TCP Secure Shell (We recommend creating a firewall rule to allow it only from admins workstations) +- 80/TCP UTMStack Web-based Graphical User Interface Redirector (We recommend creating a firewall rule to allow it only from admin and security analyst workstations) +- 443/TCP UTMStack Web-based Graphical User Interface (We recommend creating a firewall rule to allow it only from admin and security analyst workstations) +- 9090/TCP Cockpit Web-based Graphical Interface for Servers (We recommend creating a firewall rule to allow it only from admin workstation) +- Others ports will be required during the configuration of UTMStack's integrations to receive logs. (Please follow the security recommendations given on the integration guide if exists) # FAQ - Is this based on Grafana, Kibana, or a similar reporting tool? Answer: It is not. UTMStack has been built from the ground up to be a simple and intuitive SIEM/XDR. - Does UTMStack use ELK for log correlation? Answer: It does not. UTMStack correlation engine was built from scratch to analyze data before ingestion and maximize real-time correlation. -- What is the difference between the Open Source and Enterprise version? +- What is the difference between the Open Source and Enterprise versions? The enterprise version includes features that would typically benefit enterprises and MSPs. For example, support, faster correlation, frequent threat intelligence updates, and Artificial Intelligence. From 667e65dc61a55e4a3dc347cb517ab14ec9a9ceaa Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Mon, 2 Feb 2026 10:03:09 -0600 Subject: [PATCH 007/105] feat: add Linux Auditing Daemon update to changelog --- .../20260202001_update_linux_auditing_module.xml | 16 ++++++++++++++++ .../main/resources/config/liquibase/master.xml | 2 ++ 2 files changed, 18 insertions(+) create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260202001_update_linux_auditing_module.xml diff --git a/backend/src/main/resources/config/liquibase/changelog/20260202001_update_linux_auditing_module.xml b/backend/src/main/resources/config/liquibase/changelog/20260202001_update_linux_auditing_module.xml new file mode 100644 index 000000000..f9c0a6b3a --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260202001_update_linux_auditing_module.xml @@ -0,0 +1,16 @@ + + + + + + + + + module_name = 'AUDITD' + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml index 71b5ddba4..f5a33e540 100644 --- a/backend/src/main/resources/config/liquibase/master.xml +++ b/backend/src/main/resources/config/liquibase/master.xml @@ -327,6 +327,8 @@ + + From 2544d9196b1b361f3a939f8dfd76957454bbd76b Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Mon, 2 Feb 2026 10:11:51 -0600 Subject: [PATCH 008/105] feat: update architecture names for clarity in Linux agent guide Signed-off-by: Manuel Abascal --- .../guide-linux-agent/guide-linux-agent.component.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/frontend/src/app/app-module/guides/guide-linux-agent/guide-linux-agent.component.ts b/frontend/src/app/app-module/guides/guide-linux-agent/guide-linux-agent.component.ts index 3dd3b133d..a143e9ed1 100644 --- a/frontend/src/app/app-module/guides/guide-linux-agent/guide-linux-agent.component.ts +++ b/frontend/src/app/app-module/guides/guide-linux-agent/guide-linux-agent.component.ts @@ -78,23 +78,23 @@ export class GuideLinuxAgentComponent implements OnInit { private loadArchitectures() { this.architectures = [ { - id: 1, name: 'Ubuntu 16/18/20+', + id: 1, name: 'Ubuntu / Debian', install: this.getCommandUbuntu('utmstack_agent_service'), uninstall: this.getUninstallCommand('utmstack_agent_service'), shell: '' }, { - id: 2, name: 'Centos 7/Red Hat Enterprise Linux', + id: 2, name: 'Fedora / RedHat', install: this.getCommandCentos7RedHat('utmstack_agent_service'), uninstall: this.getUninstallCommand('utmstack_agent_service'), shell: '' - }, + }/*, { id: 3, name: 'Centos 8/AlmaLinux', install: this.getCommandCentos8Almalinux('utmstack_agent_service'), uninstall: this.getUninstallCommand('utmstack_agent_service'), shell: '' - } + }*/ ]; } } From 2433faa773b5452761238ad7c3c60c7e126dcf8f Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Mon, 2 Feb 2026 10:24:35 -0600 Subject: [PATCH 009/105] feat: enhance version info handling in API documentation component Signed-off-by: Manuel Abascal --- .../utm-api-doc/utm-api-doc.component.html | 2 +- .../utm-api-doc/utm-api-doc.component.ts | 22 ++++++++++++++++--- .../app/shared/constants/global.constant.ts | 2 +- 3 files changed, 21 insertions(+), 5 deletions(-) diff --git a/frontend/src/app/app-management/utm-api-doc/utm-api-doc.component.html b/frontend/src/app/app-management/utm-api-doc/utm-api-doc.component.html index d21f11edd..a9d639a76 100644 --- a/frontend/src/app/app-management/utm-api-doc/utm-api-doc.component.html +++ b/frontend/src/app/app-management/utm-api-doc/utm-api-doc.component.html @@ -6,7 +6,7 @@

Version: - +

diff --git a/frontend/src/app/app-management/utm-api-doc/utm-api-doc.component.ts b/frontend/src/app/app-management/utm-api-doc/utm-api-doc.component.ts index 56fc76b2e..ad5d30e78 100644 --- a/frontend/src/app/app-management/utm-api-doc/utm-api-doc.component.ts +++ b/frontend/src/app/app-management/utm-api-doc/utm-api-doc.component.ts @@ -1,16 +1,32 @@ -import {Component, OnInit} from '@angular/core'; +import {Component, OnDestroy, OnInit} from '@angular/core'; +import {Subject} from 'rxjs'; +import {takeUntil} from 'rxjs/operators'; +import {VersionInfoService} from '../../shared/services/version/version-info.service'; +import {AppVersionInfo} from '../../shared/types/updates/updates.type'; @Component({ selector: 'app-utm-api-doc', templateUrl: './utm-api-doc.component.html', styleUrls: ['./utm-api-doc.component.scss'] }) -export class UtmApiDocComponent implements OnInit { +export class UtmApiDocComponent implements OnInit, OnDestroy { - constructor() { + versionInfo: AppVersionInfo; + destroy$ = new Subject(); + + constructor(private versionTypeService: VersionInfoService) { } ngOnInit() { + + this.versionTypeService.appVersionInfo$ + .pipe(takeUntil(this.destroy$)) + .subscribe((versionInfo: AppVersionInfo) => this.versionInfo = versionInfo); + } + + ngOnDestroy(): void { + this.destroy$.next(); + this.destroy$.complete(); } } diff --git a/frontend/src/app/shared/constants/global.constant.ts b/frontend/src/app/shared/constants/global.constant.ts index 0558e31c3..5efa49043 100644 --- a/frontend/src/app/shared/constants/global.constant.ts +++ b/frontend/src/app/shared/constants/global.constant.ts @@ -4,6 +4,6 @@ export const ADMIN_DEFAULT_EMAIL = 'admin@localhost'; export const DEMO_URL = 'https://demo.utmstack.com/'; export const LOG_SOURCE_DASHBOARD_NAME = 'Log source system'; export const SAAS_DEFAULT_PASSWORD = 'DefaultPa$$word!'; -export const ONLINE_DOCUMENTATION_BASE = 'https://docs.utmstack.com/UTMStackDocumentationSite/'; +export const ONLINE_DOCUMENTATION_BASE = 'https://docs.utmstack.com'; export const MAX_SEARCH_RESULTS = 10000; From 77b61fd50f78629ffc9ec07597b873cce6cb43cc Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Mon, 2 Feb 2026 10:45:15 -0600 Subject: [PATCH 010/105] feat: add Crowdstrike filter update to changelog --- .../20260202002_update_filter_crowdstrike.xml | 330 ++++++++++++++++++ .../resources/config/liquibase/master.xml | 2 + 2 files changed, 332 insertions(+) create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260202002_update_filter_crowdstrike.xml diff --git a/backend/src/main/resources/config/liquibase/changelog/20260202002_update_filter_crowdstrike.xml b/backend/src/main/resources/config/liquibase/changelog/20260202002_update_filter_crowdstrike.xml new file mode 100644 index 000000000..57f700bf3 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260202002_update_filter_crowdstrike.xml @@ -0,0 +1,330 @@ + + + + + + + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml index f5a33e540..41ed68e30 100644 --- a/backend/src/main/resources/config/liquibase/master.xml +++ b/backend/src/main/resources/config/liquibase/master.xml @@ -329,6 +329,8 @@ + + From 175e4e67b86a42f83f380d96a3478cca53484f5b Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Mon, 2 Feb 2026 10:47:16 -0600 Subject: [PATCH 011/105] feat: update layout styles for API documentation component Signed-off-by: Manuel Abascal --- .../utm-api-doc/utm-api-doc.component.scss | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/frontend/src/app/app-management/utm-api-doc/utm-api-doc.component.scss b/frontend/src/app/app-management/utm-api-doc/utm-api-doc.component.scss index 5ea1bf8ae..54cc37d9d 100644 --- a/frontend/src/app/app-management/utm-api-doc/utm-api-doc.component.scss +++ b/frontend/src/app/app-management/utm-api-doc/utm-api-doc.component.scss @@ -1,6 +1,9 @@ -.utm-api-doc { - //max-height: 800px; - //overflow-y: scroll; +:host { + display: flex; + flex-direction: column; + flex: 1 1 auto; + min-height: 0; + height: 100%; } span.method { From 6f3e0e8cae9b8831ae8b232f5681c8b69c92e8b6 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Mon, 2 Feb 2026 10:51:36 -0600 Subject: [PATCH 012/105] feat: comment out security scheme definitions in OpenApiConfiguration --- .../java/com/park/utmstack/config/OpenApiConfiguration.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/src/main/java/com/park/utmstack/config/OpenApiConfiguration.java b/backend/src/main/java/com/park/utmstack/config/OpenApiConfiguration.java index dd1414d6d..f3fcba61e 100644 --- a/backend/src/main/java/com/park/utmstack/config/OpenApiConfiguration.java +++ b/backend/src/main/java/com/park/utmstack/config/OpenApiConfiguration.java @@ -34,7 +34,7 @@ public OpenAPI customOpenAPI() { .addList(securitySchemeApiInternalKey) .addList(securitySchemeApiKey)) .components(new Components() - .addSecuritySchemes(securitySchemeBearer, + /*.addSecuritySchemes(securitySchemeBearer, new SecurityScheme() .name(securitySchemeBearer) .type(SecurityScheme.Type.HTTP) @@ -43,7 +43,7 @@ public OpenAPI customOpenAPI() { .addSecuritySchemes(securitySchemeApiInternalKey, new SecurityScheme() .name("Utm-Internal-Key") .type(SecurityScheme.Type.APIKEY) - .in(SecurityScheme.In.HEADER)) + .in(SecurityScheme.In.HEADER))*/ .addSecuritySchemes(securitySchemeApiKey, new SecurityScheme() .name(Constants.API_KEY_HEADER) .type(SecurityScheme.Type.APIKEY) From acf3eadad53e7de467e6616d8d07e82d60874f6e Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Mon, 2 Feb 2026 11:05:54 -0600 Subject: [PATCH 013/105] feat: update alert field type to string and adjust sorting logic in alert view Signed-off-by: Manuel Abascal --- .../alert-management/alert-view/alert-view.component.html | 6 +++--- .../alert-management/alert-view/alert-view.component.ts | 2 ++ .../src/app/shared/constants/alert/alert-field.constant.ts | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.html b/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.html index 62dad69d5..863052961 100644 --- a/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.html +++ b/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.html @@ -106,11 +106,11 @@
tooltipClass="utm-tooltip-top"> {{item.label}} diff --git a/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.ts b/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.ts index 97b2cbe09..96a135d59 100644 --- a/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.ts +++ b/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.ts @@ -55,6 +55,7 @@ import {AlertActionRefreshService} from '../shared/services/alert-action-refresh import {AlertTagService} from '../shared/services/alert-tag.service'; import {OPEN_ALERTS_KEY, OpenAlertsService} from '../shared/services/open-alerts.service'; import {getCurrentAlertStatus, getStatusName} from '../shared/util/alert-util-function'; +import {ElasticDataTypesEnum} from "../../../shared/enums/elastic-data-types.enum"; @Component({ selector: 'app-alert-view', @@ -139,6 +140,7 @@ export class AlertViewComponent implements OnInit, OnDestroy { pageSizeChildren = ITEMS_PER_PAGE * 4; readonly ALERT_STATUS_FIELD = ALERT_STATUS_FIELD; readonly Math = Math; + readonly ElasticDataTypesEnum = ElasticDataTypesEnum; ngOnInit() { this.openAlerts = this.localStorage.retrieve(OPEN_ALERTS_KEY); diff --git a/frontend/src/app/shared/constants/alert/alert-field.constant.ts b/frontend/src/app/shared/constants/alert/alert-field.constant.ts index e8335c8db..2e91dff5e 100644 --- a/frontend/src/app/shared/constants/alert/alert-field.constant.ts +++ b/frontend/src/app/shared/constants/alert/alert-field.constant.ts @@ -129,7 +129,7 @@ export const ALERT_FIELDS: UtmFieldType[] = [ { label: 'Severity', field: ALERT_SEVERITY_FIELD_LABEL, - type: ElasticDataTypesEnum.NUMBER, + type: ElasticDataTypesEnum.STRING, visible: true, }, { From 4d3d3f9bf8f7be5476d3c890b88f8a9ada8518d4 Mon Sep 17 00:00:00 2001 From: Osmany Montero Date: Mon, 2 Feb 2026 19:09:35 +0000 Subject: [PATCH 014/105] chore(plugins): update dependencies across plugins - Updated versions for `github.com/threatwinds/go-sdk`, `github.com/gabriel-vasile/mimetype`, `github.com/google/cel-go`, and others in `go.mod` files. - Removed unused dependency `github.com/stoewer/go-strcase`. --- plugins/alerts/go.mod | 11 +++++------ plugins/alerts/go.sum | 23 ++++++++++------------- plugins/config/go.mod | 13 ++++++------- plugins/config/go.sum | 27 ++++++++++++--------------- plugins/events/go.mod | 11 +++++------ plugins/events/go.sum | 23 ++++++++++------------- plugins/geolocation/go.mod | 11 +++++------ plugins/geolocation/go.sum | 23 ++++++++++------------- plugins/stats/go.mod | 11 +++++------ plugins/stats/go.sum | 23 ++++++++++------------- 10 files changed, 78 insertions(+), 98 deletions(-) diff --git a/plugins/alerts/go.mod b/plugins/alerts/go.mod index bfcbdb687..d48c7c6dc 100644 --- a/plugins/alerts/go.mod +++ b/plugins/alerts/go.mod @@ -4,7 +4,7 @@ go 1.25.5 require ( github.com/google/uuid v1.6.0 - github.com/threatwinds/go-sdk v1.1.9 + github.com/threatwinds/go-sdk v1.1.10 github.com/tidwall/gjson v1.18.0 google.golang.org/protobuf v1.36.11 ) @@ -16,7 +16,7 @@ require ( github.com/bytedance/sonic v1.15.0 // indirect github.com/bytedance/sonic/loader v0.5.0 // indirect github.com/cloudwego/base64x v0.1.6 // indirect - github.com/gabriel-vasile/mimetype v1.4.12 // indirect + github.com/gabriel-vasile/mimetype v1.4.13 // indirect github.com/gin-contrib/sse v1.1.0 // indirect github.com/gin-gonic/gin v1.11.0 // indirect github.com/go-playground/locales v0.14.1 // indirect @@ -24,7 +24,7 @@ require ( github.com/go-playground/validator/v10 v10.30.1 // indirect github.com/goccy/go-json v0.10.5 // indirect github.com/goccy/go-yaml v1.19.2 // indirect - github.com/google/cel-go v0.26.1 // indirect + github.com/google/cel-go v0.27.0 // indirect github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/cpuid/v2 v2.3.0 // indirect @@ -36,7 +36,6 @@ require ( github.com/pelletier/go-toml/v2 v2.2.4 // indirect github.com/quic-go/qpack v0.6.0 // indirect github.com/quic-go/quic-go v0.59.0 // indirect - github.com/stoewer/go-strcase v1.3.1 // indirect github.com/tidwall/match v1.2.0 // indirect github.com/tidwall/pretty v1.2.1 // indirect github.com/twitchyliquid64/golang-asm v0.15.1 // indirect @@ -48,8 +47,8 @@ require ( golang.org/x/net v0.49.0 // indirect golang.org/x/sys v0.40.0 // indirect golang.org/x/text v0.33.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b // indirect google.golang.org/grpc v1.78.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect sigs.k8s.io/yaml v1.6.0 // indirect diff --git a/plugins/alerts/go.sum b/plugins/alerts/go.sum index 9978feb4f..0c6ce469a 100644 --- a/plugins/alerts/go.sum +++ b/plugins/alerts/go.sum @@ -14,8 +14,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw= -github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s= +github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM= +github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s= github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w= github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM= github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk= @@ -38,8 +38,8 @@ github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM= github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ= -github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= +github.com/google/cel-go v0.27.0 h1:e7ih85+4qVrBuqQWTW4FKSqZYokVuc3HnhH5keboFTo= +github.com/google/cel-go v0.27.0/go.mod h1:tTJ11FWqnhw5KKpnWpvW9CJC3Y9GK4EIS0WXnBbebzw= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -77,8 +77,6 @@ github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SA github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU= github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= -github.com/stoewer/go-strcase v1.3.1 h1:iS0MdW+kVTxgMoE1LAZyMiYJFKlOzLooE4MxjirtkAs= -github.com/stoewer/go-strcase v1.3.1/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= @@ -86,13 +84,12 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= -github.com/threatwinds/go-sdk v1.1.9 h1:4i8UZczXyGbRJsUEHRgaS2oQ03VTRjh/DYyTtGdSfRA= -github.com/threatwinds/go-sdk v1.1.9/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw= +github.com/threatwinds/go-sdk v1.1.10 h1:joqXa0K8DiiJ135isRi6eOzVTtlPBY2i2yAS2ia2wNU= +github.com/threatwinds/go-sdk v1.1.10/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw= github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= @@ -142,10 +139,10 @@ golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE= golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M= -google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 h1:H86B94AW+VfJWDqFeEbBPhEtHzJwJfTbgE2lZa54ZAQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= +google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b h1:SGYyueaEovpqmWmtTvwtVgo638V/QFE2zlTCnRrR3jg= +google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b h1:GZxXGdFaHX27ZSMHudWc4FokdD+xl8BC2UJm1OVIEzs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc= google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= diff --git a/plugins/config/go.mod b/plugins/config/go.mod index 2ba8d1179..db172777d 100644 --- a/plugins/config/go.mod +++ b/plugins/config/go.mod @@ -3,8 +3,8 @@ module github.com/utmstack/UTMStack/plugins/config go 1.25.5 require ( - github.com/lib/pq v1.10.9 - github.com/threatwinds/go-sdk v1.1.9 + github.com/lib/pq v1.11.1 + github.com/threatwinds/go-sdk v1.1.10 gopkg.in/yaml.v3 v3.0.1 sigs.k8s.io/yaml v1.6.0 ) @@ -16,7 +16,7 @@ require ( github.com/bytedance/sonic v1.15.0 // indirect github.com/bytedance/sonic/loader v0.5.0 // indirect github.com/cloudwego/base64x v0.1.6 // indirect - github.com/gabriel-vasile/mimetype v1.4.12 // indirect + github.com/gabriel-vasile/mimetype v1.4.13 // indirect github.com/gin-contrib/sse v1.1.0 // indirect github.com/gin-gonic/gin v1.11.0 // indirect github.com/go-playground/locales v0.14.1 // indirect @@ -24,7 +24,7 @@ require ( github.com/go-playground/validator/v10 v10.30.1 // indirect github.com/goccy/go-json v0.10.5 // indirect github.com/goccy/go-yaml v1.19.2 // indirect - github.com/google/cel-go v0.26.1 // indirect + github.com/google/cel-go v0.27.0 // indirect github.com/google/uuid v1.6.0 // indirect github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect github.com/json-iterator/go v1.1.12 // indirect @@ -37,7 +37,6 @@ require ( github.com/pelletier/go-toml/v2 v2.2.4 // indirect github.com/quic-go/qpack v0.6.0 // indirect github.com/quic-go/quic-go v0.59.0 // indirect - github.com/stoewer/go-strcase v1.3.1 // indirect github.com/tidwall/gjson v1.18.0 // indirect github.com/tidwall/match v1.2.0 // indirect github.com/tidwall/pretty v1.2.1 // indirect @@ -50,8 +49,8 @@ require ( golang.org/x/net v0.49.0 // indirect golang.org/x/sys v0.40.0 // indirect golang.org/x/text v0.33.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b // indirect google.golang.org/grpc v1.78.0 // indirect google.golang.org/protobuf v1.36.11 // indirect ) diff --git a/plugins/config/go.sum b/plugins/config/go.sum index a0ab31a8b..98dd2873b 100644 --- a/plugins/config/go.sum +++ b/plugins/config/go.sum @@ -14,8 +14,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw= -github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s= +github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM= +github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s= github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w= github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM= github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk= @@ -38,8 +38,8 @@ github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM= github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ= -github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= +github.com/google/cel-go v0.27.0 h1:e7ih85+4qVrBuqQWTW4FKSqZYokVuc3HnhH5keboFTo= +github.com/google/cel-go v0.27.0/go.mod h1:tTJ11FWqnhw5KKpnWpvW9CJC3Y9GK4EIS0WXnBbebzw= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -57,8 +57,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ= github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI= -github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= -github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lib/pq v1.11.1 h1:wuChtj2hfsGmmx3nf1m7xC2XpK6OtelS2shMY+bGMtI= +github.com/lib/pq v1.11.1/go.mod h1:/p+8NSbOcwzAEI7wiMXFlgydTwcgTr3OSKMsD2BitpA= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= @@ -79,8 +79,6 @@ github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SA github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU= github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= -github.com/stoewer/go-strcase v1.3.1 h1:iS0MdW+kVTxgMoE1LAZyMiYJFKlOzLooE4MxjirtkAs= -github.com/stoewer/go-strcase v1.3.1/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= @@ -88,13 +86,12 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= -github.com/threatwinds/go-sdk v1.1.9 h1:4i8UZczXyGbRJsUEHRgaS2oQ03VTRjh/DYyTtGdSfRA= -github.com/threatwinds/go-sdk v1.1.9/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw= +github.com/threatwinds/go-sdk v1.1.10 h1:joqXa0K8DiiJ135isRi6eOzVTtlPBY2i2yAS2ia2wNU= +github.com/threatwinds/go-sdk v1.1.10/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw= github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= @@ -144,10 +141,10 @@ golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE= golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M= -google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 h1:H86B94AW+VfJWDqFeEbBPhEtHzJwJfTbgE2lZa54ZAQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= +google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b h1:SGYyueaEovpqmWmtTvwtVgo638V/QFE2zlTCnRrR3jg= +google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b h1:GZxXGdFaHX27ZSMHudWc4FokdD+xl8BC2UJm1OVIEzs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc= google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= diff --git a/plugins/events/go.mod b/plugins/events/go.mod index 1e9ac27e5..4c508d248 100644 --- a/plugins/events/go.mod +++ b/plugins/events/go.mod @@ -3,7 +3,7 @@ module github.com/utmstack/UTMStack/plugins/events go 1.25.5 require ( - github.com/threatwinds/go-sdk v1.1.9 + github.com/threatwinds/go-sdk v1.1.10 github.com/tidwall/gjson v1.18.0 ) @@ -14,7 +14,7 @@ require ( github.com/bytedance/sonic v1.15.0 // indirect github.com/bytedance/sonic/loader v0.5.0 // indirect github.com/cloudwego/base64x v0.1.6 // indirect - github.com/gabriel-vasile/mimetype v1.4.12 // indirect + github.com/gabriel-vasile/mimetype v1.4.13 // indirect github.com/gin-contrib/sse v1.1.0 // indirect github.com/gin-gonic/gin v1.11.0 // indirect github.com/go-playground/locales v0.14.1 // indirect @@ -22,7 +22,7 @@ require ( github.com/go-playground/validator/v10 v10.30.1 // indirect github.com/goccy/go-json v0.10.5 // indirect github.com/goccy/go-yaml v1.19.2 // indirect - github.com/google/cel-go v0.26.1 // indirect + github.com/google/cel-go v0.27.0 // indirect github.com/google/uuid v1.6.0 // indirect github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect github.com/json-iterator/go v1.1.12 // indirect @@ -35,7 +35,6 @@ require ( github.com/pelletier/go-toml/v2 v2.2.4 // indirect github.com/quic-go/qpack v0.6.0 // indirect github.com/quic-go/quic-go v0.59.0 // indirect - github.com/stoewer/go-strcase v1.3.1 // indirect github.com/tidwall/match v1.2.0 // indirect github.com/tidwall/pretty v1.2.1 // indirect github.com/twitchyliquid64/golang-asm v0.15.1 // indirect @@ -47,8 +46,8 @@ require ( golang.org/x/net v0.49.0 // indirect golang.org/x/sys v0.40.0 // indirect golang.org/x/text v0.33.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b // indirect google.golang.org/grpc v1.78.0 // indirect google.golang.org/protobuf v1.36.11 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/plugins/events/go.sum b/plugins/events/go.sum index 9978feb4f..0c6ce469a 100644 --- a/plugins/events/go.sum +++ b/plugins/events/go.sum @@ -14,8 +14,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw= -github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s= +github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM= +github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s= github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w= github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM= github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk= @@ -38,8 +38,8 @@ github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM= github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ= -github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= +github.com/google/cel-go v0.27.0 h1:e7ih85+4qVrBuqQWTW4FKSqZYokVuc3HnhH5keboFTo= +github.com/google/cel-go v0.27.0/go.mod h1:tTJ11FWqnhw5KKpnWpvW9CJC3Y9GK4EIS0WXnBbebzw= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -77,8 +77,6 @@ github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SA github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU= github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= -github.com/stoewer/go-strcase v1.3.1 h1:iS0MdW+kVTxgMoE1LAZyMiYJFKlOzLooE4MxjirtkAs= -github.com/stoewer/go-strcase v1.3.1/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= @@ -86,13 +84,12 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= -github.com/threatwinds/go-sdk v1.1.9 h1:4i8UZczXyGbRJsUEHRgaS2oQ03VTRjh/DYyTtGdSfRA= -github.com/threatwinds/go-sdk v1.1.9/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw= +github.com/threatwinds/go-sdk v1.1.10 h1:joqXa0K8DiiJ135isRi6eOzVTtlPBY2i2yAS2ia2wNU= +github.com/threatwinds/go-sdk v1.1.10/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw= github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= @@ -142,10 +139,10 @@ golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE= golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M= -google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 h1:H86B94AW+VfJWDqFeEbBPhEtHzJwJfTbgE2lZa54ZAQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= +google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b h1:SGYyueaEovpqmWmtTvwtVgo638V/QFE2zlTCnRrR3jg= +google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b h1:GZxXGdFaHX27ZSMHudWc4FokdD+xl8BC2UJm1OVIEzs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc= google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= diff --git a/plugins/geolocation/go.mod b/plugins/geolocation/go.mod index 82e6ad8fc..0ac2ba241 100644 --- a/plugins/geolocation/go.mod +++ b/plugins/geolocation/go.mod @@ -3,7 +3,7 @@ module github.com/utmstack/UTMStack/plugins/geolocation go 1.25.5 require ( - github.com/threatwinds/go-sdk v1.1.9 + github.com/threatwinds/go-sdk v1.1.10 github.com/tidwall/gjson v1.18.0 github.com/tidwall/sjson v1.2.5 ) @@ -15,7 +15,7 @@ require ( github.com/bytedance/sonic v1.15.0 // indirect github.com/bytedance/sonic/loader v0.5.0 // indirect github.com/cloudwego/base64x v0.1.6 // indirect - github.com/gabriel-vasile/mimetype v1.4.12 // indirect + github.com/gabriel-vasile/mimetype v1.4.13 // indirect github.com/gin-contrib/sse v1.1.0 // indirect github.com/gin-gonic/gin v1.11.0 // indirect github.com/go-playground/locales v0.14.1 // indirect @@ -23,7 +23,7 @@ require ( github.com/go-playground/validator/v10 v10.30.1 // indirect github.com/goccy/go-json v0.10.5 // indirect github.com/goccy/go-yaml v1.19.2 // indirect - github.com/google/cel-go v0.26.1 // indirect + github.com/google/cel-go v0.27.0 // indirect github.com/google/uuid v1.6.0 // indirect github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect github.com/json-iterator/go v1.1.12 // indirect @@ -36,7 +36,6 @@ require ( github.com/pelletier/go-toml/v2 v2.2.4 // indirect github.com/quic-go/qpack v0.6.0 // indirect github.com/quic-go/quic-go v0.59.0 // indirect - github.com/stoewer/go-strcase v1.3.1 // indirect github.com/tidwall/match v1.2.0 // indirect github.com/tidwall/pretty v1.2.1 // indirect github.com/twitchyliquid64/golang-asm v0.15.1 // indirect @@ -48,8 +47,8 @@ require ( golang.org/x/net v0.49.0 // indirect golang.org/x/sys v0.40.0 // indirect golang.org/x/text v0.33.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b // indirect google.golang.org/grpc v1.78.0 // indirect google.golang.org/protobuf v1.36.11 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/plugins/geolocation/go.sum b/plugins/geolocation/go.sum index 96b622d6e..f69c3240f 100644 --- a/plugins/geolocation/go.sum +++ b/plugins/geolocation/go.sum @@ -14,8 +14,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw= -github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s= +github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM= +github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s= github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w= github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM= github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk= @@ -38,8 +38,8 @@ github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM= github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ= -github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= +github.com/google/cel-go v0.27.0 h1:e7ih85+4qVrBuqQWTW4FKSqZYokVuc3HnhH5keboFTo= +github.com/google/cel-go v0.27.0/go.mod h1:tTJ11FWqnhw5KKpnWpvW9CJC3Y9GK4EIS0WXnBbebzw= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -77,8 +77,6 @@ github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SA github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU= github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= -github.com/stoewer/go-strcase v1.3.1 h1:iS0MdW+kVTxgMoE1LAZyMiYJFKlOzLooE4MxjirtkAs= -github.com/stoewer/go-strcase v1.3.1/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= @@ -86,13 +84,12 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= -github.com/threatwinds/go-sdk v1.1.9 h1:4i8UZczXyGbRJsUEHRgaS2oQ03VTRjh/DYyTtGdSfRA= -github.com/threatwinds/go-sdk v1.1.9/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw= +github.com/threatwinds/go-sdk v1.1.10 h1:joqXa0K8DiiJ135isRi6eOzVTtlPBY2i2yAS2ia2wNU= +github.com/threatwinds/go-sdk v1.1.10/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw= github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= @@ -143,10 +140,10 @@ golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE= golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M= -google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 h1:H86B94AW+VfJWDqFeEbBPhEtHzJwJfTbgE2lZa54ZAQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= +google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b h1:SGYyueaEovpqmWmtTvwtVgo638V/QFE2zlTCnRrR3jg= +google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b h1:GZxXGdFaHX27ZSMHudWc4FokdD+xl8BC2UJm1OVIEzs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc= google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= diff --git a/plugins/stats/go.mod b/plugins/stats/go.mod index 178d81425..acbcafcbf 100644 --- a/plugins/stats/go.mod +++ b/plugins/stats/go.mod @@ -4,7 +4,7 @@ go 1.25.5 require ( github.com/google/uuid v1.6.0 - github.com/threatwinds/go-sdk v1.1.9 + github.com/threatwinds/go-sdk v1.1.10 google.golang.org/protobuf v1.36.11 ) @@ -15,7 +15,7 @@ require ( github.com/bytedance/sonic v1.15.0 // indirect github.com/bytedance/sonic/loader v0.5.0 // indirect github.com/cloudwego/base64x v0.1.6 // indirect - github.com/gabriel-vasile/mimetype v1.4.12 // indirect + github.com/gabriel-vasile/mimetype v1.4.13 // indirect github.com/gin-contrib/sse v1.1.0 // indirect github.com/gin-gonic/gin v1.11.0 // indirect github.com/go-playground/locales v0.14.1 // indirect @@ -23,7 +23,7 @@ require ( github.com/go-playground/validator/v10 v10.30.1 // indirect github.com/goccy/go-json v0.10.5 // indirect github.com/goccy/go-yaml v1.19.2 // indirect - github.com/google/cel-go v0.26.1 // indirect + github.com/google/cel-go v0.27.0 // indirect github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/cpuid/v2 v2.3.0 // indirect @@ -35,7 +35,6 @@ require ( github.com/pelletier/go-toml/v2 v2.2.4 // indirect github.com/quic-go/qpack v0.6.0 // indirect github.com/quic-go/quic-go v0.59.0 // indirect - github.com/stoewer/go-strcase v1.3.1 // indirect github.com/tidwall/gjson v1.18.0 // indirect github.com/tidwall/match v1.2.0 // indirect github.com/tidwall/pretty v1.2.1 // indirect @@ -48,8 +47,8 @@ require ( golang.org/x/net v0.49.0 // indirect golang.org/x/sys v0.40.0 // indirect golang.org/x/text v0.33.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b // indirect google.golang.org/grpc v1.78.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect sigs.k8s.io/yaml v1.6.0 // indirect diff --git a/plugins/stats/go.sum b/plugins/stats/go.sum index 9978feb4f..0c6ce469a 100644 --- a/plugins/stats/go.sum +++ b/plugins/stats/go.sum @@ -14,8 +14,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw= -github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s= +github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM= +github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s= github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w= github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM= github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk= @@ -38,8 +38,8 @@ github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM= github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ= -github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= +github.com/google/cel-go v0.27.0 h1:e7ih85+4qVrBuqQWTW4FKSqZYokVuc3HnhH5keboFTo= +github.com/google/cel-go v0.27.0/go.mod h1:tTJ11FWqnhw5KKpnWpvW9CJC3Y9GK4EIS0WXnBbebzw= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -77,8 +77,6 @@ github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SA github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU= github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= -github.com/stoewer/go-strcase v1.3.1 h1:iS0MdW+kVTxgMoE1LAZyMiYJFKlOzLooE4MxjirtkAs= -github.com/stoewer/go-strcase v1.3.1/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= @@ -86,13 +84,12 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= -github.com/threatwinds/go-sdk v1.1.9 h1:4i8UZczXyGbRJsUEHRgaS2oQ03VTRjh/DYyTtGdSfRA= -github.com/threatwinds/go-sdk v1.1.9/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw= +github.com/threatwinds/go-sdk v1.1.10 h1:joqXa0K8DiiJ135isRi6eOzVTtlPBY2i2yAS2ia2wNU= +github.com/threatwinds/go-sdk v1.1.10/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw= github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= @@ -142,10 +139,10 @@ golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE= golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M= -google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 h1:H86B94AW+VfJWDqFeEbBPhEtHzJwJfTbgE2lZa54ZAQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= +google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b h1:SGYyueaEovpqmWmtTvwtVgo638V/QFE2zlTCnRrR3jg= +google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b h1:GZxXGdFaHX27ZSMHudWc4FokdD+xl8BC2UJm1OVIEzs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc= google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= From 2eb57415ac39710f49deba59fc979c65caaff61a Mon Sep 17 00:00:00 2001 From: Osmany Montero Date: Mon, 2 Feb 2026 19:21:35 +0000 Subject: [PATCH 015/105] docs(README): enhance formatting and improve badge layout --- README.md | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index b4c14ab6d..553f1624f 100644 --- a/README.md +++ b/README.md @@ -1,25 +1,32 @@ -

-
- UTMStack -

+# UTMStack

- - - - - - + + UTMStack +

-

Enterprise-ready SIEM and XDR powered by Real-Time correlation and Threat Intelligence

+[![Contributors](https://img.shields.io/github/contributors-anon/utmstack/utmstack)](https://github.com/utmstack/UTMStack/graphs/contributors) +[![Release](https://img.shields.io/github/release/utmstack/utmstack)](https://github.com/utmstack/UTMStack/releases/) +[![Issues](https://img.shields.io/github/issues-raw/utmstack/utmstack)](https://github.com/utmstack/UTMStack/issues) +[![Commit Activity](https://img.shields.io/github/commit-activity/m/utmstack/utmstack)](https://github.com/utmstack/UTMStack/commits/main) +[![License](https://img.shields.io/github/license/ad-aures/castopod?color=blue)](https://github.com/utmstack/UTMStack/blob/master/LICENSE) +[![Discord](https://img.shields.io/discord/1154016563775672400.svg?logo=discord)](https://discord.gg/ZznvZ8xcHh) + +#### Enterprise-ready SIEM and XDR powered by Real-Time correlation and Threat Intelligence ## Introduction Welcome to the UTMStack open-source project! UTMStack is a unified threat management platform that merges SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) technologies. Our unique approach allows real-time correlation of log data, threat intelligence, and malware activity patterns from multiple sources, enabling the identification and halting of complex threats that use stealthy techniques. Visit an [online demo here.](https://utmstack.com/demo) -

-UTMStack UTMStack

+

+ + UTMStack + + + UTMStack + +

## Features @@ -31,7 +38,6 @@ Welcome to the UTMStack open-source project! UTMStack is a unified threat manage - SOC AI-Powered Analysis - Security Compliance - ## Why UTMStack? UTMStack stands out in threat prevention by surpassing the boundaries of traditional systems. Our software platform can swiftly analyze log data to identify and halt threats at their source in real-time, even if the threat was not directly detected on the server itself. This seamless integration of SIEM and XDR capabilities sets UTMStack apart from competitors, providing organizations with an effective, holistic cybersecurity suite that enhances threat detection, response, and remediation across clients’ valuable digital infrastructure. Correlation happens before data ingestion, reducing workload and improving response times. From ace8513f59efca59281a0b3b520d3330d985059f Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Mon, 2 Feb 2026 18:00:03 -0600 Subject: [PATCH 016/105] fix(notification): improve email sending logic and error handling --- frontend/package.json | 2 +- .../adversary-alerts-graph.component.ts | 37 ++++++++++++------- frontend/src/environments/environment.ts | 2 +- 3 files changed, 26 insertions(+), 15 deletions(-) diff --git a/frontend/package.json b/frontend/package.json index aba386502..ee52bf852 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -3,7 +3,7 @@ "version": "7.1.0", "scripts": { "ng": "ng", - "start": "ng serve --host 0.0.0.0", + "start": "ng serve --host 0.0.0.0 --disable-host-check", "build": "ng build --prod --base-href /", "test": "ng test", "lint": "ng lint", diff --git a/frontend/src/app/data-management/adversary-management/adversary-alerts-graph/adversary-alerts-graph.component.ts b/frontend/src/app/data-management/adversary-management/adversary-alerts-graph/adversary-alerts-graph.component.ts index b2163cb91..cd0faedfd 100644 --- a/frontend/src/app/data-management/adversary-management/adversary-alerts-graph/adversary-alerts-graph.component.ts +++ b/frontend/src/app/data-management/adversary-management/adversary-alerts-graph/adversary-alerts-graph.component.ts @@ -1,5 +1,4 @@ import {Component, Input, OnChanges} from '@angular/core'; -import {ECharts} from 'echarts'; import {UtmAlertType} from '../../../shared/types/alert/utm-alert.type'; import {Side} from '../../../shared/types/event/event'; import {EventDataTypeEnum} from '../../alert-management/shared/enums/event-data-type.enum'; @@ -50,7 +49,7 @@ export class AdversaryAlertsGraphComponent implements OnChanges { }); } - private getGraphicElements() { + private getGraphicElements(hasAnyChildren: boolean) { const sankey = { left: 10, right: 180, @@ -60,22 +59,28 @@ export class AdversaryAlertsGraphComponent implements OnChanges { const chartElement = document.querySelector('.chart-container'); const chartContainerWidth = chartElement ? chartElement.clientWidth : 1000; - const columnWidth = chartContainerWidth / 3; - const depthPositions = [ - { left: sankey.left, width: columnWidth }, - { left: sankey.left + columnWidth, width: columnWidth }, - { left: sankey.left + (columnWidth * 2), width: columnWidth } - ]; + // Si no hay hijos → solo 2 columnas + const columnCount = hasAnyChildren ? 3 : 2; + const columnWidth = chartContainerWidth / columnCount; + + const depthPositions = Array.from({ length: columnCount }).map((_, i) => ({ + left: sankey.left + columnWidth * i, + width: columnWidth + })); + + const labels = hasAnyChildren + ? ['Adversary', 'Alerts', 'Echoes'] + : ['Adversary', 'Alerts']; - const graphicElements: any[] = []; - const labels = ['Adversary', 'Alerts', 'Echoes']; const colors = [ { fill: 'rgba(31, 119, 180, 0.06)', text: '#1F77B4' }, { fill: 'rgba(255, 127, 14, 0.06)', text: '#FF7F0E' }, { fill: 'rgba(44, 160, 44, 0.06)', text: '#2CA02C' } ]; + const graphicElements: any[] = []; + depthPositions.forEach((pos, index) => { const color = colors[index]; @@ -83,7 +88,10 @@ export class AdversaryAlertsGraphComponent implements OnChanges { type: 'rect', left: pos.left, top: sankey.top, - shape: { width: pos.width - 10, height: this.chartHeight - sankey.top - sankey.bottom }, + shape: { + width: pos.width - 10, + height: this.chartHeight - sankey.top - sankey.bottom + }, style: { fill: color.fill, stroke: 'none' @@ -92,7 +100,7 @@ export class AdversaryAlertsGraphComponent implements OnChanges { graphicElements.push({ type: 'text', - left: pos.left + (pos.width / 2), + left: pos.left + pos.width / 2, top: 0, style: { text: labels[index], @@ -181,7 +189,7 @@ export class AdversaryAlertsGraphComponent implements OnChanges { meta: { alert: { ...alert, - hasChildren: true + hasChildren: childCount > 0 }, severity: alert.severityLabel, timestamp: alert.timestamp, @@ -249,6 +257,9 @@ export class AdversaryAlertsGraphComponent implements OnChanges { const totalNodes = nodes.length; this.chartHeight = this.baseHeight + totalNodes * this.nodeGap; + console.log('totalNodes', nodes); + console.log('Links', links); + return { tooltip: { trigger: 'item', diff --git a/frontend/src/environments/environment.ts b/frontend/src/environments/environment.ts index 066a347a4..c14489291 100644 --- a/frontend/src/environments/environment.ts +++ b/frontend/src/environments/environment.ts @@ -4,7 +4,7 @@ export const environment = { production: false, - SERVER_API_URL: 'https://10.11.12.113/', + SERVER_API_URL: 'https://192.168.1.18/', //SERVER_API_URL: 'http://localhost:8080/', SERVER_API_CONTEXT: '', SESSION_AUTH_TOKEN: window.location.host.split(':')[0].toLocaleUpperCase(), From 1ef7e24cbdd9eac3554385cd997354024f732849 Mon Sep 17 00:00:00 2001 From: Osmany Montero Date: Tue, 3 Feb 2026 14:21:18 +0000 Subject: [PATCH 017/105] feat(config): add state change detection for dynamic updates - Introduced `ConfigState` to track timestamp updates for assets, rules, filters, and patterns. - Implemented `hasChanges` to detect modifications in database configurations and trigger updates accordingly. --- plugins/config/main.go | 56 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/plugins/config/main.go b/plugins/config/main.go index c15b6c4ac..3db45fca5 100644 --- a/plugins/config/main.go +++ b/plugins/config/main.go @@ -73,6 +73,13 @@ type ExpressionBackend struct { Value interface{} `yaml:"value"` } +type ConfigState struct { + AssetsLastUpdate time.Time + RulesLastUpdate time.Time + FiltersLastUpdate time.Time + PatternsLastUpdate time.Time +} + func (b *ExpressionBackend) ToExpression() Expression { return Expression{ Field: b.Field, @@ -267,6 +274,8 @@ func main() { return } + state := &ConfigState{} + for { func() { db, err := connect() @@ -284,6 +293,17 @@ func main() { } }() + changed, newState, err := hasChanges(db, state) + if err != nil { + _ = catcher.Error("failed to check for changes", err, map[string]any{"process": "plugin_com.utmstack.config"}) + time.Sleep(30 * time.Second) + return + } + + if !changed { + return + } + filters, err := getFilters(db) if err != nil { _ = catcher.Error("failed to get filters", err, map[string]any{"process": "plugin_com.utmstack.config"}) @@ -398,12 +418,46 @@ func main() { time.Sleep(30 * time.Second) return } + + *state = newState }() - time.Sleep(5 * time.Minute) + time.Sleep(30 * time.Second) } } +func hasChanges(db *sql.DB, state *ConfigState) (bool, ConfigState, error) { + newState := ConfigState{} + changed := false + + queries := []struct { + query string + target *time.Time + old time.Time + }{ + {"SELECT MAX(last_update) FROM utm_tenant_config", &newState.AssetsLastUpdate, state.AssetsLastUpdate}, + {"SELECT MAX(rule_last_update) FROM utm_correlation_rules", &newState.RulesLastUpdate, state.RulesLastUpdate}, + {"SELECT MAX(updated_at) FROM utm_logstash_filter", &newState.FiltersLastUpdate, state.FiltersLastUpdate}, + {"SELECT MAX(last_update) FROM utm_regex_pattern", &newState.PatternsLastUpdate, state.PatternsLastUpdate}, + } + + for _, q := range queries { + var lastUpdate sql.NullTime + err := db.QueryRow(q.query).Scan(&lastUpdate) + if err != nil { + return false, newState, err + } + if lastUpdate.Valid { + *q.target = lastUpdate.Time + } + if (*q.target).After(q.old) { + changed = true + } + } + + return changed, newState, nil +} + // connect to postgres database func connect() (*sql.DB, error) { pCfg := plugins.PluginCfg("com.utmstack") From b007feda04e442479262488a4e0d991f9cc34fcd Mon Sep 17 00:00:00 2001 From: Osmany Montero Date: Tue, 3 Feb 2026 14:44:08 +0000 Subject: [PATCH 018/105] refactor(alerts): streamline `AlertFields` struct and initialization - Removed unused fields from the `AlertFields` struct. - Simplified initialization logic by directly setting required fields. --- plugins/alerts/main.go | 75 ++++++++++++++++++------------------------ 1 file changed, 32 insertions(+), 43 deletions(-) diff --git a/plugins/alerts/main.go b/plugins/alerts/main.go index cd49f6d40..8df59ba22 100644 --- a/plugins/alerts/main.go +++ b/plugins/alerts/main.go @@ -24,35 +24,22 @@ type IncidentDetail struct { } type AlertFields struct { - Timestamp string `json:"@timestamp"` - ID string `json:"id"` - ParentID *string `json:"parentId,omitempty"` - Status int `json:"status"` - StatusLabel string `json:"statusLabel"` - StatusObservation string `json:"statusObservation"` - IsIncident bool `json:"isIncident"` - IncidentDetail IncidentDetail `json:"incidentDetail"` - Name string `json:"name"` - Category string `json:"category"` - Severity int `json:"severity"` - SeverityLabel string `json:"severityLabel"` - Description string `json:"description"` - Solution string `json:"solution"` - Technique string `json:"technique"` - Reference []string `json:"reference"` - DataType string `json:"dataType"` - Impact *plugins.Impact `json:"impact"` - ImpactScore uint32 `json:"impactScore"` - DataSource string `json:"dataSource"` - Adversary *plugins.Side `json:"adversary"` - Target *plugins.Side `json:"target"` - Events []*plugins.Event `json:"events"` - LastEvent *plugins.Event `json:"lastEvent"` - Tags []string `json:"tags"` - Notes string `json:"notes"` - TagRulesApplied []int `json:"tagRulesApplied"` - DeduplicatedBy []string `json:"deduplicatedBy"` - GroupedBy []string `json:"groupedBy"` + Status int `json:"status"` + StatusLabel string `json:"statusLabel"` + StatusObservation string `json:"statusObservation"` + IsIncident bool `json:"isIncident"` + IncidentDetail IncidentDetail `json:"incidentDetail"` + Severity int `json:"severity"` + SeverityLabel string `json:"severityLabel"` + Solution string `json:"solution"` + Reference []string `json:"reference"` + LastEvent *plugins.Event `json:"lastEvent"` + Tags []string `json:"tags"` + Notes string `json:"notes"` + TagRulesApplied []int `json:"tagRulesApplied"` + DeduplicatedBy []string `json:"deduplicatedBy"` + GroupedBy []string `json:"groupedBy"` + plugins.Alert } func main() { @@ -329,22 +316,11 @@ func newAlert(alert *plugins.Alert, parentId *string) error { } a := AlertFields{ - Timestamp: alert.Timestamp, - ID: alert.Id, - ParentID: parentId, Status: 1, StatusLabel: "Automatic review", - Name: alert.Name, - Category: alert.Category, Severity: severityN, SeverityLabel: severityLabel, - Description: alert.Description, - Technique: alert.Technique, Reference: alert.References, - DataType: alert.DataType, - DataSource: alert.DataSource, - Adversary: alert.Adversary, - Target: alert.Target, LastEvent: func() *plugins.Event { l := len(alert.Events) if l == 0 { @@ -352,13 +328,26 @@ func newAlert(alert *plugins.Alert, parentId *string) error { } return alert.Events[l-1] }(), - Events: alert.Events, - Impact: alert.Impact, - ImpactScore: alert.ImpactScore, DeduplicatedBy: alert.DeduplicateBy, GroupedBy: alert.GroupBy, } + a.Timestamp = alert.Timestamp + a.Id = alert.Id + a.ParentId = alert.ParentId + a.Name = alert.Name + a.Category = alert.Category + a.Description = alert.Description + a.Technique = alert.Technique + a.DataSource = alert.DataSource + a.DataType = alert.DataType + a.Adversary = alert.Adversary + a.Target = alert.Target + a.Events = alert.Events + a.Impact = alert.Impact + a.ImpactScore = alert.ImpactScore + a.Errors = alert.Errors + // Retry logic for indexing operation maxRetries := 3 retryDelay := 2 * time.Second From 6fbc0fa70218fba3bcc10a48cbe5567198a5ecf5 Mon Sep 17 00:00:00 2001 From: Osmany Montero Date: Tue, 3 Feb 2026 14:53:50 +0000 Subject: [PATCH 019/105] chore(tests): remove integration tests and update SDK to v1.1.11 - Deleted `integration_test.go` file as part of test cleanup. - Upgraded `github.com/threatwinds/go-sdk` to v1.1.11 in `go.mod` and `go.sum`. --- plugins/alerts/go.mod | 4 +- plugins/alerts/go.sum | 4 +- plugins/alerts/integration_test.go | 414 ----------------------------- 3 files changed, 4 insertions(+), 418 deletions(-) delete mode 100644 plugins/alerts/integration_test.go diff --git a/plugins/alerts/go.mod b/plugins/alerts/go.mod index d48c7c6dc..091402ac7 100644 --- a/plugins/alerts/go.mod +++ b/plugins/alerts/go.mod @@ -3,8 +3,7 @@ module github.com/utmstack/UTMStack/plugins/alerts go 1.25.5 require ( - github.com/google/uuid v1.6.0 - github.com/threatwinds/go-sdk v1.1.10 + github.com/threatwinds/go-sdk v1.1.11 github.com/tidwall/gjson v1.18.0 google.golang.org/protobuf v1.36.11 ) @@ -25,6 +24,7 @@ require ( github.com/goccy/go-json v0.10.5 // indirect github.com/goccy/go-yaml v1.19.2 // indirect github.com/google/cel-go v0.27.0 // indirect + github.com/google/uuid v1.6.0 // indirect github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/cpuid/v2 v2.3.0 // indirect diff --git a/plugins/alerts/go.sum b/plugins/alerts/go.sum index 0c6ce469a..52dbfb2d2 100644 --- a/plugins/alerts/go.sum +++ b/plugins/alerts/go.sum @@ -88,8 +88,8 @@ github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXl github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= -github.com/threatwinds/go-sdk v1.1.10 h1:joqXa0K8DiiJ135isRi6eOzVTtlPBY2i2yAS2ia2wNU= -github.com/threatwinds/go-sdk v1.1.10/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw= +github.com/threatwinds/go-sdk v1.1.11 h1:3S/sgT9qZaNK+YthSQ5b7D8ucJu70LhQg6yEFSaSqy8= +github.com/threatwinds/go-sdk v1.1.11/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw= github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= diff --git a/plugins/alerts/integration_test.go b/plugins/alerts/integration_test.go deleted file mode 100644 index 308ff1d5a..000000000 --- a/plugins/alerts/integration_test.go +++ /dev/null @@ -1,414 +0,0 @@ -package main - -import ( - "context" - "fmt" - "os" - "strings" - "testing" - "time" - - "github.com/google/uuid" - sdkos "github.com/threatwinds/go-sdk/os" - "github.com/threatwinds/go-sdk/plugins" - "google.golang.org/protobuf/types/known/structpb" -) - -func TestAlertsIntegration(t *testing.T) { - // 1. Setup OpenSearch connection - nodesEnv := os.Getenv("NODES") - if nodesEnv == "" { - t.Skip("NODES env var not set, skipping integration test") - } - - // Fix for http vs https mismatch in test environment - if strings.HasPrefix(nodesEnv, "https://") { - nodesEnv = strings.Replace(nodesEnv, "https://", "http://", 1) - } - if !strings.HasPrefix(nodesEnv, "http://") && !strings.HasPrefix(nodesEnv, "https://") { - nodesEnv = "http://" + nodesEnv - } - - err := sdkos.Connect([]string{nodesEnv}, os.Getenv("USER"), os.Getenv("PASSWORD")) - if err != nil { - t.Fatalf("Failed to connect to OpenSearch: %v", err) - } - - // Helper to create a test alert - createAlert := func(name, user string, dedup []string) *plugins.Alert { - return &plugins.Alert{ - Id: uuid.NewString(), - Name: name, - Description: "Integration Test Alert", - Timestamp: time.Now().UTC().Format(time.RFC3339Nano), - Severity: "low", - Events: []*plugins.Event{ - { - Log: map[string]*structpb.Value{ - "user": structpb.NewStringValue(user), - }, - }, - }, - DeduplicateBy: dedup, - GroupBy: dedup, // Default to using same fields for GroupBy in legacy tests - } - } - - // Helper to clean up - alertIndex := sdkos.BuildIndexPattern("v11", "alert") - runID := uuid.NewString() - - t.Run("Deduplication_Basic", func(t *testing.T) { - alertName := "DedupTest-" + runID - dedupFields := []string{"name"} - - // 1. Send First Alert - alert1 := createAlert(alertName, "user1", dedupFields) - _, err := correlate(context.Background(), alert1) - if err != nil { - t.Fatalf("First correlate failed: %v", err) - } - - // Allow OS to index - time.Sleep(1 * time.Second) - sdkos.RefreshIndex(context.Background(), alertIndex) - - // 2. Send Second Alert (DIFFERENT user so it's not a duplicate, but SAME name so it's grouped) - alert2 := createAlert(alertName, "user2", dedupFields) - alert2.DeduplicateBy = []string{"name", "events.0.log.user"} - alert2.GroupBy = []string{"name"} - - _, err = correlate(context.Background(), alert2) - if err != nil { - t.Fatalf("Second correlate failed: %v", err) - } - - time.Sleep(1 * time.Second) - sdkos.RefreshIndex(context.Background(), alertIndex) - - // Fetch alert2 - a2Doc, err := getAlertFromOS(alert2.Id) - if err != nil { - t.Fatalf("Failed to fetch alert 2: %v", err) - } - - if a2Doc.ParentID == nil { - t.Errorf("Expected Alert 2 to have ParentID, got nil") - } else if *a2Doc.ParentID != alert1.Id { - t.Errorf("Expected Alert 2 ParentID to be %s, got %s", alert1.Id, *a2Doc.ParentID) - } - }) - - t.Run("Deduplication_GroupBy_Fields", func(t *testing.T) { - alertName := "GroupByTest-" + runID - groupBy := []string{"name"} - dedupFields := []string{"name", "events.0.log.user"} - - // 1. User A - First Alert - alertA1 := createAlert(alertName, "userA", dedupFields) - alertA1.GroupBy = groupBy - - _, err := correlate(context.Background(), alertA1) - if err != nil { - t.Fatal(err) - } - - time.Sleep(1 * time.Second) - sdkos.RefreshIndex(context.Background(), alertIndex) - - // 2. User A - Second Alert -> DUPLICATE -> Should be dropped - alertA2_dup := createAlert(alertName, "userA", dedupFields) - alertA2_dup.GroupBy = groupBy - _, err = correlate(context.Background(), alertA2_dup) - if err != nil { - t.Fatal(err) - } - - // 3. User B - First Alert -> DIFFERENT for Dedup, SAME for GroupBy -> Should be linked - alertB1 := createAlert(alertName, "userB", dedupFields) - alertB1.GroupBy = groupBy - _, err = correlate(context.Background(), alertB1) - if err != nil { - t.Fatal(err) - } - - time.Sleep(1 * time.Second) - sdkos.RefreshIndex(context.Background(), alertIndex) - - // Verify A2_dup is NOT in OS - _, err = getAlertFromOS(alertA2_dup.Id) - if err == nil { - t.Errorf("Expected A2_dup to be dropped") - } - - // Verify B1 has parent A1 - docB1, err := getAlertFromOS(alertB1.Id) - if err != nil { - t.Fatalf("Failed to get B1: %v", err) - } - if docB1.ParentID == nil || *docB1.ParentID != alertA1.Id { - t.Errorf("Expected B1 parent to be A1. Got: %v", docB1.ParentID) - } - }) - - // Helper to get hit from OS - getHit := func(id string) (*sdkos.Hit, error) { - query := sdkos.SearchRequest{ - Query: &sdkos.Query{ - Term: map[string]map[string]interface{}{ - "id.keyword": { - "value": id, - }, - }, - }, - Size: 1, - } - hits, err := query.WideSearchIn(context.Background(), []string{sdkos.BuildIndexPattern("v11", "alert")}) - if err != nil { - return nil, err - } - if hits.Hits.Total.Value == 0 { - return nil, fmt.Errorf("not found") - } - return &hits.Hits.Hits[0], nil - } - - t.Run("Deduplication_Reopen_Closed", func(t *testing.T) { - alertName := "ReopenTest-" + runID - dedupFields := []string{"name"} - - // 1. Create Parent Alert - alertParent := createAlert(alertName, "user1", dedupFields) - _, err := correlate(context.Background(), alertParent) - if err != nil { - t.Fatal(err) - } - - time.Sleep(1 * time.Second) - sdkos.RefreshIndex(context.Background(), alertIndex) - - // 2. Manually Close the Parent Alert - hit, err := getHit(alertParent.Id) - if err != nil { - t.Fatal(err) - } - - var a AlertFields - hit.Source.ParseSource(&a) - a.Status = 5 - hit.Source.SetSource(a) - - err = hit.Save(context.Background()) - if err != nil { - t.Fatal("Failed to save closed alert:", err) - } - - time.Sleep(1 * time.Second) - sdkos.RefreshIndex(context.Background(), alertIndex) - - // 3. Create Child Alert (DIFFERENT user so it's not a duplicate, but SAME name so it's grouped) - alertChild := createAlert(alertName, "user2", dedupFields) - alertChild.DeduplicateBy = []string{"name", "events.0.log.user"} - alertChild.GroupBy = []string{"name"} - _, err = correlate(context.Background(), alertChild) - if err != nil { - t.Fatal(err) - } - - time.Sleep(1 * time.Second) - sdkos.RefreshIndex(context.Background(), alertIndex) - - // 4. Verify Parent is Re-opened (Status 2) - docParentReopened, err := getAlertFromOS(alertParent.Id) - if err != nil { - t.Fatal(err) - } - - if docParentReopened.Status != 2 { - t.Errorf("Expected Parent Alert to be re-opened (Status 2), but got %d", docParentReopened.Status) - } - - // Verify Grouping - docChild, _ := getAlertFromOS(alertChild.Id) - if docChild.ParentID == nil || *docChild.ParentID != alertParent.Id { - t.Errorf("Expected Child to group with Parent %s, got %v", alertParent.Id, docChild.ParentID) - } - }) - - t.Run("Deduplication_Missing_Field", func(t *testing.T) { - alertName := "MissingFieldTest-" + runID - dedupFields := []string{"name", "events.0.log.user"} - - alertNoUser := &plugins.Alert{ - Id: uuid.NewString(), - Name: alertName, - Timestamp: time.Now().UTC().Format(time.RFC3339Nano), - Severity: "low", - Events: []*plugins.Event{{Log: map[string]*structpb.Value{}}}, - DeduplicateBy: dedupFields, - GroupBy: dedupFields, - } - - alertWithUser := createAlert(alertName, "bob", dedupFields) - - _, err := correlate(context.Background(), alertNoUser) - if err != nil { - t.Fatal(err) - } - - time.Sleep(1 * time.Second) - sdkos.RefreshIndex(context.Background(), alertIndex) - - _, err = correlate(context.Background(), alertWithUser) - if err != nil { - t.Fatal(err) - } - - time.Sleep(1 * time.Second) - sdkos.RefreshIndex(context.Background(), alertIndex) - - docWithUser, _ := getAlertFromOS(alertWithUser.Id) - if docWithUser.ParentID != nil && *docWithUser.ParentID == alertNoUser.Id { - t.Errorf("Alert with User='bob' incorrectly deduped with Alert (User=Missing)") - } - - alertNoUser2 := &plugins.Alert{ - Id: uuid.NewString(), - Name: alertName, - Timestamp: time.Now().UTC().Format(time.RFC3339Nano), - Severity: "low", - Events: []*plugins.Event{{Log: map[string]*structpb.Value{"diff": structpb.NewStringValue("yes")}}}, - DeduplicateBy: dedupFields, - GroupBy: []string{"name"}, - } - - _, err = correlate(context.Background(), alertNoUser2) - if err != nil { - t.Fatal(err) - } - - time.Sleep(1 * time.Second) - sdkos.RefreshIndex(context.Background(), alertIndex) - - docNoUser2, err := getAlertFromOS(alertNoUser2.Id) - if err != nil { - t.Logf("Alert(NoUser2) correctly dropped or not found yet: %v", err) - } else if docNoUser2.ParentID == nil { - t.Errorf("Expected Alert(NoUser2) to find a parent") - } - }) - - t.Run("Deduplication_Empty_List", func(t *testing.T) { - alertName := "EmptyDedup-" + runID - alert1 := createAlert(alertName, "user1", []string{}) - _, err := correlate(context.Background(), alert1) - if err != nil { - t.Fatal(err) - } - alert2 := createAlert(alertName, "user1", []string{}) - _, err = correlate(context.Background(), alert2) - if err != nil { - t.Fatal(err) - } - time.Sleep(1 * time.Second) - sdkos.RefreshIndex(context.Background(), alertIndex) - doc1, _ := getAlertFromOS(alert1.Id) - doc2, _ := getAlertFromOS(alert2.Id) - if doc1 != nil && doc1.ParentID != nil { - t.Errorf("Alert 1 should be parent") - } - if doc2 != nil && doc2.ParentID != nil { - t.Errorf("Alert 2 should be separate parent") - } - }) - - t.Run("Deduplication_vs_GroupBy", func(t *testing.T) { - alertName := "DedupVsGroup-" + runID - groupBy := []string{"name"} - dedupBy := []string{"name", "events.0.log.user"} - - alert1 := &plugins.Alert{ - Id: uuid.NewString(), - Name: alertName, - Timestamp: time.Now().UTC().Format(time.RFC3339Nano), - Events: []*plugins.Event{{Log: map[string]*structpb.Value{"user": structpb.NewStringValue("userA")}}}, - DeduplicateBy: dedupBy, - GroupBy: groupBy, - } - _, err := correlate(context.Background(), alert1) - if err != nil { - t.Fatal(err) - } - time.Sleep(1 * time.Second) - sdkos.RefreshIndex(context.Background(), alertIndex) - - alert2 := &plugins.Alert{ - Id: uuid.NewString(), - Name: alertName, - Timestamp: time.Now().UTC().Format(time.RFC3339Nano), - Events: []*plugins.Event{{Log: map[string]*structpb.Value{"user": structpb.NewStringValue("userA")}}}, - DeduplicateBy: dedupBy, - GroupBy: groupBy, - } - _, err = correlate(context.Background(), alert2) - if err != nil { - t.Fatal(err) - } - time.Sleep(1 * time.Second) - sdkos.RefreshIndex(context.Background(), alertIndex) - - _, err = getAlertFromOS(alert2.Id) - if err == nil { - t.Errorf("Alert 2 (Duplicate) should not have been indexed") - } - - alert3 := &plugins.Alert{ - Id: uuid.NewString(), - Name: alertName, - Timestamp: time.Now().UTC().Format(time.RFC3339Nano), - Events: []*plugins.Event{{Log: map[string]*structpb.Value{"user": structpb.NewStringValue("userB")}}}, - DeduplicateBy: dedupBy, - GroupBy: groupBy, - } - _, err = correlate(context.Background(), alert3) - if err != nil { - t.Fatal(err) - } - time.Sleep(1 * time.Second) - sdkos.RefreshIndex(context.Background(), alertIndex) - doc3, err := getAlertFromOS(alert3.Id) - if err != nil { - t.Fatalf("Failed to get Alert 3: %v", err) - } - if doc3.ParentID == nil || *doc3.ParentID != alert1.Id { - t.Errorf("Alert 3 should have been grouped with Alert 1. Got: %v", doc3.ParentID) - } - }) -} - -func getAlertFromOS(id string) (*AlertFields, error) { - query := sdkos.SearchRequest{ - Query: &sdkos.Query{ - Term: map[string]map[string]interface{}{ - "id.keyword": { - "value": id, - }, - }, - }, - Size: 1, - } - ctx := context.Background() - hits, err := query.WideSearchIn(ctx, []string{sdkos.BuildIndexPattern("v11", "alert")}) - if err != nil { - return nil, err - } - if hits.Hits.Total.Value == 0 { - return nil, fmt.Errorf("alert not found") - } - var a AlertFields - err = hits.Hits.Hits[0].Source.ParseSource(&a) - if err != nil { - return nil, err - } - return &a, nil -} From d27805edd3178103edc87ddbebf4a535041ba942 Mon Sep 17 00:00:00 2001 From: Osmany Montero Date: Tue, 3 Feb 2026 15:09:31 +0000 Subject: [PATCH 020/105] docs(README): add detailed plugin overviews for alerts and config components --- plugins/alerts/README.md | 43 ++++++++++++++++ plugins/config/README.md | 103 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 146 insertions(+) diff --git a/plugins/alerts/README.md b/plugins/alerts/README.md index 631c4b320..2f917a1e8 100644 --- a/plugins/alerts/README.md +++ b/plugins/alerts/README.md @@ -1 +1,44 @@ # UTMStack Alerts Plugin + +This plugin handles alert correlation and deduplication for UTMStack. It processes incoming alerts, identifies duplicates, and groups related alerts to maintain a clean and manageable alert environment. + +## Features + +- **Alert Deduplication**: Automatically detects and skips duplicate alerts based on configured fields. +- **Alert Correlation**: Groups related alerts by linking them to a parent alert using specified fields. +- **Status Management**: Updates the status of parent alerts when new related events occur (e.g., re-opening completed alerts). +- **OpenSearch Integration**: Stores and updates alert documents directly in OpenSearch. +- **Resilience**: Implements retry logic for search and indexing operations and recovers from panics during alert processing. + +## Configuration + +The plugin requires the following configuration (usually provided via `org.opensearch` configuration): + +- `opensearch`: The URL of the OpenSearch cluster to connect to. + +## How it works + +1. **Initialization**: Connects to OpenSearch and registers itself as a correlation plugin. +2. **Correlation Logic**: + - Checks if the incoming alert is a duplicate based on `DeduplicateBy` fields. + - If not a duplicate, searches for a previous alert to link to based on `GroupBy` fields. + - If a parent alert is found, it updates the parent's status to "Open" if it was previously "Completed". +3. **Indexing**: Creates a new alert document in the `alert` index with metadata like severity, status, and related events. + +## Installation + +This plugin is part of the UTMStack ecosystem and is typically deployed as a containerized service. + +## Development + +To build the plugin: + +```bash +go build -o alerts-plugin main.go +``` + +## Dependencies + +- `github.com/threatwinds/go-sdk` +- `github.com/tidwall/gjson` +- `google.golang.org/protobuf` diff --git a/plugins/config/README.md b/plugins/config/README.md index cf4c0ba15..6ea788d8c 100644 --- a/plugins/config/README.md +++ b/plugins/config/README.md @@ -1 +1,104 @@ # UTMStack Config Plugin + +A lightweight service that keeps UTMStack detection content (rules, filters, patterns, and tenants) in sync from PostgreSQL to the local plugin work directory used by the ThreatWinds SDK. + +It periodically checks the database for updates and, when changes are detected, rewrites the YAML files that power the correlation and pipeline layers. + +## What it does +- Connects to PostgreSQL using settings under the `com.utmstack` configuration group. +- Detects changes in these tables (by their last-update timestamps): + - `utm_tenant_config` (assets/tenants) + - `utm_correlation_rules` (rules) + - `utm_logstash_filter` (pipeline filters) + - `utm_regex_pattern` (Grok/regex patterns) +- Writes files into the plugin work directory (`plugins.WorkDir`): + - `pipeline/tenants.yaml` — tenant and assets configuration + - `pipeline/patterns.yaml` — regex/grok patterns + - `pipeline/filters/.yaml` — Logstash/Log pipeline snippets, one file per active filter + - `rules/utmstack/.yaml` — correlation rules, one file per active rule +- Removes files that no longer exist in the database (safe cleanup per folder). +- Uses an inter-process lock so only one writer runs at a time. + +The loop runs every 30 seconds. If the environment mode is set to `playground`, the program exits immediately (disabled mode). + +## Configuration +This plugin relies on ThreatWinds Go SDK configuration. Two config namespaces are used: + +1) Database credentials: `com.utmstack` +``` +com: + utmstack: + postgresql: + server: 127.0.0.1 + port: 5432 + database: utmstack + user: utmstack + password: change_me +``` + +2) Plugin runtime options: `plugin_com.utmstack.config` +``` +plugin_com: + utmstack: + config: + env: + mode: prod # set to "playground" to disable the loop +``` + +Notes: +- The exact loading mechanism (file path, env) is provided by the ThreatWinds SDK; ensure the process can read these settings. +- `plugins.WorkDir` is also provided by the SDK. By default it points to the plugin’s writable work directory. + +## Database expectations +- Filters are read when `utm_logstash_filter.is_active = true` and written as `.yaml`. +- Rules are read when `utm_correlation_rules.rule_active = true` and written as `.yaml`. +- Rule data types are resolved from `utm_group_rules_data_type` and `utm_data_types`. +- Assets come from `utm_tenant_config` and are exported into `pipeline/tenants.yaml` as a single default tenant. +- Patterns come from `utm_regex_pattern` and are exported into `pipeline/patterns.yaml`. + +## Build +Requires Go (version as specified in `go.mod`). +``` +go build -o utmstack-config-plugin . +``` + +## Run +Ensure configuration is available to the process (see Configuration section), then run: +``` +./utmstack-config-plugin +``` +Behavior: +- On startup, the service connects to PostgreSQL and checks for changes. +- On change, it regenerates the output files under `plugins.WorkDir`. +- It sleeps for ~30s between checks. + +To temporarily disable processing (e.g., during local development), set the plugin env mode to `playground`. + +## Output layout (relative to plugins.WorkDir) +``` +./pipeline/ + tenants.yaml + patterns.yaml + /filters/ + .yaml +./rules/ + /utmstack/ + .yaml +``` + +## Error handling & logging +- Database, I/O, and serialization errors are wrapped with context via the `catcher` package. +- Locking is handled by the SDK (`plugins.AcquireLock`/`plugins.ReleaseLock`). + +## Development notes +Key functions are implemented in `main.go`: +- Database access: `connect`, `getFilters`, `getRules`, `getPatterns`, `getAssets`, `getRuleDataTypes`. +- Change detection: `hasChanges` (uses `MAX(updated_at)`/`MAX(last_update)` timestamps). +- Writers: `writeFilters`, `writeRules`, `writePatterns`, `writeTenant`. +- Cleanup: `cleanUpFilters`, `cleanUpRules`. + +## Troubleshooting +- Verify that the `com.utmstack` database credentials are correct and reachable. +- Ensure the process has write permissions to the SDK work directory (`plugins.WorkDir`). +- Confirm the plugin mode is not set to `playground`. +- Check logs for messages emitted by the `catcher` error wrapper. From bf646216b91edd3e607b66ec0b1926d310df21d6 Mon Sep 17 00:00:00 2001 From: Osmany Montero Date: Tue, 3 Feb 2026 16:03:33 +0000 Subject: [PATCH 021/105] feat(alerts): add `Timestamp` field to `AlertFields` struct - Introduced `Timestamp` field to store alert timestamps. - Updated initialization logic to handle the new field directly. --- plugins/alerts/main.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/plugins/alerts/main.go b/plugins/alerts/main.go index 8df59ba22..1c28e998c 100644 --- a/plugins/alerts/main.go +++ b/plugins/alerts/main.go @@ -24,6 +24,7 @@ type IncidentDetail struct { } type AlertFields struct { + Timestamp string `json:"@timestamp"` Status int `json:"status"` StatusLabel string `json:"statusLabel"` StatusObservation string `json:"statusObservation"` @@ -316,6 +317,7 @@ func newAlert(alert *plugins.Alert, parentId *string) error { } a := AlertFields{ + Timestamp: alert.Timestamp, Status: 1, StatusLabel: "Automatic review", Severity: severityN, @@ -332,7 +334,6 @@ func newAlert(alert *plugins.Alert, parentId *string) error { GroupedBy: alert.GroupBy, } - a.Timestamp = alert.Timestamp a.Id = alert.Id a.ParentId = alert.ParentId a.Name = alert.Name From 1ec490cfda1d4251ae93277d5776f6ae1c2902f3 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 3 Feb 2026 10:50:25 -0600 Subject: [PATCH 022/105] feat(adversary-alerts): enhance chart rendering logic with dynamic column count Signed-off-by: Manuel Abascal --- .../adversary-alerts-graph.component.ts | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/frontend/src/app/data-management/adversary-management/adversary-alerts-graph/adversary-alerts-graph.component.ts b/frontend/src/app/data-management/adversary-management/adversary-alerts-graph/adversary-alerts-graph.component.ts index cd0faedfd..246ec8be7 100644 --- a/frontend/src/app/data-management/adversary-management/adversary-alerts-graph/adversary-alerts-graph.component.ts +++ b/frontend/src/app/data-management/adversary-management/adversary-alerts-graph/adversary-alerts-graph.component.ts @@ -60,7 +60,6 @@ export class AdversaryAlertsGraphComponent implements OnChanges { const chartElement = document.querySelector('.chart-container'); const chartContainerWidth = chartElement ? chartElement.clientWidth : 1000; - // Si no hay hijos → solo 2 columnas const columnCount = hasAnyChildren ? 3 : 2; const columnWidth = chartContainerWidth / columnCount; @@ -133,6 +132,7 @@ export class AdversaryAlertsGraphComponent implements OnChanges { ]; let colorIndex = 0; + const hasAnyChildren = adversaryAlerts.some( g => g.alerts.some( a => a.children.length > 0 ) ); const nodeKey = (id: string, name: string) => `${id}::${name}`; const truncate = (text: string, max = 30) => text.length > max ? text.slice(0, max) + '…' : text; const getNodeSize = (count: number, base = 10, max = 30) => Math.min(base + count * 2, max); @@ -257,9 +257,6 @@ export class AdversaryAlertsGraphComponent implements OnChanges { const totalNodes = nodes.length; this.chartHeight = this.baseHeight + totalNodes * this.nodeGap; - console.log('totalNodes', nodes); - console.log('Links', links); - return { tooltip: { trigger: 'item', @@ -276,7 +273,7 @@ export class AdversaryAlertsGraphComponent implements OnChanges { `; } }, - graphic: this.getGraphicElements(), + graphic: this.getGraphicElements(hasAnyChildren), series: [{ type: 'sankey', orient: 'horizontal', From d3b2dd9d912725f19e1dfd096db34975654c2409 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 3 Feb 2026 10:50:32 -0600 Subject: [PATCH 023/105] feat(log-analyzer): update SQL editor container styles for responsive design Signed-off-by: Manuel Abascal --- .../log-analyzer-view.component.html | 2 +- .../log-analyzer-view.component.scss | 24 +++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/frontend/src/app/log-analyzer/explorer/log-analyzer-view/log-analyzer-view.component.html b/frontend/src/app/log-analyzer/explorer/log-analyzer-view/log-analyzer-view.component.html index ea773e5e3..975fa5f6c 100644 --- a/frontend/src/app/log-analyzer/explorer/log-analyzer-view/log-analyzer-view.component.html +++ b/frontend/src/app/log-analyzer/explorer/log-analyzer-view/log-analyzer-view.component.html @@ -43,7 +43,7 @@ -
+
Date: Tue, 3 Feb 2026 10:51:50 -0600 Subject: [PATCH 024/105] fix(package): restore package.json Signed-off-by: Manuel Abascal --- frontend/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frontend/package.json b/frontend/package.json index ee52bf852..aba386502 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -3,7 +3,7 @@ "version": "7.1.0", "scripts": { "ng": "ng", - "start": "ng serve --host 0.0.0.0 --disable-host-check", + "start": "ng serve --host 0.0.0.0", "build": "ng build --prod --base-href /", "test": "ng test", "lint": "ng lint", From 5b08e5277d9f6a6d8efff4dedaddc2d72100f9f9 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 3 Feb 2026 11:03:12 -0600 Subject: [PATCH 025/105] feat: update last update timestamp when activating or deactivating a rule --- .../service/correlation/rules/UtmCorrelationRulesService.java | 1 + 1 file changed, 1 insertion(+) diff --git a/backend/src/main/java/com/park/utmstack/service/correlation/rules/UtmCorrelationRulesService.java b/backend/src/main/java/com/park/utmstack/service/correlation/rules/UtmCorrelationRulesService.java index 6ae4c80b6..984d1b9dd 100644 --- a/backend/src/main/java/com/park/utmstack/service/correlation/rules/UtmCorrelationRulesService.java +++ b/backend/src/main/java/com/park/utmstack/service/correlation/rules/UtmCorrelationRulesService.java @@ -125,6 +125,7 @@ public void setRuleActivation(Long ruleId, boolean setActive) throws Exception { .orElseThrow(() -> new RuntimeException(ctx + ": The rule you're trying to activate or deactivate is not present in database.")); try { rule.setRuleActive(setActive); + rule.setRuleLastUpdate(Instant.now(Clock.systemUTC())); this.utmCorrelationRulesRepository.save(rule); } catch (Exception ex) { throw new RuntimeException(ctx + ": An error occurred while adding a rule.", ex); From 39360d8456fcb865dc21642a6017492a7691daf1 Mon Sep 17 00:00:00 2001 From: Osmany Montero Date: Tue, 3 Feb 2026 19:34:13 +0000 Subject: [PATCH 026/105] refactor(alerts): update `ParentId` initialization to handle nullable values --- plugins/alerts/main.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/plugins/alerts/main.go b/plugins/alerts/main.go index 1c28e998c..9245d6b53 100644 --- a/plugins/alerts/main.go +++ b/plugins/alerts/main.go @@ -335,7 +335,12 @@ func newAlert(alert *plugins.Alert, parentId *string) error { } a.Id = alert.Id - a.ParentId = alert.ParentId + a.ParentId = func() string { + if parentId != nil { + return *parentId + } + return "" + }() a.Name = alert.Name a.Category = alert.Category a.Description = alert.Description From 2ee1e050cdf7553b509b9d78c8adbf6cb57df6b4 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 3 Feb 2026 14:27:27 -0600 Subject: [PATCH 027/105] fix: update timestamp handling in correlation rules and logstash filter services --- .../service/correlation/rules/UtmCorrelationRulesService.java | 2 +- .../service/logstash_filter/UtmLogstashFilterService.java | 2 ++ .../utmstack/web/rest/logstash_filter/UtmFilterResource.java | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/backend/src/main/java/com/park/utmstack/service/correlation/rules/UtmCorrelationRulesService.java b/backend/src/main/java/com/park/utmstack/service/correlation/rules/UtmCorrelationRulesService.java index 984d1b9dd..97033db62 100644 --- a/backend/src/main/java/com/park/utmstack/service/correlation/rules/UtmCorrelationRulesService.java +++ b/backend/src/main/java/com/park/utmstack/service/correlation/rules/UtmCorrelationRulesService.java @@ -125,7 +125,7 @@ public void setRuleActivation(Long ruleId, boolean setActive) throws Exception { .orElseThrow(() -> new RuntimeException(ctx + ": The rule you're trying to activate or deactivate is not present in database.")); try { rule.setRuleActive(setActive); - rule.setRuleLastUpdate(Instant.now(Clock.systemUTC())); + rule.setRuleLastUpdate(Instant.now()); this.utmCorrelationRulesRepository.save(rule); } catch (Exception ex) { throw new RuntimeException(ctx + ": An error occurred while adding a rule.", ex); diff --git a/backend/src/main/java/com/park/utmstack/service/logstash_filter/UtmLogstashFilterService.java b/backend/src/main/java/com/park/utmstack/service/logstash_filter/UtmLogstashFilterService.java index f3d7e5b67..4afb5dd94 100644 --- a/backend/src/main/java/com/park/utmstack/service/logstash_filter/UtmLogstashFilterService.java +++ b/backend/src/main/java/com/park/utmstack/service/logstash_filter/UtmLogstashFilterService.java @@ -6,6 +6,7 @@ import org.springframework.stereotype.Service; import org.springframework.transaction.annotation.Transactional; +import java.time.Instant; import java.util.List; import java.util.Optional; @@ -36,6 +37,7 @@ public UtmLogstashFilterService(UtmLogstashFilterRepository logstashFilterReposi public UtmLogstashFilter save(UtmLogstashFilter logstashFilter) { final String ctx = CLASSNAME + ".save"; try { + logstashFilter.setUpdatedAt(Instant.now()); logstashFilter.setSystemOwner(false); return logstashFilterRepository.save(logstashFilter); } catch (Exception e) { diff --git a/backend/src/main/java/com/park/utmstack/web/rest/logstash_filter/UtmFilterResource.java b/backend/src/main/java/com/park/utmstack/web/rest/logstash_filter/UtmFilterResource.java index b43929aa7..12060773c 100644 --- a/backend/src/main/java/com/park/utmstack/web/rest/logstash_filter/UtmFilterResource.java +++ b/backend/src/main/java/com/park/utmstack/web/rest/logstash_filter/UtmFilterResource.java @@ -72,7 +72,7 @@ public ResponseEntity createLogstashFilter(@Valid @RequestBod // If you provide a pipelineId we create relation, otherwise only create the filter if (pipelineId!=null) { Optional pipeline = pipelineService.findOne(pipelineId); - if (!pipeline.isPresent()) { + if (pipeline.isEmpty()) { throw new Exception("The pipeline with ID (" + pipelineId + ") not exists"); } UtmLogstashFilter filter = logstashFilterService.save(logstashFilter); From 0ca5bfbc17bfa20ec6aa0c102a810a1b43184427 Mon Sep 17 00:00:00 2001 From: Yorjander Hernandez Vergara Date: Tue, 3 Feb 2026 15:40:33 -0500 Subject: [PATCH 028/105] fix[ci/cd]: solved multiple instance problem in actions --- .github/workflows/v11-deployment-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/v11-deployment-pipeline.yml b/.github/workflows/v11-deployment-pipeline.yml index 8ac8a5e94..65d09e245 100644 --- a/.github/workflows/v11-deployment-pipeline.yml +++ b/.github/workflows/v11-deployment-pipeline.yml @@ -522,7 +522,7 @@ jobs: -H "Content-Type: application/json" \ -H "id: $auth_id" \ -H "key: $auth_key" \ - -d "{\"instance_id\": \"$instance_id\", \"version\": \"$TAG\"}") + -d "{\"instances_ids\": [\"$instance_id\"], \"version\": \"$TAG\"}") http_code=$(echo "$response" | tail -n1) body=$(echo "$response" | sed '$d') From 576874f6a2de4dd53a81f1d3fd4f9229abf72912 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 3 Feb 2026 19:23:59 -0600 Subject: [PATCH 029/105] feat(rule-view): enhance YAML export functionality and improve UI layout Signed-off-by: Manuel Abascal --- .../see-rule/rule-view.component.html | 26 ++++--- .../see-rule/rule-view.component.scss | 76 +++++++++++++++++++ .../see-rule/rule-view.component.ts | 61 ++++++++++++--- .../shared/rule-yaml.mapper.ts | 23 ++++++ 4 files changed, 163 insertions(+), 23 deletions(-) create mode 100644 frontend/src/app/shared/components/utm/util/utm-file-upload/shared/rule-yaml.mapper.ts diff --git a/frontend/src/app/rule-management/app-rule/components/see-rule/rule-view.component.html b/frontend/src/app/rule-management/app-rule/components/see-rule/rule-view.component.html index d326d5738..3780f27e1 100644 --- a/frontend/src/app/rule-management/app-rule/components/see-rule/rule-view.component.html +++ b/frontend/src/app/rule-management/app-rule/components/see-rule/rule-view.component.html @@ -1,17 +1,21 @@ + - +
+
+ {{ 'YAML - ' + rowDocument.name }} +
- +
+ - - -
- + +
-
- - +
+ 

 

diff --git a/frontend/src/app/rule-management/app-rule/components/see-rule/rule-view.component.scss b/frontend/src/app/rule-management/app-rule/components/see-rule/rule-view.component.scss
index 2f8409575..2025c4be1 100644
--- a/frontend/src/app/rule-management/app-rule/components/see-rule/rule-view.component.scss
+++ b/frontend/src/app/rule-management/app-rule/components/see-rule/rule-view.component.scss
@@ -34,3 +34,79 @@ app-utm-modal-header {
     transform: scale(1.05);
   }
 }
+
+.yaml-container {
+  width: 100%;
+  background: #ffffff;
+  padding: 16px;
+  border-radius: 6px;
+  border: 1px solid #e5e7eb;
+}
+
+.yaml-preview {
+  white-space: pre-wrap;
+  font-family: "Fira Code", monospace;
+  font-size: 14px;
+}
+
+::ng-deep .yaml-key {
+  color: #0277bd;
+  font-weight: 600;
+}
+
+::ng-deep .yaml-value {
+  color: #FF6B6B;
+}
+
+.sub-header {
+  background: transparent;
+  border: none;
+  border-bottom: 1px solid #f0f0f0;
+  padding: 12px 0;
+  margin-bottom: 16px;
+  box-shadow: none;
+}
+
+.sub-header-title {
+  font-size: 13px;
+  font-weight: 600;
+  color: #666666;
+  letter-spacing: 0.3px;
+  text-transform: uppercase;
+  max-width: 70%;
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+}
+
+.sub-btn {
+  background: #232f3e;
+  color: #ffffff;
+  padding: .375rem .75rem;
+  font-size: .75rem !important;
+  border: none;
+  font-weight: 400;
+  cursor: pointer;
+  transition: all 0.2s ease;
+  display: inline-flex;
+  align-items: center;
+  gap: 6px;
+  white-space: nowrap;
+  border-radius: .25rem;
+
+  &:hover {
+    background: #364556;
+    box-shadow: 0 2px 8px rgba(0, 0, 0, 0.2);
+    transform: translateY(-1px);
+  }
+
+  &:active {
+    transform: translateY(0);
+    box-shadow: 0 1px 4px rgba(0, 0, 0, 0.15);
+  }
+
+  i {
+    font-size: .75rem !important;
+  }
+}
+
diff --git a/frontend/src/app/rule-management/app-rule/components/see-rule/rule-view.component.ts b/frontend/src/app/rule-management/app-rule/components/see-rule/rule-view.component.ts
index 126886e59..d9c0696ba 100644
--- a/frontend/src/app/rule-management/app-rule/components/see-rule/rule-view.component.ts
+++ b/frontend/src/app/rule-management/app-rule/components/see-rule/rule-view.component.ts
@@ -1,34 +1,71 @@
-
-import { Component, Input } from '@angular/core';
-import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
-import { Rule } from '../../../models/rule.model';
+import {Component, Input, OnInit} from '@angular/core';
 import * as yaml from 'js-yaml';
+import {mapRuleToYaml} from '../../../../shared/components/utm/util/utm-file-upload/shared/rule-yaml.mapper';
+import {Rule} from '../../../models/rule.model';
 
 @Component({
   selector: 'app-rule-view',
   templateUrl: './rule-view.component.html',
   styleUrls: ['./rule-view.component.scss'],
 })
-export class RuleViewComponent {
- @Input() rowDocument: Rule;
+export class RuleViewComponent implements OnInit {
+  @Input() rowDocument: Rule;
 
   copied = false;
 
+  ngOnInit() {
+    console.log('Rule received:', this.rowDocument);
+  }
+
   get yamlString(): string {
     try {
-      return yaml.dump(this.rowDocument, { indent: 2 });
+      const yamlModel = mapRuleToYaml(this.rowDocument);
+
+      return yaml.dump(yamlModel, {
+        indent: 2,
+        lineWidth: -1,
+        styles: {
+          '!!null': 'empty'
+        }
+      });
     } catch (e) {
-      return 'Error parsing YAML';
+      return 'Error generating YAML';
     }
   }
 
+  get yamlHighlighted(): string {
+    return this.yamlString
+      .replace(/^(\s*)([a-zA-Z0-9_]+):/gm, '$1$2:')
+      .replace(/: (.*)/g, ': $1')
+      .replace(/-\s+(.*)/g, '- $1')
+      .replace(/^\s{2,}(.+)/gm, '  $1');
+  }
+
+  exportYaml() {
+    const yamlContent = this.yamlString;
+
+    const blob = new Blob([yamlContent], {
+      type: 'text/yaml;charset=utf-8'
+    });
+
+    const url = window.URL.createObjectURL(blob);
+
+    const a = document.createElement('a');
+    a.href = url;
+
+    a.download = `${this.rowDocument.name || 'rule'}.yml`
+      .replace(/\s+/g, '-')
+      .toLowerCase();
+    a.click();
+
+    window.URL.revokeObjectURL(url);
+  }
+
+
   copyToClipboard() {
-    window.navigator['clipboard'].writeText(this.yamlString).then(() => {
+    (navigator as any).clipboard.writeText(this.yamlString).then(() => {
       this.copied = true;
       setTimeout(() => (this.copied = false), 1500);
     });
   }
 }
-
-
-
diff --git a/frontend/src/app/shared/components/utm/util/utm-file-upload/shared/rule-yaml.mapper.ts b/frontend/src/app/shared/components/utm/util/utm-file-upload/shared/rule-yaml.mapper.ts
new file mode 100644
index 000000000..31f8fe053
--- /dev/null
+++ b/frontend/src/app/shared/components/utm/util/utm-file-upload/shared/rule-yaml.mapper.ts
@@ -0,0 +1,23 @@
+import {Rule} from '../../../../../../rule-management/models/rule.model';
+
+
+export function mapRuleToYaml(rule: Rule): any {
+  return {
+    name: rule.name,
+    dataTypes: rule.dataTypes ? rule.dataTypes.map(d => d.dataType) : [],
+    impact: {
+      confidentiality: rule.confidentiality,
+      integrity: rule.integrity,
+      availability: rule.availability
+    },
+    category: rule.category,
+    technique: rule.technique,
+    adversary: rule.adversary,
+    references: rule.references,
+    description: rule.description,
+    where: rule.definition,
+    afterEvents: rule.afterEvents && rule.afterEvents.length ? rule.afterEvents : [],
+    groupBy: rule.groupBy && rule.groupBy.length ? rule.groupBy : [],
+    deduplicateBy: rule.deduplicateBy && rule.deduplicateBy.length ? rule.deduplicateBy : []
+  };
+}

From ad0da80af1435dd1aa9f3e20bad953fd13c252ed Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Wed, 4 Feb 2026 07:56:57 -0600
Subject: [PATCH 030/105] fix: rename assetIpMacName to searchQuery in agent
 sidebar data loading

Signed-off-by: Manuel Abascal 
---
 .../shared/component/agent-sidebar/agent-sidebar.component.ts   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/app/incident-response/shared/component/agent-sidebar/agent-sidebar.component.ts b/frontend/src/app/incident-response/shared/component/agent-sidebar/agent-sidebar.component.ts
index 320d6d518..b1e39fd91 100644
--- a/frontend/src/app/incident-response/shared/component/agent-sidebar/agent-sidebar.component.ts
+++ b/frontend/src/app/incident-response/shared/component/agent-sidebar/agent-sidebar.component.ts
@@ -27,7 +27,7 @@ export class AgentSidebarComponent implements OnInit {
     this.agentSidebarService.loadData({
       ...this.request,
       page: 0,
-      assetIpMacName: $event.toString()
+      searchQuery: $event.toString()
     });
   }
 

From 6002ad7330e8f484ed2e06f5b057630d313515d8 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Wed, 4 Feb 2026 12:34:48 -0600
Subject: [PATCH 031/105] fix: clean up alert detail view logic and HTML
 formatting

Signed-off-by: Manuel Abascal 
---
 .../alert-management/alert-view/alert-view.component.html     | 3 +--
 .../alert-management/alert-view/alert-view.component.ts       | 4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.html b/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.html
index 863052961..208b44871 100644
--- a/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.html
+++ b/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.html
@@ -219,8 +219,7 @@ 

     
       
+          (click)="viewDetailAlert(alert, td)">
 
          0) {
+      /*if (alert.echoes > 0) {
         alert.expanded = true;
         this.loadChildrenAlerts(alert);
-      }
+      }*/
       this.alertDetail = alert;
       this.viewAlertDetail = true;
     }

From 4a2f429f2a5ea8a49be561d7d1540fe362b197a3 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Wed, 4 Feb 2026 12:46:38 -0600
Subject: [PATCH 032/105] feat: add constructors to ComplianceFileResponse for
 improved object initialization

---
 .../service/compliance/ComplianceFileResponse.java        | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceFileResponse.java b/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceFileResponse.java
index 0beccfa66..79653e459 100644
--- a/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceFileResponse.java
+++ b/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceFileResponse.java
@@ -1,17 +1,19 @@
 package com.park.utmstack.service.compliance;
 
+import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;
+import lombok.NoArgsConstructor;
 
 @Data
 @Builder
+@NoArgsConstructor
+@AllArgsConstructor
 public class ComplianceFileResponse {
-    // Success fields
     private byte[] pdfBytes;
-
-    // Error fields
     private boolean error;
     private String message;
     private String details;
 }
 
+

From 6784002b9d527e79361847571135125c99277b6f Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Wed, 4 Feb 2026 13:48:17 -0600
Subject: [PATCH 033/105] refactor: improve ComplianceMailService and
 PdfService for better error handling and code clarity

---
 .../compliance/ComplianceFileResponse.java    | 19 ------
 .../compliance/ComplianceMailService.java     | 56 ++++++++++-------
 .../UtmComplianceReportScheduleService.java   | 63 ++++++++++++-------
 .../utmstack/service/util/PdfService.java     | 54 +---------------
 4 files changed, 74 insertions(+), 118 deletions(-)
 delete mode 100644 backend/src/main/java/com/park/utmstack/service/compliance/ComplianceFileResponse.java

diff --git a/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceFileResponse.java b/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceFileResponse.java
deleted file mode 100644
index 79653e459..000000000
--- a/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceFileResponse.java
+++ /dev/null
@@ -1,19 +0,0 @@
-package com.park.utmstack.service.compliance;
-
-import lombok.AllArgsConstructor;
-import lombok.Builder;
-import lombok.Data;
-import lombok.NoArgsConstructor;
-
-@Data
-@Builder
-@NoArgsConstructor
-@AllArgsConstructor
-public class ComplianceFileResponse {
-    private byte[] pdfBytes;
-    private boolean error;
-    private String message;
-    private String details;
-}
-
-
diff --git a/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceMailService.java b/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceMailService.java
index b553d14ba..4567fc274 100644
--- a/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceMailService.java
+++ b/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceMailService.java
@@ -1,46 +1,56 @@
 package com.park.utmstack.service.compliance;
 
 import com.park.utmstack.service.MailService;
+import com.park.utmstack.service.dto.web_pdf.PdfServiceResponse;
 import com.park.utmstack.service.util.PdfService;
+import lombok.RequiredArgsConstructor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Service;
-import org.springframework.transaction.annotation.Transactional;
 
 import java.time.Clock;
 import java.time.Instant;
 
-/**
- * Service Implementation for managing Compliance PDF Delivery.
- */
 @Service
-@Transactional
+@RequiredArgsConstructor
 public class ComplianceMailService {
-    private final Logger log = LoggerFactory.getLogger(ComplianceMailService.class);
+
+    private static final Logger log = LoggerFactory.getLogger(ComplianceMailService.class);
     private static final String CLASSNAME = "ComplianceMailService";
+
     private final MailService mailService;
     private final PdfService pdfService;
 
-    public ComplianceMailService(MailService mailService,
-                                 PdfService pdfService) {
-        this.mailService = mailService;
-        this.pdfService = pdfService;
-    }
-
-    /**
-     * Method to generate dashboard in PDF format and send via email
-     */
-    public void sendComplianceByMail(String url, String userEmail) throws Exception {
+    public void sendComplianceByMail(String url, String userEmail) {
         final String ctx = CLASSNAME + ".sendComplianceByMail";
 
         String accessKey = System.getenv("INTERNAL_KEY");
-        byte[] pdfInBytes = pdfService.getPdf(url, accessKey,PdfService.PdfAccessTypes.PDF_TYPE_INTERNAL.get());
-        if (pdfInBytes != null && pdfInBytes.length > 0) {
-            mailService.sendComplianceReportEmail(userEmail, "UTMStack Compliance Report Delivery"
-                , "This is a scheduled email delivery of a Compliance Report, please do not answer this email. ",
-                "Compliance_Report_" + Instant.now(Clock.systemUTC()) + ".pdf", pdfInBytes);
-        } else {
-            log.error(ctx + ": We couldn't send the email, reason: No data returned from PDF service");
+
+        if (accessKey == null || accessKey.isBlank()) {
+            log.error("{}: INTERNAL_KEY environment variable is missing", ctx);
+            return;
         }
+
+        PdfServiceResponse response =
+                pdfService.downloadPdf(url, accessKey, PdfService.PdfAccessTypes.PDF_TYPE_INTERNAL.get());
+
+        if (response.getPdfBytes() == null || response.getPdfBytes().length == 0) {
+            log.error("{}: PDF service returned empty content for URL {}", ctx, url);
+            return;
+        }
+
+        String filename = "Compliance_Report_" + Instant.now(Clock.systemUTC()) + ".pdf";
+
+        mailService.sendComplianceReportEmail(
+                userEmail,
+                "UTMStack Compliance Report Delivery",
+                "This is a scheduled email delivery of a Compliance Report, please do not answer this email.",
+                filename,
+                response.getPdfBytes()
+        );
+
+        log.info("{}: Email successfully sent to {}", ctx, userEmail);
+
     }
 }
+
diff --git a/backend/src/main/java/com/park/utmstack/service/compliance/UtmComplianceReportScheduleService.java b/backend/src/main/java/com/park/utmstack/service/compliance/UtmComplianceReportScheduleService.java
index 9e98a4cd3..67a09fd7e 100644
--- a/backend/src/main/java/com/park/utmstack/service/compliance/UtmComplianceReportScheduleService.java
+++ b/backend/src/main/java/com/park/utmstack/service/compliance/UtmComplianceReportScheduleService.java
@@ -11,12 +11,14 @@
 import com.park.utmstack.service.UserService;
 import com.park.utmstack.service.application_events.ApplicationEventService;
 import com.park.utmstack.service.dto.compliance.UtmComplianceReportScheduleCriteria;
+import com.park.utmstack.util.exceptions.ApiException;
 import com.park.utmstack.web.rest.errors.BadRequestAlertException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.jpa.domain.Specification;
+import org.springframework.http.HttpStatus;
 import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.scheduling.support.CronExpression;
 import org.springframework.stereotype.Service;
@@ -128,7 +130,7 @@ public Optional findByComplianceReportValues(UtmCom
         log.debug("Request to get UtmComplianceReportSchedule : {}", reportSchedule);
         User user = userService.getCurrentUserLogin();
         return utmComplianceReportScheduleRepository.findFirstByUserIdAndComplianceIdAndScheduleString(user.getId(),
-            reportSchedule.getComplianceId(),reportSchedule.getScheduleString());
+                reportSchedule.getComplianceId(), reportSchedule.getScheduleString());
     }
 
     /**
@@ -144,31 +146,43 @@ public void delete(Long id) {
 
     /**
      * Scheduled method to execute the compliance report pdf generation and email delivery
-     * */
+     *
+     */
     @Scheduled(fixedDelay = 5000, initialDelay = 30000)
     public void scheduleComplianceReport() {
-        final String ctx = CLASSNAME + ".scheduleComplianceReport";
 
         List schedulesList = findAll();
+        schedulesList.forEach(this::processSchedule);
+
+    }
+
+    private void processSchedule(UtmComplianceReportSchedule schedule) {
+
+        Optional userOpt = userService.getUserWithAuthorities(schedule.getUserId());
+
+        if (userOpt.isEmpty()) {
+            log.error("Schedule {} skipped: user {} not found", schedule.getId(), schedule.getUserId());
+            return;
+        }
+
+        User user = userOpt.get();
+
+        Instant now = Instant.now(Clock.systemUTC());
+        Instant next = getNext(schedule.getScheduleString(), schedule.getLastExecutionTime(), now);
+
+        if (!isTimeToExecute(next, now)) {
+            return;
+        }
+
+        complianceMailService.sendComplianceByMail(schedule.getUrlWithParams(), user.getEmail());
+        markExecuted(schedule, next);
 
-        schedulesList.forEach(current -> {
-            Optional user = userService.getUserWithAuthorities(current.getUserId());
-            try {
-                Instant currentDate = Instant.now(Clock.systemUTC());
-                Instant next = getNext(current.getScheduleString(), current.getLastExecutionTime(), currentDate);
-                if (isTimeToExecute(next, currentDate)) {
-                    // Set the next execution time (Base time seed)
-                    current.setLastExecutionTime(next);
-                    utmComplianceReportScheduleRepository.save(current);
-                    complianceMailService.sendComplianceByMail(current.getUrlWithParams(), user.get().getEmail());
-                }
-
-            } catch (Exception e) {
-                String msg = ctx + ": " + e.getLocalizedMessage();
-                log.error(msg);
-                applicationEventService.createEvent(msg, ApplicationEventType.ERROR);
-            }
-        });
+    }
+
+    @Transactional
+    public void markExecuted(UtmComplianceReportSchedule schedule, Instant next) {
+        schedule.setLastExecutionTime(next);
+        utmComplianceReportScheduleRepository.save(schedule);
     }
 
     /***
@@ -180,7 +194,8 @@ private boolean isTimeToExecute(Instant next, Instant currentDate) {
 
     /**
      * Method to know the next valid Instant to execute the task, even if the system was shut down for a while
-     * */
+     *
+     */
     private Instant getNext(String cronExpresion, Instant lastExecution, Instant currentDate) {
         CronExpression parse = CronExpression.parse(cronExpresion);
         Instant possibleNext = Objects.requireNonNull(parse.next(lastExecution.atZone(ZoneOffset.UTC))).toInstant();
@@ -194,7 +209,7 @@ private Instant getNext(String cronExpresion, Instant lastExecution, Instant cur
             // near next execution to avoid extra executions, because the general scheduler that calls these methods,
             // is every 5 seconds
             Long diffBetweenCurrentAndPossibleNext = currentSecs - possibleNext.getEpochSecond();
-            Integer rate = Long.valueOf(diffBetweenCurrentAndPossibleNext/diffBetweenLastAndNext).intValue();
+            Integer rate = Long.valueOf(diffBetweenCurrentAndPossibleNext / diffBetweenLastAndNext).intValue();
             Instant resultNext = lastExecution.atZone(ZoneOffset.UTC).toInstant().plusSeconds(diffBetweenLastAndNext * rate);
             return resultNext.atZone(ZoneOffset.UTC).toInstant();
         }
@@ -205,7 +220,7 @@ private Specification createSpecification(UtmCompli
 
         User user = userService.getCurrentUserLogin();
         Specification specification = Specification.where((root, query, criteriaBuilder) ->
-                                                                                        criteriaBuilder.equal(root.get("userId"), user.getId()));
+                criteriaBuilder.equal(root.get("userId"), user.getId()));
         if (criteria != null) {
             if (criteria.getName() != null) {
                 specification = specification.and(buildSpecification(criteria.getName(),
diff --git a/backend/src/main/java/com/park/utmstack/service/util/PdfService.java b/backend/src/main/java/com/park/utmstack/service/util/PdfService.java
index 5441694b0..758ef9d5f 100644
--- a/backend/src/main/java/com/park/utmstack/service/util/PdfService.java
+++ b/backend/src/main/java/com/park/utmstack/service/util/PdfService.java
@@ -1,11 +1,10 @@
 package com.park.utmstack.service.util;
 
 import com.park.utmstack.config.Constants;
-import com.park.utmstack.service.compliance.ComplianceFileResponse;
 import com.park.utmstack.service.dto.web_pdf.PdfServiceResponse;
-import com.park.utmstack.service.federation_service.UtmFederationServiceClientService;
 import com.park.utmstack.service.web_clients.rest_template.RestTemplateService;
 import com.park.utmstack.util.exceptions.ApiException;
+import lombok.RequiredArgsConstructor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpStatus;
@@ -14,66 +13,17 @@
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.util.UriComponentsBuilder;
 
-import java.util.Objects;
-
 /**
  * Service Implementation for PDF generation.
  */
 @Service
+@RequiredArgsConstructor
 @Transactional
 public class PdfService {
     private final Logger log = LoggerFactory.getLogger(PdfService.class);
     private static final String CLASSNAME = "PdfService";
-    private final UtmFederationServiceClientService fsService;
     private final RestTemplateService restTemplateService;
 
-    private final String COMPLIANCE_EXPORT_URL = "/dashboard/export-compliance/";
-
-    public PdfService(UtmFederationServiceClientService fsService,
-                      RestTemplateService restTemplateService) {
-        this.fsService = fsService;
-        this.restTemplateService = restTemplateService;
-    }
-
-    /**
-     * Get pdf report in bytes array.
-     *
-     * @param url the url of the compliance report.
-     * @return the pdf report in bytes array.
-     */
-    @Transactional(readOnly = true)
-    public ResponseEntity getPdfReportByUrlInBytes(String url, String accessKey, String accessType) throws Exception{
-        log.debug("Request to get UtmComplianceReportSchedule : {}", url);
-        return ResponseEntity.ok().body(getPdf(Constants.FRONT_BASE_URL + url, accessKey, accessType));
-    }
-
-    /**
-     * Method to get pdf in bytes
-     */
-    public byte[] getPdf(String url, String accessKey, String accessType) throws Exception {
-        final String ctx = CLASSNAME + ".getPdf";
-
-        String urlService = UriComponentsBuilder.fromUriString(Constants.PDF_SERVICE_URL)
-            .queryParam("baseUrl", Constants.FRONT_BASE_URL)
-            .queryParam("url", url)
-            .queryParam("accessKey", accessKey)
-            .queryParam("accessType", accessType)
-            .build().toUriString();
-
-        ResponseEntity rs = restTemplateService.get(urlService, ComplianceFileResponse.class);
-        log.info("Requesting PDF creation to URL : {}", Constants.PDF_SERVICE_URL + "?url=" + url);
-        if (!rs.getStatusCode().is2xxSuccessful()) {
-            log.error(ctx + ": {}", restTemplateService.extractErrorMessage(rs));
-        } else {
-            byte[] pdfInBytes = Objects.requireNonNull(rs.getBody()).getPdfBytes();
-            if (pdfInBytes != null && pdfInBytes.length > 0) {
-                return pdfInBytes;
-            } else {
-                log.error(ctx + ": We couldn't generate the pdf, reason: No data returned from PDF service");
-            }
-        }
-        return null;
-    }
 
     public PdfServiceResponse downloadPdf(String url, String accessKey, String accessType) {
         final String ctx = CLASSNAME + ".getPdf";

From 723c82cb11ec78da9ff644cf200c5e4dd6e382a1 Mon Sep 17 00:00:00 2001
From: JocLRojas 
Date: Wed, 4 Feb 2026 23:15:55 +0300
Subject: [PATCH 034/105] refactor(o365-filter): improve the office365 filter
 to properly complement the correlation rules

---
 filters/office365/o365.yml | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/filters/office365/o365.yml b/filters/office365/o365.yml
index 742e0af55..6ccc68ca9 100755
--- a/filters/office365/o365.yml
+++ b/filters/office365/o365.yml
@@ -1,4 +1,4 @@
-# Microsoft 365 filter, version 1.0.2
+# Microsoft 365 filter, version 1.0.3
 
 # Based on Official documentation
 # See https://learn.microsoft.com/en-us/compliance/assurance/assurance-microsoft-365-audit-log-collection
@@ -72,6 +72,26 @@ pipeline:
             - log.UserId
           to: origin.user
 
+      - rename:  
+          from:
+            - log.Folder.Path
+          to: log.folderPath
+
+      - rename:  
+          from:
+            - log.Folder.Id
+          to: log.folderId
+
+      - rename:  
+          from:
+            - log.DestFolder.Id
+          to: log.destFolderId
+
+      - rename:  
+          from:
+            - log.DestFolder.Path
+          to: log.destFolderPath
+
       # Drop unnecessary events
       - drop:
           where: "['SupervisionRuleMatch', 'SupervisoryReviewTag', 'ComplianceManagerAutomationChange', 'LabelContentExplorerAccessedItem', 'CreateCopilotPlugin', 'CreateCopilotPromptBook', 'DeleteCopilotPlugin', 'DeleteCopilotPromptBook', 'DisableCopilotPlugin', 'DisableCopilotPromptBook', 'EnableCopilotPlugin', 'EnableCopilotPromptBook', 'CopilotInteraction', 'UpdateCopilotPlugin', 'UpdateCopilotPromptBook', 'UpdateCopilotSettings', 'ApproveDisposal', 'ExtendRetention', 'RelabelItem', 'SearchUpdated', 'CaseUpdated', 'SearchPermissionUpdated', 'HoldUpdated', 'PreviewItemDownloaded', 'PreviewItemListed', 'SearchCreated', 'CaseAdded', 'HoldCreated', 'SearchRemoved', 'HoldRemoved', 'SearchExportDownloaded', 'SearchPreviewed', 'SearchResultsPurged', 'RemovedSearchResultsSentToZoom', 'RemovedSearchExported', 'RemovedSearchPreviewed', 'RemovedSearchResultsPurged', 'SearchReportRemoved', 'SearchResultsSentToZoom', 'SearchStarted', 'SearchExported', 'SearchReport', 'SearchStopped', 'SearchViewed', 'ViewedSearchExported', 'ViewedSearchPreviewed', 'AddRemediatedData', 'BurnJob', 'CreateWorkingSet', 'CreateWorkingSetSearch', 'CreateTag', 'DeleteWorkingSetSearch', 'DeleteTag', 'DownloadDocument', 'UpdateTag', 'ExportJob', 'UpdateWorkingSetSearch', 'PreviewWorkingSetSearch', 'ErrorRemediationJob', 'TagFiles', 'TagJob', 'ViewDocument', 'Copy', 'Create', 'ApplyRecordLabel', 'HardDelete', 'Send', 'Update', 'FileAccessed', 'FileAccessedExtended', 'ComplianceSettingChanged', 'LockRecord', 'UnlockRecord', 'FileCheckedIn', 'FileCheckedOut', 'FileCopied', 'FileDeletedFirstStageRecycleBin', 'FileDeletedSecondStageRecycleBin', 'RecordDelete', 'DocumentSensitivityMismatchDetected', 'FileCheckOutDiscarded', 'FileDownloaded', 'FileModifiedExtended', 'FilePreviewed', 'SearchQueryPerformed', 'FileRecycled', 'FolderRecycled', 'FileVersionsAllMinorsRecycled', 'FileVersionsAllRecycled', 'FileVersionRecycled', 'FileRestored', 'FileUploaded', 'PageViewed', 'PageViewedExtended', 'ClientViewSignaled', 'PagePrefetched', 'FolderCopied', 'FolderCreated', 'FolderDeletedFirstStageRecycleBin', 'FolderDeletedSecondStageRecycleBin', 'FolderRestored', 'InformationBarriersInsightsReportCompleted', 'InformationBarriersInsightsReportOneDriveSectionQueried', 'InformationBarriersInsightsReportSchedule', 'InformationBarriersInsightsReportSharePointSectionQueried', 'updateddeviceconfiguration', 'UpdatedPolicyConfigPriority', 'BackupPolicyActivated', 'RestoreTaskActivated', 'BackupItemAdded', 'BackupItemRemoved', 'RestoreTaskCompleted', 'DraftRestoreTaskCreated', 'NewBackupPolicyCreated', 'DraftRestoreTaskDeleted', 'DraftRestoreTaskEdited', 'BackupPolicyPaused', 'GetBackupItem', 'ViewBackupPolicyDetails', 'GetRestoreTaskDetails', 'ListAllBackupPolicies', 'ListAllBackupItemsInPolicies', 'ListAllBackupItemsInTenant', 'ListAllBackupItemsInWorkload', 'GetAllRestoreArtifactsInTask', 'ListAllRestorePoints', 'ListAllRestoreTasks', 'BackupItemRestoreCompleted', 'BackupItemRestoreTriggered', 'SetAdvancedFeatures', 'RunAntiVirusScan', 'LogsCollection', 'TaggingConfigurationUpdated', 'AlertExcelDownloaded', 'RemediationActionAdded', 'RemediationActionUpdated', 'SensorCreated', 'SensorDeploymentAccessKeyReceived', 'SensorDeploymentAccessKeyUpdated', 'SensorActivationMethodConfigurationUpdated', 'DomainControllerCoverageExcelDownloaded', 'MonitoringAlertUpdated', 'ReportDownloaded', 'AlertNotificationsRecipientAdded', 'MonitoringAlertNotificationRecipientAdded', 'WorkspaceCreated', 'AddCommentToIncident.', 'AssignUserToIncident', 'UpdateIncidentStatus', 'AddTagsToIncident', 'RemoveTagsFromIncident', 'CreateComment', 'CreateForm', 'MoveForm', 'ViewForm', 'PreviewForm', 'ExportForm', 'AllowShareFormForCopy', 'DisallowShareFormForCopy', 'AddFormCoauthor', 'RemoveFormCoauthor', 'ViewRuntimeForm', 'CreateResponse', 'UpdateResponse', 'ViewResponses', 'ViewResponse', 'GetSummaryLink', 'DeleteSummaryLink', 'ProInvitation', 'ListForms', 'SubmitResponse', 'ConnectToExcelWorkbook', 'CollectionCreated', 'CollectionUpdated', 'CollectionHardDeleted', 'CollectionSoftDeleted', 'CollectionRenamed', 'MovedFormIntoCollection', 'MovedFormOutofCollection', 'PlanCopied', 'TaskAssigned', 'TaskCompleted', 'PlanListRead', 'TaskListRead', 'ProjectCreated', 'RoadmapCreated', 'RoadmapItemCreated', 'TaskCreated', 'ProjectListAccessed', 'RoadmapAccessed', 'RoadmapItemAccessed', 'TaskAccessed', 'AuditSearchCreated', 'AuditSearchCompleted', 'AuditSearchCancelled', 'AuditSearchExportJobCreated', 'AuditSearchExportJobCompleted', 'AuditSearchExportResultsDownloaded', 'EntityCreated', 'ClassificationAdded', 'ClassificationDefinitionCreated', 'GlossaryTermAssigned', 'GlossaryTermCreated', 'BotAddedToTeam', 'ChannelAdded', 'ConnectorAdded', 'MeetingDetail', 'MeetingParticipantDetail', 'MemberAdded', 'TabAdded', 'SensitivityLabelApplied', 'SensitivityLabelChanged', 'ChatCreated', 'TeamCreated', 'MessageDeleted', 'MessageEditedHasLink', 'MessagesExported', 'RecordingExported', 'TranscriptsExported', 'FailedValidation', 'ChatRetrieved', 'MessageHostedContentsListed', 'PerformedCardAction', 'MessageSent', 'AINotesUpdate', 'LiveNotesUpdate', 'AppPublishedToCatalog', 'MessageRead', 'InviteeResponded', 'ChannelOwnerResponded', 'MessagesListed', 'MessageCreatedHasLink', 'MessageCreatedNotification', 'MessageDeletedNotification', 'MessageUpdatedNotification', 'InviteSent', 'SubscribedToMessages', 'AppUpdatedInCatalog', 'ChatUpdated', 'MessageUpdated', 'TabUpdated', 'AppUpgraded', 'MessageSent', 'ScheduleGroupAdded', 'ShiftAdded', 'TimeOffAdded', 'OpenShiftAdded', 'ScheduleShared', 'ClockedIn', 'ClockedOut', 'BreakEnded', 'TimeClockEntryAdded', 'RequestAdded', 'RequestRespondedTo', 'WorkforceIntegrationAdded', 'OffShiftDialogAccepted', 'CreateUpdateRequest', 'EditUpdateRequest', 'SubmitUpdate', 'ViewUpdate', 'AcceptedSharingLinkOnFolder', 'FolderSharingLinkShared', 'LinkedEntityCreated', 'SubTaskCreated', 'TaskCreated', 'TaskRead', 'TaskListCreated', 'TaskListRead', 'AccessedOdataLink', 'CanceledQuery', 'DeletedResult', 'DownloadedReport', 'ExecutedQuery', 'UploadedOrgData', 'ViewedExplore', 'QuarantineReleaseRequestDeny', 'QuarantinePreview', 'QuarantineReleaseRequest', 'QuarantineViewHeader', 'UpdateUsageReportsPrivacySetting', 'NewAdaptiveScope', 'NewComplianceTag', 'NewRetentionCompliancePolicy', 'RemoveAdaptiveScope', 'RemoveComplianceTag', 'SetRestrictiveRetentionUI', 'ExchangeDataProactivelyPreserved', 'SharePointDataProactivelyPreserved', 'ListCreated', 'ListColumnCreated', 'ListContentTypeCreated', 'ListItemCreated', 'SiteColumnCreated', 'SiteContentTypeCreated', 'ListContentTypeDeleted', 'SiteColumnDeleted', 'SiteContentTypeDeleted', 'ListItemRecycled', 'ListItemRestored', 'ListColumnUpdated', 'ListContentTypeUpdated', 'SiteColumnUpdated', 'SiteContentTypeUpdated', 'SharingInvitationCreated', 'AccessRequestUpdated', 'SharingInvitationUpdated', 'SharingInvitationRevoked', 'AllowedDataLocationAdded', 'SiteGeoMoveCancelled', 'MigrationJobCompleted', 'SiteGeoMoveCompleted', 'SiteCollectionCreated', 'HubSiteOrphanHubDeleted', 'PreviewModeEnabledSet', 'LegacyWorkflowEnabledSet', 'OfficeOnDemandSet', 'PeopleResultsScopeSet', 'NewsFeedEnabledSet', 'HubSiteJoined', 'SiteCollectionQuotaModified', 'HubSiteRegistered', 'SiteGeoMoveScheduled', 'GeoQuotaAllocated', 'SiteAdminChangeRequest', 'ManagedSyncClientAllowed', 'FileSyncDownloadedFull', 'FileSyncUploadedFull', 'DataShareCreated', 'DataShareDeleted', 'GenerateCopyOfLakeData', 'DownloadCopyOfLakeData', 'SoftDeleteSettingsUpdated', 'CloseConversation', 'OpenConversation', 'MessageCreation', 'MessageDeleted', 'FileDownloaded', 'DataExport', 'ThreadAccessFailure', 'MarkedMessageChanged', 'RemoveCuratedTopic', 'UsagePolicyAcceptance', 'AdminThreadMuted', 'AdminThreadUnmuted', 'FileUpdateDescription', 'MessageUpdated', 'FileVisited', 'ThreadViewed', 'PulseSubmit', 'PulseCreate', 'PulseExtendDeadline', 'PulseInvite', 'PulseCancel', 'PulseShareResults', 'PulseCreateDraft', 'PulseDeleteDraft'].exists_one(v, v == action)"

From 1a226a52952380fb1b24f6a2ef5e6b288b5378ef Mon Sep 17 00:00:00 2001
From: JocLRojas 
Date: Wed, 4 Feb 2026 23:18:03 +0300
Subject: [PATCH 035/105] refactor(sonic_wall-filter): improve the sonic_wall
 filter to correctly parse the new types of events received

---
 filters/sonicwall/sonic_wall.yml | 73 ++++++++++++++++++++++----------
 1 file changed, 50 insertions(+), 23 deletions(-)

diff --git a/filters/sonicwall/sonic_wall.yml b/filters/sonicwall/sonic_wall.yml
index aa685a16b..05ab41c48 100644
--- a/filters/sonicwall/sonic_wall.yml
+++ b/filters/sonicwall/sonic_wall.yml
@@ -1,4 +1,4 @@
-# SonicWall Firewall, version 3.0.1
+# SonicWall Firewall, version 3.2.0
 # Based on docs
 # Support Syslog CEF format
 #
@@ -48,6 +48,30 @@ pipeline:
               pattern: '{{.greedy}}'
           source: raw
 
+      - grok:
+          patterns:
+            - fieldName: log.priority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\='
+            - fieldName: log.device
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant1
+              pattern: '{{.data}}\='
+            - fieldName: log.sn
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant2
+              pattern: '{{.data}}\"'
+            - fieldName: log.dvcTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}{{.space}}{{.time}}'
+            - fieldName: log.irrelevant3
+              pattern: '{{.data}}\='
+            - fieldName: log.srcIp
+              pattern: '{{.ipv4}}'
+            - fieldName: log.msgAll
+              pattern: '{{.greedy}}'
+          source: raw
+
       # ......................................................................#
       # Checking if the log is in CEF format
       #......................................................................#
@@ -70,7 +94,7 @@ pipeline:
             - fieldName: log.cefMsgAll
               pattern: '{{.greedy}}'
           source: log.msgAll
-          where: log.msgAll.contains("CEF:")
+          where: contains("log.msgAll", "CEF:")
 
       - grok:
           patterns:
@@ -85,7 +109,7 @@ pipeline:
             - fieldName: log.cefMsgAll
               pattern: '{{.greedy}}'
           source: log.msgAll
-          where: log.msgAll.contains("CEF:")
+          where: contains("log.msgAll", "CEF:")
 
       #......................................................................#
       # Removing unnecessary characters of the syslogHeader
@@ -317,119 +341,119 @@ pipeline:
           params:
             key: log.groupCategory
             value: 'System'
-          where: safe("log.gcat", "") == "1"
+          where: equals("log.gcat", "1")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'Log'
-          where: safe("log.gcat", "") == "2"
+          where: equals("log.gcat", "2")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'Security Services'
-          where: safe("log.gcat", "") == "3"
+          where: equals("log.gcat", "3")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'Users'
-          where: safe("log.gcat", "") == "4"
+          where: equals("log.gcat", "4")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'Firewall Settings'
-          where: safe("log.gcat", "") == "5"
+          where: equals("log.gcat", "5")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'Network'
-          where: safe("log.gcat", "") == "6"
+          where: equals("log.gcat", "6")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'VPN'
-          where: safe("log.gcat", "") == "7"
+          where: equals("log.gcat", "7")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'High Availability'
-          where: safe("log.gcat", "") == "8"
+          where: equals("log.gcat", "8")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: '3G/4G, Modem, and Module'
-          where: safe("log.gcat", "") == "9"
+          where: equals("log.gcat", "9")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'Firewall'
-          where: safe("log.gcat", "") == "10"
+          where: equals("log.gcat", "10")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'Wireless'
-          where: safe("log.gcat", "") == "11"
+          where: equals("log.gcat", "11")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'VoIP'
-          where: safe("log.gcat", "") == "12"
+          where: equals("log.gcat", "12")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'SSL VPN'
-          where: safe("log.gcat", "") == "13"
+          where: equals("log.gcat", "13")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'Anti-Spam'
-          where: safe("log.gcat", "") == "14"
+          where: equals("log.gcat", "14")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'WAN Acceleration'
-          where: safe("log.gcat", "") == "15"
+          where: equals("log.gcat", "15")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'SD-WAN'
-          where: safe("log.gcat", "") == "16"
+          where: equals("log.gcat", "16")
 
       - add:
           function: 'string'
           params:
             key: log.groupCategory
             value: 'Multi-Tenancy'
-          where: safe("log.gcat", "") == "17"
+          where: equals("log.gcat", "17")
 
       # Adding geolocation to origin.ip
       - dynamic:
@@ -455,19 +479,19 @@ pipeline:
           params:
             key: severity
             value: 'high'
-          where: safe("log.pri", "") in ["0", "1", "2", "3"]
+          where: oneOf("log.pri", ["0", "1", "2", "3"])
       - add:
           function: 'string'
           params:
             key: severity
             value: 'medium'
-          where: safe("log.pri", "") == "4"
+          where: equals("log.pri", "4")
       - add:
           function: 'string'
           params:
             key: severity
             value: 'low'
-          where: safe("log.pri", "") in ["5", "6", "7"]
+          where: oneOf("log.pri", ["5", "6", "7"])
 
       # ..........................................................................#
       # Removing unnuse fields
@@ -475,6 +499,9 @@ pipeline:
       - delete:
           fields:
             - log.irrelevant
+            - log.irrelevant1
+            - log.irrelevant2
+            - log.irrelevant3
             - log.msgAll
             - log.cefMsgAll
             - log.pri

From e5877afeffd891773a4014feb643608d1eafa272 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Wed, 4 Feb 2026 15:06:06 -0600
Subject: [PATCH 036/105] fix: enhance target validation in alert label
 retrieval

Signed-off-by: Manuel Abascal 
---
 .../adversary-alerts-graph/adversary-alerts-graph.component.ts  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/app/data-management/adversary-management/adversary-alerts-graph/adversary-alerts-graph.component.ts b/frontend/src/app/data-management/adversary-management/adversary-alerts-graph/adversary-alerts-graph.component.ts
index 246ec8be7..0753e35fc 100644
--- a/frontend/src/app/data-management/adversary-management/adversary-alerts-graph/adversary-alerts-graph.component.ts
+++ b/frontend/src/app/data-management/adversary-management/adversary-alerts-graph/adversary-alerts-graph.component.ts
@@ -311,7 +311,7 @@ export class AdversaryAlertsGraphComponent implements OnChanges {
   }
 
   private getLabel(alert: UtmAlertType) {
-    if (alert.target) {
+    if (alert.target && Object.keys(alert.target).length > 0) {
       const target: any = alert.target as Side;
       if (target.ip) {
         return target.ip;

From ee7345f25e68242c0b38e068ada2420237bcc879 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Wed, 4 Feb 2026 15:31:53 -0600
Subject: [PATCH 037/105] fix: improve isEmpty checks for alert target and log
 objects

Signed-off-by: Manuel Abascal 
---
 .../alert-host-detail/alert-host-detail.component.ts  | 11 ++++++++++-
 .../alert-view-detail.component.html                  |  2 +-
 .../alert-view-detail/alert-view-detail.component.ts  | 11 ++++++++++-
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-host-detail/alert-host-detail.component.ts b/frontend/src/app/data-management/alert-management/shared/components/alert-host-detail/alert-host-detail.component.ts
index 932e465fc..74a158436 100644
--- a/frontend/src/app/data-management/alert-management/shared/components/alert-host-detail/alert-host-detail.component.ts
+++ b/frontend/src/app/data-management/alert-management/shared/components/alert-host-detail/alert-host-detail.component.ts
@@ -31,9 +31,18 @@ export class AlertHostDetailComponent implements OnInit {
   }
 
   isEmpty(): boolean {
-    return !this.alert || !this.alert[this.type] || Object.keys(this.alert[this.type]).length === 0;
+    const value = this.alert[this.type];
+
+    if (value == null) { return true; }
+
+    if (typeof value !== 'object') { return true; }
+
+    if (Array.isArray(value)) { return value.length === 0; }
+
+    return Object.keys(value).length === 0 && value.constructor === Object;
   }
 
+
   getFields(obj: any, prefix = ''): { id: string; fieldType: UtmFieldType }[] {
     let fields: { id: string, fieldType: UtmFieldType}[] = [];
 
diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-view-detail/alert-view-detail.component.html b/frontend/src/app/data-management/alert-management/shared/components/alert-view-detail/alert-view-detail.component.html
index 01e704b1c..8ce80d2f6 100644
--- a/frontend/src/app/data-management/alert-management/shared/components/alert-view-detail/alert-view-detail.component.html
+++ b/frontend/src/app/data-management/alert-management/shared/components/alert-view-detail/alert-view-detail.component.html
@@ -158,7 +158,7 @@
 
 
     

-      
+      
       
     

   

diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-view-detail/alert-view-detail.component.ts b/frontend/src/app/data-management/alert-management/shared/components/alert-view-detail/alert-view-detail.component.ts
index 2e5ad6098..b87478f4b 100644
--- a/frontend/src/app/data-management/alert-management/shared/components/alert-view-detail/alert-view-detail.component.ts
+++ b/frontend/src/app/data-management/alert-management/shared/components/alert-view-detail/alert-view-detail.component.ts
@@ -161,7 +161,16 @@ export class AlertViewDetailComponent implements OnInit {
     return Object.entries(this.log).length === 0;
   }
 
-  protected readonly ALERT_ADVERSARY_FIELD = ALERT_ADVERSARY_FIELD;
+  isEmpty(obj: any): boolean {
+    if (obj == null) { return true; }
+
+    if (typeof obj !== 'object') { return true; }
+
+    if (Array.isArray(obj)) { return obj.length === 0; }
+
+    return Object.keys(obj).length === 0 && obj.constructor === Object;
+  }
+
 }
 
 export enum AlertDetailTabEnum {

From 2ab8afe5a896af526585e6de04fc4c1dfe4b1a75 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Wed, 4 Feb 2026 16:40:41 -0600
Subject: [PATCH 038/105] feat: update integration filters for Microsoft 365
 and SonicWall

---
 ...60204001_update_filter_o35_integration.xml | 125 ++++
 ...2_update_filter_sonic_wall_integration.xml | 549 ++++++++++++++++++
 .../resources/config/liquibase/master.xml     |   4 +
 3 files changed, 678 insertions(+)
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260204001_update_filter_o35_integration.xml
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260204002_update_filter_sonic_wall_integration.xml

diff --git a/backend/src/main/resources/config/liquibase/changelog/20260204001_update_filter_o35_integration.xml b/backend/src/main/resources/config/liquibase/changelog/20260204001_update_filter_o35_integration.xml
new file mode 100644
index 000000000..a2041510d
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260204001_update_filter_o35_integration.xml
@@ -0,0 +1,125 @@
+
+
+
+    
+        
+            
+        
+    
+
+
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260204002_update_filter_sonic_wall_integration.xml b/backend/src/main/resources/config/liquibase/changelog/20260204002_update_filter_sonic_wall_integration.xml
new file mode 100644
index 000000000..dfa6f5070
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260204002_update_filter_sonic_wall_integration.xml
@@ -0,0 +1,549 @@
+
+
+
+    
+        
+            '
+            - fieldName: log.syslogVersion
+              pattern: '{{.integer}}'
+            - fieldName: log.dvcTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}{{.space}}{{.time}}'
+            - fieldName: log.syslogHost
+              pattern: '{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.word}}\='
+            - fieldName: log.id
+              pattern: '{{.integer}}'
+            - fieldName: log.msgAll
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.dvcTime
+              pattern: '{{.monthName}}{{.space}}{{.monthDay}}{{.space}}{{.time}}'
+            - fieldName: log.srcIp
+              pattern: '{{.ipv4}}'
+            - fieldName: log.msgAll
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.priority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\='
+            - fieldName: log.device
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant1
+              pattern: '{{.data}}\='
+            - fieldName: log.sn
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant2
+              pattern: '{{.data}}\"'
+            - fieldName: log.dvcTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}{{.space}}{{.time}}'
+            - fieldName: log.irrelevant3
+              pattern: '{{.data}}\='
+            - fieldName: log.srcIp
+              pattern: '{{.ipv4}}'
+            - fieldName: log.msgAll
+              pattern: '{{.greedy}}'
+          source: raw
+
+      # ......................................................................#
+      # Checking if the log is in CEF format
+      #......................................................................#
+      # Using grok to parse syslogHeader of the message
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.priority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.syslogVersion
+              pattern: '{{.integer}}'
+            - fieldName: log.dvcTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}{{.space}}{{.time}}'
+            - fieldName: log.syslogHost
+              pattern: '{{.hostname}}'
+            - fieldName: log.formatType
+              pattern: '(CEF:)'
+            - fieldName: log.formatVersion
+              pattern: '(\s)?{{.integer}}'
+            - fieldName: log.cefMsgAll
+              pattern: '{{.greedy}}'
+          source: log.msgAll
+          where: contains("log.msgAll", "CEF:")
+
+      - grok:
+          patterns:
+            - fieldName: log.dvcTime
+              pattern: '((?i)\b(?:jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|jun(?:e)?|jul(?:y)?|aug(?:ust)?|sep(?:tember)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)\b){{.space}}{{.monthDay}}{{.space}}{{.year}}{{.space}}{{.time}}'
+            - fieldName: log.sn
+              pattern: '{{.word}}'
+            - fieldName: log.formatType
+              pattern: '(CEF:)'
+            - fieldName: log.formatVersion
+              pattern: '{{.integer}}'
+            - fieldName: log.cefMsgAll
+              pattern: '{{.greedy}}'
+          source: log.msgAll
+          where: contains("log.msgAll", "CEF:")
+
+      #......................................................................#
+      # Removing unnecessary characters of the syslogHeader
+      #......................................................................#
+      - trim:
+          function: prefix
+          substring: "<"
+          fields:
+            - log.priority
+      - trim:
+          function: suffix
+          substring: ">"
+          fields:
+            - log.priority
+      - trim:
+          function: suffix
+          substring: ":"
+          fields:
+            - log.formatType
+
+      #......................................................................#
+      # Using grok to parse CEF fields
+      #......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.dvcVendor
+              pattern: '\|{{.data}}\|'
+            - fieldName: log.dvcProduct
+              pattern: '{{.data}}\|'
+            - fieldName: log.dvcVersion
+              pattern: '{{.data}}\|'
+            - fieldName: log.eventId
+              pattern: '{{.data}}\|'
+            - fieldName: log.eventName
+              pattern: '{{.data}}\|'
+            - fieldName: log.severity
+              pattern: '{{.data}}\|'
+            - fieldName: log.msgAll
+              pattern: '{{.greedy}}'
+          source: log.cefMsgAll
+
+      - trim:
+          function: prefix
+          substring: "|"
+          fields:
+            - log.dvcVendor
+
+      - trim:
+          function: suffix
+          substring: "|"
+          fields:
+            - log.dvcVendor
+            - log.dvcProduct
+            - log.dvcVersion
+            - log.eventId
+            - log.eventName
+            - log.severity
+
+      # Using grok to extract values with spaces in fields
+      - grok:
+          patterns:
+            - fieldName: log.trash
+              pattern: '{{.data}}msg='
+            - fieldName: log.message
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.trash2
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.trash1
+              pattern: '{{.data}}ipscat='
+            - fieldName: log.ipscat1
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.trash3
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.trash4
+              pattern: '{{.data}}cs6='
+            - fieldName: log.cs61
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.trash5
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.trash6
+              pattern: '{{.data}}rule='
+            - fieldName: log.rule1
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.trash7
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.trash8
+              pattern: '{{.data}}Category='
+            - fieldName: log.category1
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.trash9
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.trash10
+              pattern: '{{.data}}note='
+            - fieldName: log.note1
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.trash11
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - trim:
+          function: prefix
+          substring: '"'
+          fields:
+            - log.message
+            - log.note1
+            - log.ipscat1
+            - log.cs61
+            - log.rule1
+            - log.category1
+            - log.fwaction
+
+      - trim:
+          function: suffix
+          substring: '"'
+          fields:
+            - log.message
+            - log.note1
+            - log.ipscat1
+            - log.cs61
+            - log.rule1
+            - log.category1
+            - log.fwaction
+
+      #......................................................................#
+      # Using kv to parse msgAll components from syslog format only
+      #......................................................................#
+      - kv:
+          fieldSplit: " "
+          valueSplit: "="
+          source: log.msgAll
+
+      # ................................................#
+      # Rename fields
+      # ................................................#
+      - rename:
+          from:
+            - log.dst
+          to: target.ip
+      - rename:
+          from:
+            - log.dstname
+          to: target.host
+      - rename:
+          from:
+            - log.proto
+          to: protocol
+      - rename:
+          from:
+            - log.src
+          to: origin.ip
+      - rename:
+          from:
+            - log.fwaction
+          to: action
+      - rename:
+          from:
+            - log.dstMac
+          to: target.mac
+      - rename:
+          from:
+            - log.srcMac
+          to: origin.mac
+      - rename:
+          from:
+            - log.dmac
+          to: target.mac
+      - rename:
+          from:
+            - log.smac
+          to: origin.mac
+      - rename:
+          from:
+            - log.message
+          to: log.msg
+      - rename:
+          from:
+            - log.note1
+          to: log.note
+      - rename:
+          from:
+            - log.ipscat1
+          to: log.ipscat
+      - rename:
+          from:
+            - log.cs61
+          to: log.cs6
+      - rename:
+          from:
+            - log.rule1
+          to: log.rule
+      - rename:
+          from:
+            - log.category1
+          to: log.category
+
+      # .......................................................................#
+      # Fields conversions
+      # .......................................................................#
+      - cast:
+          fields:
+            - log.gcat
+          to: string
+
+      #......................................................................#
+      # Define Syslog Group Category (gcat) Values
+      #......................................................................#
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'System'
+          where: equals("log.gcat", "1")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'Log'
+          where: equals("log.gcat", "2")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'Security Services'
+          where: equals("log.gcat", "3")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'Users'
+          where: equals("log.gcat", "4")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'Firewall Settings'
+          where: equals("log.gcat", "5")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'Network'
+          where: equals("log.gcat", "6")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'VPN'
+          where: equals("log.gcat", "7")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'High Availability'
+          where: equals("log.gcat", "8")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: '3G/4G, Modem, and Module'
+          where: equals("log.gcat", "9")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'Firewall'
+          where: equals("log.gcat", "10")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'Wireless'
+          where: equals("log.gcat", "11")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'VoIP'
+          where: equals("log.gcat", "12")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'SSL VPN'
+          where: equals("log.gcat", "13")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'Anti-Spam'
+          where: equals("log.gcat", "14")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'WAN Acceleration'
+          where: equals("log.gcat", "15")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'SD-WAN'
+          where: equals("log.gcat", "16")
+
+      - add:
+          function: 'string'
+          params:
+            key: log.groupCategory
+            value: 'Multi-Tenancy'
+          where: equals("log.gcat", "17")
+
+      # Adding geolocation to origin.ip
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: origin.ip
+            destination: origin.geolocation
+          where: exists("origin.ip")
+
+      # Adding geolocation to target.ip
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: target.ip
+            destination: target.geolocation
+          where: exists("target.ip")
+
+      # .......................................................................#
+      # Adding severity based on log.pri
+      # .......................................................................#
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'high'
+          where: oneOf("log.pri", ["0", "1", "2", "3"])
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'medium'
+          where: equals("log.pri", "4")
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'low'
+          where: oneOf("log.pri", ["5", "6", "7"])
+
+      # ..........................................................................#
+      # Removing unnuse fields
+      #.........................................................................#
+      - delete:
+          fields:
+            - log.irrelevant
+            - log.irrelevant1
+            - log.irrelevant2
+            - log.irrelevant3
+            - log.msgAll
+            - log.cefMsgAll
+            - log.pri
+            - log.gcat
+            - log.message
+            - log.note1
+            - log.ipscat1
+            - log.cs61
+            - log.rule1
+            - log.category1
+            - log.trash
+            - log.trash1
+            - log.trash2
+            - log.trash3
+            - log.trash4
+            - log.trash5
+            - log.trash6
+            - log.trash7
+            - log.trash8
+            - log.trash9
+            - log.trash10
+            - log.trash11
+
+$$
+
+            WHERE id=1511
+
+            ]]>
+        
+    
+
+
diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml
index 41ed68e30..4c4d002ff 100644
--- a/backend/src/main/resources/config/liquibase/master.xml
+++ b/backend/src/main/resources/config/liquibase/master.xml
@@ -331,6 +331,10 @@
 
     
 
+    
+
+    
+
 
 
 

From 5f02b0beae833377c95097dc53af4e58697f7793 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Thu, 5 Feb 2026 10:32:06 -0600
Subject: [PATCH 039/105] feat: add error handling and response mapping for
 module configuration validation

---
 .../config/RestTemplateConfiguration.java     |  3 +-
 .../impl/ModuleConfigurationValidator.java    |  3 +-
 .../ModuleConfigurationValidationService.java | 76 ++++++++++++-------
 .../dto/application_modules/CSError.java      |  9 +++
 .../service/dto/application_modules/Meta.java |  9 +++
 .../ModuleConfigValidationErrorMapper.java    | 25 ++++++
 .../ModuleConfigValidationErrorResponse.java  | 13 ++++
 .../rest_template/RestTemplateService.java    |  4 +
 8 files changed, 111 insertions(+), 31 deletions(-)
 create mode 100644 backend/src/main/java/com/park/utmstack/service/dto/application_modules/CSError.java
 create mode 100644 backend/src/main/java/com/park/utmstack/service/dto/application_modules/Meta.java
 create mode 100644 backend/src/main/java/com/park/utmstack/service/dto/application_modules/ModuleConfigValidationErrorMapper.java
 create mode 100644 backend/src/main/java/com/park/utmstack/service/dto/application_modules/ModuleConfigValidationErrorResponse.java

diff --git a/backend/src/main/java/com/park/utmstack/config/RestTemplateConfiguration.java b/backend/src/main/java/com/park/utmstack/config/RestTemplateConfiguration.java
index 5af8523ff..b08dc1764 100644
--- a/backend/src/main/java/com/park/utmstack/config/RestTemplateConfiguration.java
+++ b/backend/src/main/java/com/park/utmstack/config/RestTemplateConfiguration.java
@@ -5,6 +5,7 @@
 import org.apache.http.conn.ssl.TrustStrategy;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
+import org.jetbrains.annotations.NotNull;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.annotation.Bean;
@@ -44,7 +45,7 @@ public RestTemplate rawRestTemplate() {
         RestTemplate rest = new RestTemplate();
         rest.setErrorHandler(new DefaultResponseErrorHandler() {
             @Override
-            public boolean hasError(ClientHttpResponse response) {
+            public boolean hasError(@NotNull ClientHttpResponse response) {
                 return false;
             }
         });
diff --git a/backend/src/main/java/com/park/utmstack/domain/application_modules/validators/impl/ModuleConfigurationValidator.java b/backend/src/main/java/com/park/utmstack/domain/application_modules/validators/impl/ModuleConfigurationValidator.java
index 63811ffdd..0bdfb8e36 100644
--- a/backend/src/main/java/com/park/utmstack/domain/application_modules/validators/impl/ModuleConfigurationValidator.java
+++ b/backend/src/main/java/com/park/utmstack/domain/application_modules/validators/impl/ModuleConfigurationValidator.java
@@ -32,8 +32,7 @@ public boolean isValid(GroupConfigurationDTO dto, ConstraintValidatorContext con
             return module.validateConfiguration(utmModule, dto.getKeys());
         } catch (Exception e) {
             context.disableDefaultConstraintViolation();
-            context.buildConstraintViolationWithTemplate("Invalid configuration for selected module.")
-                    .addPropertyNode("keys")
+            context.buildConstraintViolationWithTemplate(e.getMessage())
                     .addConstraintViolation();
             return false;
         }
diff --git a/backend/src/main/java/com/park/utmstack/service/application_modules/connectors/ModuleConfigurationValidationService.java b/backend/src/main/java/com/park/utmstack/service/application_modules/connectors/ModuleConfigurationValidationService.java
index 9c9ca1124..c34c15cbc 100644
--- a/backend/src/main/java/com/park/utmstack/service/application_modules/connectors/ModuleConfigurationValidationService.java
+++ b/backend/src/main/java/com/park/utmstack/service/application_modules/connectors/ModuleConfigurationValidationService.java
@@ -1,6 +1,9 @@
 package com.park.utmstack.service.application_modules.connectors;
 
+import com.fasterxml.jackson.databind.JsonNode;
 import com.park.utmstack.config.Constants;
+import com.park.utmstack.service.dto.application_modules.ModuleConfigValidationErrorMapper;
+import com.park.utmstack.service.dto.application_modules.ModuleConfigValidationErrorResponse;
 import com.park.utmstack.service.dto.application_modules.UtmModuleGroupConfWrapperDTO;
 import com.park.utmstack.service.web_clients.rest_template.RestTemplateService;
 import com.park.utmstack.util.exceptions.ApiException;
@@ -24,44 +27,61 @@ public class ModuleConfigurationValidationService {
 
     public boolean validateModuleConfiguration(String module, UtmModuleGroupConfWrapperDTO configurations) {
         final String ctx = CLASSNAME + ".ModuleConfigurationValidationService";
+
         HttpHeaders headers = new HttpHeaders();
         headers.add("Content-Type", "application/json");
         headers.add("Accept", "*/*");
         headers.set(Constants.EVENT_PROCESSOR_INTERNAL_KEY_HEADER, System.getenv(Constants.ENV_INTERNAL_KEY));
 
-        String baseUrl = "http://" + System.getenv(Constants.ENV_EVENT_PROCESSOR_HOST)  + ":" + System.getenv(Constants.ENV_EVENT_PROCESSOR_PORT);
+        String baseUrl = "http://" + System.getenv(Constants.ENV_EVENT_PROCESSOR_HOST) + ":" + System.getenv(Constants.ENV_EVENT_PROCESSOR_PORT);
         String endPoint = baseUrl + "/api/v1/modules-config/validate?nameShort=" + module;
-        try{
-            ResponseEntity response = restTemplateService.post(
-                    endPoint,
-                    configurations,
-                    String.class,
-                    headers
-            );
-
-            if (!response.getStatusCode().is2xxSuccessful()) {
-                List errors = response.getHeaders().get("X-UtmStack-error");
-                String errorMessage = (errors != null && !errors.isEmpty())
-                        ? String.join(", ", errors)
-                        : "Unknown error occurred during module configuration validation.";
-
-                log.error("{}: Module configuration validation failed for module: {} with status: {}. Cause: {}",
-                        ctx, module, response.getStatusCode(), errorMessage);
-                throw new ApiException(
-                        String.format("Module configuration validation failed for module: %s. Cause: %s", module, errorMessage),
-                        response.getStatusCode()
-                );
+
+        ResponseEntity response = restTemplateService.postRaw(
+                endPoint,
+                configurations,
+                JsonNode.class,
+                headers
+        );
+
+        JsonNode body = response.getBody();
+
+        if (response.getStatusCode().is2xxSuccessful() && body != null && body.has("status")) {
+            return true;
+        }
+
+        if (body != null && body.has("error")) {
+            String errorText = body.get("error").asText();
+
+            if (errorText.contains("{\"meta\"")) {
+                ModuleConfigValidationErrorResponse structured = ModuleConfigValidationErrorMapper.parse(errorText);
+
+                if (structured != null) {
+                    String traceId = structured.getMeta().getTraceId();
+                    String message = structured.getErrors().get(0).getMessage();
+
+                    log.error("{}: External provider validation failed for module {}. TraceId: {}. Message: {}",
+                            ctx, module, traceId, message);
+
+                    throw new ApiException(
+                            "External provider validation failed: " + message + " (traceId=" + traceId + ")",
+                            HttpStatus.UNAUTHORIZED
+                    );
+                }
             }
 
-            return  true;
+            log.error("{}: Module configuration validation failed for module {}. Cause: {}",
+                    ctx, module, errorText);
 
-        } catch (ApiException e) {
-            throw e;
-        } catch (Exception e) {
-            log.error("{}: An error occurred while validating module configuration for module: {}. Cause: {}",
-                    ctx, module, e.getMessage(), e);
-            throw new ApiException("An error occurred while validating module configuration", HttpStatus.INTERNAL_SERVER_ERROR);
+            throw new ApiException(errorText, HttpStatus.BAD_REQUEST);
         }
+
+        log.error("{}: Unexpected response validating module {}.", ctx, module);
+        throw new ApiException(
+                String.format("%s: Unexpected response validating module %s.", ctx, module),
+                HttpStatus.INTERNAL_SERVER_ERROR
+        );
     }
+
+
 }
 
diff --git a/backend/src/main/java/com/park/utmstack/service/dto/application_modules/CSError.java b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/CSError.java
new file mode 100644
index 000000000..901eab291
--- /dev/null
+++ b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/CSError.java
@@ -0,0 +1,9 @@
+package com.park.utmstack.service.dto.application_modules;
+
+import lombok.Data;
+
+@Data
+public class CSError {
+    private int code;
+    private String message;
+}
diff --git a/backend/src/main/java/com/park/utmstack/service/dto/application_modules/Meta.java b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/Meta.java
new file mode 100644
index 000000000..940645656
--- /dev/null
+++ b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/Meta.java
@@ -0,0 +1,9 @@
+package com.park.utmstack.service.dto.application_modules;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Data;
+
+@Data
+public class Meta {
+    @JsonProperty("trace_id") private String traceId;
+}
diff --git a/backend/src/main/java/com/park/utmstack/service/dto/application_modules/ModuleConfigValidationErrorMapper.java b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/ModuleConfigValidationErrorMapper.java
new file mode 100644
index 000000000..9ec10ea1d
--- /dev/null
+++ b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/ModuleConfigValidationErrorMapper.java
@@ -0,0 +1,25 @@
+package com.park.utmstack.service.dto.application_modules;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+public class ModuleConfigValidationErrorMapper {
+
+    private static final ObjectMapper mapper = new ObjectMapper();
+
+    public static ModuleConfigValidationErrorResponse parse(String errorText) {
+        try {
+            ObjectMapper mapper = new ObjectMapper();
+
+            int start = errorText.indexOf("{\"meta\"");
+            if (start == -1) return null;
+
+            String innerJson = errorText.substring(start);
+
+            return mapper.readValue(innerJson, ModuleConfigValidationErrorResponse.class);
+
+        } catch (Exception e) {
+            return null;
+        }
+    }
+
+}
diff --git a/backend/src/main/java/com/park/utmstack/service/dto/application_modules/ModuleConfigValidationErrorResponse.java b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/ModuleConfigValidationErrorResponse.java
new file mode 100644
index 000000000..eb7fa8604
--- /dev/null
+++ b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/ModuleConfigValidationErrorResponse.java
@@ -0,0 +1,13 @@
+package com.park.utmstack.service.dto.application_modules;
+
+import lombok.Data;
+
+import java.util.List;
+
+@Data
+public class ModuleConfigValidationErrorResponse {
+    private Meta meta;
+    private List errors;
+}
+
+
diff --git a/backend/src/main/java/com/park/utmstack/service/web_clients/rest_template/RestTemplateService.java b/backend/src/main/java/com/park/utmstack/service/web_clients/rest_template/RestTemplateService.java
index 3cdbfa5be..233249c3b 100644
--- a/backend/src/main/java/com/park/utmstack/service/web_clients/rest_template/RestTemplateService.java
+++ b/backend/src/main/java/com/park/utmstack/service/web_clients/rest_template/RestTemplateService.java
@@ -54,6 +54,10 @@ public  ResponseEntity getRaw(String url, Class type) {
         return rawRestTemplate.exchange(url, HttpMethod.GET, requestEntity, type);
     }
 
+    public  ResponseEntity postRaw(String url, T body, Class type, HttpHeaders headers) {
+        HttpEntity requestEntity = new HttpEntity<>(body, headers);
+        return rawRestTemplate.exchange(url, HttpMethod.POST, requestEntity, type);
+    }
 
     public  ResponseEntity get(String url, Class type, HttpHeaders headers) throws Exception {
         final String ctx = CLASSNAME + ".get";

From a2ca1a605c5c68237c9664f254e6abca402c63d1 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Thu, 5 Feb 2026 11:30:59 -0600
Subject: [PATCH 040/105] fix: add property node to constraint violation for
 better error reporting in module configuration validation

---
 .../validators/impl/ModuleConfigurationValidator.java            | 1 +
 1 file changed, 1 insertion(+)

diff --git a/backend/src/main/java/com/park/utmstack/domain/application_modules/validators/impl/ModuleConfigurationValidator.java b/backend/src/main/java/com/park/utmstack/domain/application_modules/validators/impl/ModuleConfigurationValidator.java
index 0bdfb8e36..7efc54cb9 100644
--- a/backend/src/main/java/com/park/utmstack/domain/application_modules/validators/impl/ModuleConfigurationValidator.java
+++ b/backend/src/main/java/com/park/utmstack/domain/application_modules/validators/impl/ModuleConfigurationValidator.java
@@ -33,6 +33,7 @@ public boolean isValid(GroupConfigurationDTO dto, ConstraintValidatorContext con
         } catch (Exception e) {
             context.disableDefaultConstraintViolation();
             context.buildConstraintViolationWithTemplate(e.getMessage())
+                    .addPropertyNode("keys")
                     .addConstraintViolation();
             return false;
         }

From 1ae95e22763a8ab38f12ba60fd4475932f5b709f Mon Sep 17 00:00:00 2001
From: JocLRojas 
Date: Thu, 5 Feb 2026 21:54:08 +0300
Subject: [PATCH 041/105] fix(crowdstrike-plugin): handle cloud region URL
 parsing to prevent wrong region selection

---
 plugins/crowdstrike/main.go | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/plugins/crowdstrike/main.go b/plugins/crowdstrike/main.go
index 020cd0eff..8ced226be 100644
--- a/plugins/crowdstrike/main.go
+++ b/plugins/crowdstrike/main.go
@@ -129,10 +129,18 @@ func (p *CrowdStrikeProcessor) createClient() (*client.CrowdStrikeAPISpecificati
 			errors.New("client ID or client secret is empty"), map[string]any{"process": "plugin_com.utmstack.crowdstrike"})
 	}
 
+	cloudType, err := extractCloudFromURL(p.Cloud)
+	if err != nil {
+		return nil, catcher.Error("invalid cloud region configuration", err, map[string]any{
+			"process":     "plugin_com.utmstack.crowdstrike",
+			"cloud_value": p.Cloud,
+		})
+	}
+
 	client, err := falcon.NewClient(&falcon.ApiConfig{
 		ClientId:     p.ClientID,
 		ClientSecret: p.ClientSecret,
-		Cloud:        falcon.Cloud(p.Cloud),
+		Cloud:        cloudType,
 		Context:      context.Background(),
 	})
 	if err != nil {
@@ -142,6 +150,29 @@ func (p *CrowdStrikeProcessor) createClient() (*client.CrowdStrikeAPISpecificati
 	return client, nil
 }
 
+func extractCloudFromURL(cloudValue string) (falcon.CloudType, error) {
+	trimmed := strings.TrimSpace(cloudValue)
+
+	urlToRegion := map[string]string{
+		"api.crowdstrike.com":            "us-1",
+		"api.us-2.crowdstrike.com":       "us-2",
+		"api.eu-1.crowdstrike.com":       "eu-1",
+		"api.laggar.gcw.crowdstrike.com": "us-gov-1",
+		"api.us-gov-2.crowdstrike.mil":   "us-gov-2",
+	}
+
+	if strings.Contains(trimmed, "://") || strings.Contains(trimmed, ".crowdstrike.") {
+		for host, region := range urlToRegion {
+			if strings.Contains(trimmed, host) {
+				return falcon.CloudValidate(region)
+			}
+		}
+		return 0, fmt.Errorf("unrecognized CrowdStrike URL: %s", trimmed)
+	}
+
+	return falcon.CloudValidate(trimmed)
+}
+
 func (p *CrowdStrikeProcessor) getEvents() ([]string, error) {
 	client, err := p.createClient()
 	if err != nil {

From 7bf9918cc99eabd06838d2912f9187588cb660e9 Mon Sep 17 00:00:00 2001
From: JocLRojas 
Date: Thu, 5 Feb 2026 21:55:02 +0300
Subject: [PATCH 042/105] fix(modules-config): add cloud region URL parsing for
 CrowdStrike configuration

---
 .../modules-config/validations/crowdstrike.go | 31 ++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/plugins/modules-config/validations/crowdstrike.go b/plugins/modules-config/validations/crowdstrike.go
index 5d02d7816..9eb684098 100644
--- a/plugins/modules-config/validations/crowdstrike.go
+++ b/plugins/modules-config/validations/crowdstrike.go
@@ -3,6 +3,7 @@ package validations
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/crowdstrike/gofalcon/falcon"
@@ -43,10 +44,15 @@ func ValidateCrowdstrikeConfig(config *config.ModuleGroup) error {
 		return fmt.Errorf("App Name is required in CROWDSTRIKE configuration")
 	}
 
+	cloudType, err := extractCloudFromURL(cloud)
+	if err != nil {
+		return fmt.Errorf("invalid cloud region configuration: %w", err)
+	}
+
 	client, err := falcon.NewClient(&falcon.ApiConfig{
 		ClientId:     clientID,
 		ClientSecret: clientSecret,
-		Cloud:        falcon.Cloud(cloud),
+		Cloud:        cloudType,
 		Context:      context.Background(),
 	})
 	if err != nil {
@@ -74,3 +80,26 @@ func ValidateCrowdstrikeConfig(config *config.ModuleGroup) error {
 
 	return nil
 }
+
+func extractCloudFromURL(cloudValue string) (falcon.CloudType, error) {
+	trimmed := strings.TrimSpace(cloudValue)
+
+	urlToRegion := map[string]string{
+		"api.crowdstrike.com":            "us-1",
+		"api.us-2.crowdstrike.com":       "us-2",
+		"api.eu-1.crowdstrike.com":       "eu-1",
+		"api.laggar.gcw.crowdstrike.com": "us-gov-1",
+		"api.us-gov-2.crowdstrike.mil":   "us-gov-2",
+	}
+
+	if strings.Contains(trimmed, "://") || strings.Contains(trimmed, ".crowdstrike.") {
+		for host, region := range urlToRegion {
+			if strings.Contains(trimmed, host) {
+				return falcon.CloudValidate(region)
+			}
+		}
+		return 0, fmt.Errorf("unrecognized CrowdStrike URL: %s", trimmed)
+	}
+
+	return falcon.CloudValidate(trimmed)
+}

From ac1ffc98727b1c1edb0def2f5e90e6b3bffdf904 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Thu, 5 Feb 2026 14:15:13 -0600
Subject: [PATCH 043/105] refactor(import-rule): enhance step indicators and
 improve rule display logic

Signed-off-by: Manuel Abascal 
---
 .../import-rules/import-rule.component.html   | 209 ++++++++++++++----
 .../import-rules/import-rule.component.ts     | 130 ++++++-----
 2 files changed, 233 insertions(+), 106 deletions(-)

diff --git a/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.html b/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.html
index 44b69acd9..a94bd2fe4 100644
--- a/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.html
+++ b/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.html
@@ -1,80 +1,117 @@
 
+
 

+
   

+
+    
     

       

 
+        
         

           Import
           

+            class="round-indicator"
+            [ngClass]="{
+              'step-success': isCompleted(RULE_FORM.STEP0),
+              'step-active': currentStep === RULE_FORM.STEP0,
+              'step-inactive': currentStep !== RULE_FORM.STEP0 && !isCompleted(RULE_FORM.STEP0)
+            }">
             
           

         

-        

 
+        

 
+        
         

           Review
           

-            
+            
           

         

+
         

 
+        
         

           Import
           

-            
+            
           

         

+
       

     

 
-    

-      

-        

-          Info! 
-          The rule import process requires a valid file with a .yml extension.
+    
+    

+      

+        

+          Info!
+          The rule import process requires a valid .yml file.
         

       

-      
+
+      
       
     

 
-    

+    
+    

+
+      

+        
+      

+
       

 
-        

-          
-        

+        

+
+          
+          

 
-        

+            

 
-          

-            

-              
-                
+              
+                
               
+
               
-                {{ rule.rule.name + ' ' }}
-                ({{ rule.status }} )
+                {{ rule.rule.name }}
+                ({{ rule.status }})
               
             

 
-            

+            

               

                 
                 
@@ -83,46 +120,124 @@
             

 
             

-              

+              

                 
               

             

 
           

 
-          

-            
+          
+          

+
+            
+            
+
+          

+
+        

+
+      

+    

+
+    
+    

+
+      

+        

+          Info!
+          You are about to import {{ validRulesCount() }} valid rule(s).
+        

+      

+
+      

+
+        

+
+          

+
+              
+                
+              
+
+            
+                {{ rule.rule.name }}
+                ({{ rule.status }})
+              
+          

+
+          

+            

+              
+              
+              
+            

           

+
         

+
+
       

     

+
   

-  

-    
 
-    
 
-    
 
-    
 
-    
+
   

+
 

diff --git a/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.ts b/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.ts
index b62592634..6e44b04a5 100644
--- a/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.ts
+++ b/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.ts
@@ -17,6 +17,7 @@ interface RuleList {
     status: Status;
     errors: Record;
     isLoading: boolean;
+    showDetail: boolean;
 }
 
 @Component({
@@ -36,6 +37,8 @@ export class ImportRuleComponent implements OnInit, OnDestroy {
   stepCompleted: number[] = [];
   files = [];
   rules: RuleList[] = [];
+  isImportFinished = false;
+  processedFiles: any[] = [];
 
   constructor(private importRuleService: ImportRuleService,
               private dataTypeService: DataTypeService,
@@ -97,6 +100,8 @@ export class ImportRuleComponent implements OnInit, OnDestroy {
             this.utmToastService.showWarning('Import partially successful', 'Some rules were not saved.');
           }
         }
+
+        this.isImportFinished = true;
       }
     });
   }
@@ -116,72 +121,75 @@ export class ImportRuleComponent implements OnInit, OnDestroy {
   }
 
   validRules() {
-    if (this.files.length > 0) {
-      this.loading = true;
-      const filesWithDataTypes = this.files.map(file => {
-          return {
+    if (this.files.length === 0) {
+      this.mode = 'ERROR';
+      return;
+    }
+
+    this.loading = true;
+
+    const newFiles = this.files.filter(f => !this.processedFiles.includes(f));
+
+    if (newFiles.length === 0) {
+      this.loading = false;
+      return;
+    }
+
+    const filesWithDataTypes = newFiles.map(file => ({
+      ...file,
+      dataTypes: file.dataTypes && file.dataTypes.length ? file.dataTypes : []
+    }));
+
+    forkJoin(
+      filesWithDataTypes.map(file =>
+        forkJoin(
+          file.dataTypes.map((dt: string) =>
+            this.dataTypeService.getAll({ search: dt }).pipe(
+              map(res => res.body.find(d => d.dataType === dt))
+            )
+          )
+        ).pipe(
+          map(filteredDataTypes => ({
+            ...file,
+            confidentiality: file.impact.confidentiality || 0,
+            integrity: file.impact.integrity || 0,
+            availability: file.impact.availability || 0,
+            definition: file.where || '',
+            afterEvents: file.afterEvents || file.correlation || [],
+            dataTypes: filteredDataTypes.filter(dt => !!dt)
+          }))
+        )
+      )
+    )
+      .pipe(finalize(() => (this.loading = false)))
+      .subscribe(updatedFiles => {
+
+        const newRules = updatedFiles.map(file => {
+          const rule: Rule = {
             ...file,
-            dataTypes: file.dataTypes && file.dataTypes.length > 0 ? file.dataTypes : []
+            dataTypes: file.dataTypes.length > 0 ? file.dataTypes : [],
           };
-      });
 
-      // Fetch and filter data types for each file
-      forkJoin(
-          filesWithDataTypes.map(file =>
-            forkJoin(
-              file.dataTypes.map((dt: string) =>
-                this.dataTypeService.getAll({ search: dt })
-                  .pipe(
-                      map(res => {
-                        const dataTypes =  res.body;
-
-                        return dataTypes.find(d => d.dataType === dt);
-                      })
-                  )
-              )
-            ).pipe(
-              map(filteredDataTypes => ({
-                ...file,
-                confidentiality: file.impact.confidentiality || 0,
-                integrity: file.impact.integrity || 0,
-                availability: file.impact.availability || 0,
-                definition: file.where || '',
-                afterEvents: file.afterEvents || file.correlation || [],
-                dataTypes: filteredDataTypes.filter(dt => !!dt)
-              }))
-            ),
-          ),
-        ).pipe(finalize(() => (this.loading = false))).subscribe(updatedFiles => {
-          this.rules = updatedFiles.map(file => {
-            let rule: Rule = {
-                ...file,
-                dataTypes: file.dataTypes.length > 0 ? file.dataTypes : [],
-            };
-            const {isValid, errors} = this.importRuleService.isValidRule(rule);
-
-            Object.keys(rule).forEach(key => {
-              if (rule[key] === null) {
-                rule = {[key]: null, ...rule};
-              }
-            });
-
-            return {
-              rule,
-              valid: isValid,
-              status: isValid ? ('valid' as Status) : ('error' as Status),
-              isLoading: false,
-              errors
-            };
-
-          });
+          const { isValid, errors } = this.importRuleService.isValidRule(rule);
+
+          return {
+            rule,
+            valid: isValid,
+            status: isValid ? ('valid' as Status) : ('error' as Status),
+            isLoading: false,
+            errors,
+            showDetail: false
+          };
         });
-    } else {
-      this.mode = 'ERROR';
-    }
+
+        this.rules = [...this.rules, ...newRules];
+        this.processedFiles.push(...newFiles);
+      });
   }
 
 
 
+
   back() {
     this.stepCompleted.pop();
     switch (this.currentStep) {
@@ -205,7 +213,7 @@ export class ImportRuleComponent implements OnInit, OnDestroy {
     this.rules.splice(i, 1);
   }
 
-  showRule(rule: Rule) {
+  showRule(rule: RuleList) {
     rule.showDetail = !rule.showDetail;
   }
 
@@ -213,6 +221,10 @@ export class ImportRuleComponent implements OnInit, OnDestroy {
     this.activeModal.close(true);
   }
 
+  validRulesCount() {
+    return this.rules.filter(r => r.valid).length;
+  }
+
   ngOnDestroy() {
     this.dataTypeService.resetTypes();
   }

From 2e5e6bcc621c81a4b87c1c0fe9a5e845a6af8c5e Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Thu, 5 Feb 2026 14:28:42 -0600
Subject: [PATCH 044/105] refactor(import-rule): enhance step indicators and
 improve rule display logic

Signed-off-by: Manuel Abascal 
---
 .../components/import-rules/import-rule.component.html | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.html b/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.html
index a94bd2fe4..0665d74b3 100644
--- a/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.html
+++ b/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.html
@@ -106,6 +106,7 @@
               
 
               
+                
                 {{ rule.rule.name }}
                 ({{ rule.status }})
               
@@ -113,8 +114,7 @@
 
             

               

-                
-                
+                
                 
               

             

@@ -176,6 +176,7 @@
               
 
             
+               
                 {{ rule.rule.name }}
                 ({{ rule.status }})
               
@@ -183,8 +184,7 @@
 
           

             

-              
-              
+              
               
             

           

@@ -218,7 +218,7 @@
     
     

From baa72bebe37210fe06a8af5cb61a4bf87675d1ed Mon Sep 17 00:00:00 2001
From: JocLRojas 
Date: Fri, 6 Feb 2026 19:00:18 +0300
Subject: [PATCH 045/105] feat(netflow-filter): enhance Netflow log parsing
 capabilities

---
 filters/netflow/netflow.yml | 186 ++++++++++++++++++++++++++++++++++--
 1 file changed, 177 insertions(+), 9 deletions(-)

diff --git a/filters/netflow/netflow.yml b/filters/netflow/netflow.yml
index ce2266623..7fecd53fe 100644
--- a/filters/netflow/netflow.yml
+++ b/filters/netflow/netflow.yml
@@ -1,4 +1,4 @@
-# Netflow firewall module filter, version 3.0.1
+# Netflow firewall module filter, version 3.1.0
 # Based in docs and Netflow Generator (Solarwinds) for send log
 # 
 # Documentations
@@ -44,6 +44,103 @@ pipeline:
               pattern: '{{.word}}(=)'
           source: log.msg
 
+      # Using grok to parse fields that have issues with kv filter
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}bytes="['
+            - fieldName: log.totalBytes
+              pattern: '{{.data}}]"'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant1
+              pattern: '{{.data}}packets="['
+            - fieldName: log.totalPackets
+              pattern: '{{.data}}]"'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant2
+              pattern: '{{.data}}inEth="['
+            - fieldName: log.inEthernet
+              pattern: '{{.data}}]"'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant3
+              pattern: '{{.data}}outEth="['
+            - fieldName: log.outEthernet
+              pattern: '{{.data}}]"'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant4
+              pattern: '{{.data}}proto="/['
+            - fieldName: protocol
+              pattern: '{{.data}}]"'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant5
+              pattern: '{{.data}}srcPort="['
+            - fieldName: log.srcPortg
+              pattern: '{{.data}}]"'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant6
+              pattern: '{{.data}}dstPort="['
+            - fieldName: log.dstPortg
+              pattern: '{{.data}}]"'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant7
+              pattern: '{{.data}}dstMask="['
+            - fieldName: log.destMask
+              pattern: '{{.data}}]"'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant8
+              pattern: '{{.data}}srcMask="['
+            - fieldName: log.sourceMask
+              pattern: '{{.data}}]"'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant9
+              pattern: '{{.data}}tcpFlags="['
+            - fieldName: log.tcpFlgs
+              pattern: '{{.data}}]"'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant10
+              pattern: '{{.data}}dstAs="['
+            - fieldName: log.destAs
+              pattern: '{{.data}}]"'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant11
+              pattern: '{{.data}}srcAs="['
+            - fieldName: log.sourceAs
+              pattern: '{{.data}}]"'
+          source: raw
+
       # Rename filds
       - rename:
           from:
@@ -63,11 +160,7 @@ pipeline:
           to: target.ip
       - rename:
           from:
-            - log.proto
-          to: protocol
-      - rename:
-          from:
-            - log.srcPort
+            - log.srcPortg
           to: origin.port
       - rename:
           from:
@@ -75,8 +168,8 @@ pipeline:
           to: origin.port
       - rename:
           from:
-            - log.dstPort
-          to: taget.port
+            - log.dstPortg
+          to: target.port
       - rename:
           from:
             - log.dest_port
@@ -88,6 +181,55 @@ pipeline:
           fields:
             - origin.port
             - target.port
+              
+      # Removing unused caracters
+      - trim:
+          function: prefix
+          substring: '"'
+          fields:
+            - log.bytesIn
+            - log.bytesOut
+            - log.exporter
+            - log.first
+            - log.last
+            - log.nextHop
+            - log.packetsIn
+            - log.packetsOut
+            - log.version
+            - target.ip
+            - origin.ip
+      - trim:
+          function: suffix
+          substring: '"'
+          fields:
+            - log.bytesIn
+            - log.bytesOut
+            - log.exporter
+            - log.first
+            - log.last
+            - log.nextHop
+            - log.packetsIn
+            - log.packetsOut
+            - log.version
+            - target.ip
+            - origin.ip
+
+      - trim:
+          function: suffix
+          substring: ']"'
+          fields:
+            - log.totalBytes
+            - log.totalPackets
+            - log.inEthernet
+            - log.outEthernet
+            - protocol
+            - origin.port
+            - target.port
+            - log.destMask
+            - log.sourceMask
+            - log.tcpFlgs
+            - log.destAs
+            - log.sourceAs
 
       # Adding geolocation to origin.ip
       - dynamic:
@@ -103,4 +245,30 @@ pipeline:
           params:
             source: target.ip
             destination: target.geolocation
-          where: exists("target.ip")
\ No newline at end of file
+          where: exists("target.ip")
+                    
+      # Removing unused fields
+      - delete:
+          fields:
+            - log.bytes
+            - log.packets
+            - log.inEth
+            - log.outEth
+            - log.srcPort
+            - log.dstMask
+            - log.srcMask
+            - log.tcpFlags
+            - log.dstAs
+            - log.srcAs
+            - log.irrelevant
+            - log.irrelevant1
+            - log.irrelevant2
+            - log.irrelevant3
+            - log.irrelevant4
+            - log.irrelevant5
+            - log.irrelevant6
+            - log.irrelevant7
+            - log.irrelevant8
+            - log.irrelevant9
+            - log.irrelevant10
+            - log.irrelevant11
\ No newline at end of file

From 67a33ff7ca536d6b8bb0c2720213bc9afa45269d Mon Sep 17 00:00:00 2001
From: JocLRojas 
Date: Fri, 6 Feb 2026 19:01:36 +0300
Subject: [PATCH 046/105] feat(VMware-filter): enhance VMware log parsing
 capabilities

---
 filters/vmware/vmware-esxi.yml | 49 ++++++++++++++++++++++++++++++++--
 1 file changed, 47 insertions(+), 2 deletions(-)

diff --git a/filters/vmware/vmware-esxi.yml b/filters/vmware/vmware-esxi.yml
index a689943af..7c533dd72 100644
--- a/filters/vmware/vmware-esxi.yml
+++ b/filters/vmware/vmware-esxi.yml
@@ -1,4 +1,4 @@
-# VMWare-ESXi, version 3.0.0
+# VMWare-ESXi, version 3.0.1
 # 
 # Based on docs and real logs provided
 # Support VMWare-ESXi log
@@ -48,6 +48,33 @@ pipeline:
               pattern: '\[{{.data}}\]:'
             - fieldName: log.message
               pattern: '{{.greedy}}'
+
+      - grok:
+          patterns:
+            - fieldName: log.priority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.deviceTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}T{{.time}}Z'
+            - fieldName: origin.hostname
+              pattern: '{{.hostname}}'
+            - fieldName: log.process
+              pattern: '{{.hostname}}'
+            - fieldName: log.pid
+              pattern: '\[{{.data}}\]:'
+            - fieldName: log.originIdComponent
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.message
+              pattern: '{{.greedy}}'
+
+      - grok:
+          patterns:
+            - fieldName: log.moduleIdentifier
+              pattern: '\[{{.data}}\@'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\='
+            - fieldName: log.subModuleIdentifier
+              pattern: '{{.word}}\]'
+          source: log.originIdComponent
               
       # Removing unused caracters
       - trim:
@@ -61,6 +88,12 @@ pipeline:
           fields:
             - log.pid
             - log.eventInfo
+            - log.moduleIdentifier
+      - trim:
+          function: prefix
+          substring: '-'
+          fields:
+            - log.message
       - trim:
           function: suffix
           substring: '>'
@@ -78,8 +111,20 @@ pipeline:
           fields:
             - log.pid
             - log.eventInfo
+            - log.subModuleIdentifier
+      - trim:
+          function: suffix
+          substring: '-'
+          fields:
+            - log.message
+      - trim:
+          function: suffix
+          substring: '@'
+          fields:
+            - log.moduleIdentifier
                     
       # Removing unused fields
       - delete:
           fields:
-            - log.processName
\ No newline at end of file
+            - log.processName
+            - log.irrelevant
\ No newline at end of file

From e7f689266fd047588f7e42fb793d517f0bcb4039 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Fri, 6 Feb 2026 10:57:18 -0600
Subject: [PATCH 047/105] refactor(dashboard): streamline component logic and
 enhance error handling in resolver

Signed-off-by: Manuel Abascal 
---
 .../dashboard-render.component.ts             | 51 +++----------------
 .../services/dashboard-resolver.service.ts    | 17 +++++--
 2 files changed, 21 insertions(+), 47 deletions(-)

diff --git a/frontend/src/app/dashboard/dashboard-render/dashboard-render.component.ts b/frontend/src/app/dashboard/dashboard-render/dashboard-render.component.ts
index f8266ee66..40f49c5bd 100644
--- a/frontend/src/app/dashboard/dashboard-render/dashboard-render.component.ts
+++ b/frontend/src/app/dashboard/dashboard-render/dashboard-render.component.ts
@@ -69,9 +69,7 @@ export class DashboardRenderComponent implements OnInit, OnDestroy, AfterViewIni
               private dashboardBehavior: DashboardBehavior,
               private timeFilterBehavior: TimeFilterBehavior,
               private exportPdfService: ExportPdfService,
-              private spinner: NgxSpinnerService,
-              private refreshService: RefreshService,
-              private router: Router) {
+              private spinner: NgxSpinnerService) {
   }
 
   ngOnInit() {
@@ -82,44 +80,11 @@ export class DashboardRenderComponent implements OnInit, OnDestroy, AfterViewIni
         tap((visualizations) => {
           this.dashboard = this.layoutService.dashboard;
           this.filters = this.dashboard && this.dashboard.filters ? JSON.parse(this.dashboard.filters) : [];
-         /* if (this.dashboard.refreshTime) {
-            console.log(this.dashboard.refreshTime);
-            this.onRefreshTime(this.dashboard.refreshTime);
-          }*/
           this.loadingVisualizations = false;
         }),
         map(data => data.response)
     );
 
-    /*this.activatedRoute.params.subscribe(params => {
-      this.dashboardId = params.id;
-      if (this.dashboardId) {
-        const request = {
-          page: 0,
-          size: 10000,
-          'idDashboard.equals': this.dashboardId,
-          sort: 'order,asc'
-        };
-        this.utmRenderVisualization.query(request).subscribe(response => {
-          this.layoutService.layout = [];
-          this.timeEnable = [];
-          this.visualizationRender = response.body;
-          this.dashboard = this.visualizationRender.length > 0 ? this.visualizationRender[0].dashboard : null;
-          this.filters = this.dashboard.filters ? JSON.parse(this.dashboard.filters) : [];
-          if (this.dashboard.refreshTime) {
-            this.onRefreshTime(this.dashboard.refreshTime);
-          }
-          for (const vis of this.visualizationRender) {
-            if (vis.showTimeFilter) {
-              this.timeEnable.push(vis.visualization.id);
-            }
-            const grid = JSON.parse(vis.gridInfo);
-            this.layoutService.addItem(vis.visualization, grid);
-          }
-          this.loadingVisualizations = false;
-        });
-      }
-    });*/
     this.dashboardBehavior.$filterDashboard.subscribe(dashboardFilter => {
       if (dashboardFilter) {
         mergeParams(dashboardFilter.filter, this.filtersValues).then(newFilters => {
@@ -158,13 +123,6 @@ export class DashboardRenderComponent implements OnInit, OnDestroy, AfterViewIni
     }
   }
 
-  ngOnDestroy(): void {
-    document.body.classList.remove('overflow-hidden');
-    clearInterval(this.interval);
-    this.layoutService.clearLayout();
-    this.dashboardBehavior.$filterDashboard.next(null);
-  }
-
   ngAfterViewInit(): void {
     this.cdr.detectChanges();
   }
@@ -193,5 +151,12 @@ export class DashboardRenderComponent implements OnInit, OnDestroy, AfterViewIni
   trackByFn(index: number, item: { grid: GridsterItem, visualization: VisualizationType }) {
     return item.visualization.id;
   }
+
+  ngOnDestroy(): void {
+    document.body.classList.remove('overflow-hidden');
+    clearInterval(this.interval);
+    this.layoutService.clearLayout();
+    this.dashboardBehavior.$filterDashboard.next(null);
+  }
 }
 
diff --git a/frontend/src/app/dashboard/shared/services/dashboard-resolver.service.ts b/frontend/src/app/dashboard/shared/services/dashboard-resolver.service.ts
index ab7aef481..9d2e46348 100644
--- a/frontend/src/app/dashboard/shared/services/dashboard-resolver.service.ts
+++ b/frontend/src/app/dashboard/shared/services/dashboard-resolver.service.ts
@@ -2,18 +2,20 @@ import {Injectable, Type} from '@angular/core';
 import {ActivatedRouteSnapshot, Resolve, RouterStateSnapshot} from '@angular/router';
 import {GridsterItem} from 'angular-gridster2';
 import {NgxSpinnerService} from 'ngx-spinner';
-import {Observable} from 'rxjs';
-import {map, tap} from 'rxjs/operators';
+import {EMPTY, Observable, of, throwError} from 'rxjs';
+import {catchError, map, tap} from 'rxjs/operators';
 import {VisualizationType} from '../../../shared/chart/types/visualization.type';
 import {RenderLayoutService} from './render-layout.service';
 import {UtmRenderVisualization} from './utm-render-visualization.service';
+import {UtmToastService} from "../../../shared/alert/utm-toast.service";
 
 @Injectable()
 export class DashboardResolverService implements Resolve<{ grid: GridsterItem, visualization: VisualizationType } []> {
 
   constructor(private spinner: NgxSpinnerService,
               private utmRenderVisualization: UtmRenderVisualization,
-              private layoutService: RenderLayoutService) {
+              private layoutService: RenderLayoutService,
+              private toastService: UtmToastService) {
   }
 
   resolve(route: ActivatedRouteSnapshot, state: RouterStateSnapshot):
@@ -42,6 +44,13 @@ export class DashboardResolverService implements Resolve<{ grid: GridsterItem, v
         ),
         tap(() => {
           this.spinner.hide('loadingSpinner');
-        }));
+        }),
+        catchError(error => {
+          this.spinner.hide('loadingSpinner');
+          this.toastService.showError('Error', 'An error occurred while loading the dashboard visualizations.');
+
+          return throwError(() => error);
+        })
+      );
   }
 }

From ed1afc04030e004c6cb840b5d00a9b2bc683eca6 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Fri, 6 Feb 2026 12:31:03 -0600
Subject: [PATCH 048/105] refactor(modals): adjust modal heights and improve
 layout for better responsiveness

Signed-off-by: Manuel Abascal 
---
 .../add-rule/add-rule.component.scss          | 15 ++++++++++++
 .../import-rules/import-rule.component.scss   | 15 ++++++++----
 .../rule-list/rule-list.component.ts          |  2 +-
 .../utm-file-upload.component.html            |  2 +-
 .../utm-file-upload.component.scss            |  9 +++++++
 frontend/src/styles.scss                      | 24 ++++++++++++++++++-
 6 files changed, 60 insertions(+), 7 deletions(-)

diff --git a/frontend/src/app/rule-management/app-rule/components/add-rule/add-rule.component.scss b/frontend/src/app/rule-management/app-rule/components/add-rule/add-rule.component.scss
index 79382b943..0354f0d37 100644
--- a/frontend/src/app/rule-management/app-rule/components/add-rule/add-rule.component.scss
+++ b/frontend/src/app/rule-management/app-rule/components/add-rule/add-rule.component.scss
@@ -135,3 +135,18 @@ fieldset {
   background-color: $success-color !important;
 }
 
+.form-body {
+  min-height: 725px;
+  max-height: 725px;
+  overflow-y: auto!important;
+  overflow-x: hidden!important;
+  flex-grow: 1;
+}
+
+@media screen and (max-height: 867px) {
+  .form-body {
+    min-height: 500px;
+    max-height: 500px;
+  }
+}
+
diff --git a/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.scss b/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.scss
index ac5e8af3c..1a40610a0 100644
--- a/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.scss
+++ b/frontend/src/app/rule-management/app-rule/components/import-rules/import-rule.component.scss
@@ -65,7 +65,7 @@ fieldset {
 
 .form-body {
   min-height: 590px;
-  max-height: 700px;
+  max-height: 615px;
   overflow-y: auto!important;
   overflow-x: hidden!important;
   flex-grow: 1;
@@ -142,7 +142,14 @@ fieldset {
 .step-success {
   background-color: $success-color !important;
 }
-.loader{
-  top:0%;
-  left:0%;
+.loader {
+  top: 0;
+  left: 0;
+}
+
+@media screen and (max-height: 867px) {
+  .form-body {
+    min-height: 500px;
+    max-height: 500px;
+  }
 }
diff --git a/frontend/src/app/rule-management/app-rule/components/rule-list/rule-list.component.ts b/frontend/src/app/rule-management/app-rule/components/rule-list/rule-list.component.ts
index be6a943b6..3cb49ae0b 100644
--- a/frontend/src/app/rule-management/app-rule/components/rule-list/rule-list.component.ts
+++ b/frontend/src/app/rule-management/app-rule/components/rule-list/rule-list.component.ts
@@ -105,7 +105,7 @@ export class RuleListComponent implements OnInit, OnDestroy {
     const modalRef = this.modalService.open(mode === 'ADD' ? AddRuleComponent : ImportRuleComponent, {
       size: 'lg',
       centered: true,
-      windowClass: 'add-rule-modal',
+      windowClass: mode === 'ADD' ? 'add-rule-modal' : 'import-rule-modal',
     });
 
     modalRef.componentInstance.mode = mode;
diff --git a/frontend/src/app/shared/components/utm/util/utm-file-upload/utm-file-upload.component.html b/frontend/src/app/shared/components/utm/util/utm-file-upload/utm-file-upload.component.html
index 755c79a96..e1e8b3a3b 100644
--- a/frontend/src/app/shared/components/utm/util/utm-file-upload/utm-file-upload.component.html
+++ b/frontend/src/app/shared/components/utm/util/utm-file-upload/utm-file-upload.component.html
@@ -10,7 +10,7 @@ 
Drag file or click here to select {{
   
 

 
-

+

   

 
diff --git a/frontend/src/app/shared/components/utm/util/utm-file-upload/utm-file-upload.component.scss b/frontend/src/app/shared/components/utm/util/utm-file-upload/utm-file-upload.component.scss
index e69de29bb..b1d367faa 100644
--- a/frontend/src/app/shared/components/utm/util/utm-file-upload/utm-file-upload.component.scss
+++ b/frontend/src/app/shared/components/utm/util/utm-file-upload/utm-file-upload.component.scss
@@ -0,0 +1,9 @@
+.dropzone-items {
+  height: 250px;
+}
+
+@media screen and (max-height: 967px) {
+  .dropzone-items {
+    height: 120px;
+  }
+}
diff --git a/frontend/src/styles.scss b/frontend/src/styles.scss
index 2faa93b1b..ec84b2497 100644
--- a/frontend/src/styles.scss
+++ b/frontend/src/styles.scss
@@ -635,9 +635,16 @@ app-header {
   border-radius: 0;
 }
 
+.import-rule-modal {
+  .modal-content {
+    max-height: 750px !important;
+    overflow-y: hidden;
+  }
+}
+
 .add-rule-modal {
   .modal-content {
-    max-height: 900px !important;
+    max-height: 850px !important;
     overflow-y: hidden;
   }
 }
@@ -1434,6 +1441,21 @@ app-utm-items-per-page {
   }
 }
 
+@media screen and (max-height: 867px) {
+  .import-rule-modal {
+    .modal-content {
+      max-height: 650px !important;
+    }
+  }
+
+  .add-rule-modal {
+    .modal-content {
+      max-height: 650px !important;
+    }
+  }
+}
+
+
 
 
 

From 3cad800d3a31383f869aeb267dbc1ccc7c787fad Mon Sep 17 00:00:00 2001
From: Osmany Montero 
Date: Fri, 6 Feb 2026 19:38:49 +0000
Subject: [PATCH 049/105] chore(go.mod): upgrade dependencies and adjust index
 method

- Updated `github.com/threatwinds/go-sdk` to v1.1.13.
- Upgraded `google.golang.org/genproto` dependencies to the latest versions.
- Replaced `BuildCurrentIndex` with `BuildCurrentDayIndex` in `IndexDoc`.
---
 plugins/alerts/go.mod  | 6 +++---
 plugins/alerts/go.sum  | 6 ++++++
 plugins/alerts/main.go | 2 +-
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/plugins/alerts/go.mod b/plugins/alerts/go.mod
index 091402ac7..3ec1e0b45 100644
--- a/plugins/alerts/go.mod
+++ b/plugins/alerts/go.mod
@@ -3,7 +3,7 @@ module github.com/utmstack/UTMStack/plugins/alerts
 go 1.25.5
 
 require (
-	github.com/threatwinds/go-sdk v1.1.11
+	github.com/threatwinds/go-sdk v1.1.13
 	github.com/tidwall/gjson v1.18.0
 	google.golang.org/protobuf v1.36.11
 )
@@ -47,8 +47,8 @@ require (
 	golang.org/x/net v0.49.0 // indirect
 	golang.org/x/sys v0.40.0 // indirect
 	golang.org/x/text v0.33.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
 	google.golang.org/grpc v1.78.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
diff --git a/plugins/alerts/go.sum b/plugins/alerts/go.sum
index 52dbfb2d2..9db40e02e 100644
--- a/plugins/alerts/go.sum
+++ b/plugins/alerts/go.sum
@@ -90,6 +90,8 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/threatwinds/go-sdk v1.1.11 h1:3S/sgT9qZaNK+YthSQ5b7D8ucJu70LhQg6yEFSaSqy8=
 github.com/threatwinds/go-sdk v1.1.11/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw=
+github.com/threatwinds/go-sdk v1.1.13 h1:uOKaET5Pvxso+tYSevBiF8n6HP04oY5uf8K9uv+bYGk=
+github.com/threatwinds/go-sdk v1.1.13/go.mod h1:Kfu26gkSZDpNNkPvuQbTAW3dWIQ66pVIrNYW1YBG3Kg=
 github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
 github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
@@ -141,8 +143,12 @@ gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b h1:SGYyueaEovpqmWmtTvwtVgo638V/QFE2zlTCnRrR3jg=
 google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE=
+google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 h1:7ei4lp52gK1uSejlA8AZl5AJjeLUOHBQscRQZUgAcu0=
+google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b h1:GZxXGdFaHX27ZSMHudWc4FokdD+xl8BC2UJm1OVIEzs=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 h1:Jr5R2J6F6qWyzINc+4AM8t5pfUz6beZpHp678GNrMbE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
 google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
 google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
diff --git a/plugins/alerts/main.go b/plugins/alerts/main.go
index 9245d6b53..6ef440ff4 100644
--- a/plugins/alerts/main.go
+++ b/plugins/alerts/main.go
@@ -361,7 +361,7 @@ func newAlert(alert *plugins.Alert, parentId *string) error {
 	for retry := 0; retry < maxRetries; retry++ {
 		cancelableContext, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 
-		err := sdkos.IndexDoc(cancelableContext, a, sdkos.BuildCurrentIndex("v11", "alert"), alert.Id)
+		err := sdkos.IndexDoc(cancelableContext, a, sdkos.BuildCurrentDayIndex("v11", "alert"), alert.Id)
 		if err == nil {
 			cancel()
 			return nil

From 1d89c6ecc5d7a757cb88c29ba1b987f81ab77575 Mon Sep 17 00:00:00 2001
From: Osmany Montero 
Date: Fri, 6 Feb 2026 19:40:04 +0000
Subject: [PATCH 050/105] chore(indexing): replace `BuildCurrentIndex` with
 `BuildCurrentDayIndex` and update dependencies

- Updated `github.com/threatwinds/go-sdk` to v1.1.13.
- Upgraded `google.golang.org/genproto` dependencies to newer versions.
- Adjusted index method in `queue.go` for improved timestamp-based indexing.
---
 plugins/events/go.mod   |  6 +++---
 plugins/events/go.sum   | 12 ++++++------
 plugins/events/queue.go |  2 +-
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/plugins/events/go.mod b/plugins/events/go.mod
index 4c508d248..9f5635523 100644
--- a/plugins/events/go.mod
+++ b/plugins/events/go.mod
@@ -3,7 +3,7 @@ module github.com/utmstack/UTMStack/plugins/events
 go 1.25.5
 
 require (
-	github.com/threatwinds/go-sdk v1.1.10
+	github.com/threatwinds/go-sdk v1.1.13
 	github.com/tidwall/gjson v1.18.0
 )
 
@@ -46,8 +46,8 @@ require (
 	golang.org/x/net v0.49.0 // indirect
 	golang.org/x/sys v0.40.0 // indirect
 	golang.org/x/text v0.33.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
 	google.golang.org/grpc v1.78.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/plugins/events/go.sum b/plugins/events/go.sum
index 0c6ce469a..123356719 100644
--- a/plugins/events/go.sum
+++ b/plugins/events/go.sum
@@ -88,8 +88,8 @@ github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXl
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/threatwinds/go-sdk v1.1.10 h1:joqXa0K8DiiJ135isRi6eOzVTtlPBY2i2yAS2ia2wNU=
-github.com/threatwinds/go-sdk v1.1.10/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw=
+github.com/threatwinds/go-sdk v1.1.13 h1:uOKaET5Pvxso+tYSevBiF8n6HP04oY5uf8K9uv+bYGk=
+github.com/threatwinds/go-sdk v1.1.13/go.mod h1:Kfu26gkSZDpNNkPvuQbTAW3dWIQ66pVIrNYW1YBG3Kg=
 github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
 github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
@@ -139,10 +139,10 @@ golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
 golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b h1:SGYyueaEovpqmWmtTvwtVgo638V/QFE2zlTCnRrR3jg=
-google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b h1:GZxXGdFaHX27ZSMHudWc4FokdD+xl8BC2UJm1OVIEzs=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 h1:7ei4lp52gK1uSejlA8AZl5AJjeLUOHBQscRQZUgAcu0=
+google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 h1:Jr5R2J6F6qWyzINc+4AM8t5pfUz6beZpHp678GNrMbE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
 google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
 google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
diff --git a/plugins/events/queue.go b/plugins/events/queue.go
index 53160949b..c796935d5 100644
--- a/plugins/events/queue.go
+++ b/plugins/events/queue.go
@@ -72,7 +72,7 @@ func startQueue() {
 
 				dataType := gjson.Get(l, "dataType").String()
 				id := gjson.Get(l, "id").String()
-				index := sdkos.BuildCurrentIndex("v11", "log", dataType)
+				index := sdkos.BuildCurrentDayIndex("v11", "log", dataType)
 
 				queue.AddItem(sdkos.BulkItem{
 					Index:      index,

From 1df4b154ed93b440821f09ef796a62e2e8353b9a Mon Sep 17 00:00:00 2001
From: Osmany Montero 
Date: Fri, 6 Feb 2026 19:40:54 +0000
Subject: [PATCH 051/105] chore(go.sum): remove unused dependencies and update
 versions

---
 plugins/alerts/go.sum | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/plugins/alerts/go.sum b/plugins/alerts/go.sum
index 9db40e02e..123356719 100644
--- a/plugins/alerts/go.sum
+++ b/plugins/alerts/go.sum
@@ -88,8 +88,6 @@ github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXl
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/threatwinds/go-sdk v1.1.11 h1:3S/sgT9qZaNK+YthSQ5b7D8ucJu70LhQg6yEFSaSqy8=
-github.com/threatwinds/go-sdk v1.1.11/go.mod h1:N19iqJPaNAoWwZTCuFvV0hIvT0D1jOR1KkKYgAoPLmw=
 github.com/threatwinds/go-sdk v1.1.13 h1:uOKaET5Pvxso+tYSevBiF8n6HP04oY5uf8K9uv+bYGk=
 github.com/threatwinds/go-sdk v1.1.13/go.mod h1:Kfu26gkSZDpNNkPvuQbTAW3dWIQ66pVIrNYW1YBG3Kg=
 github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
@@ -141,12 +139,8 @@ golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
 golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b h1:SGYyueaEovpqmWmtTvwtVgo638V/QFE2zlTCnRrR3jg=
-google.golang.org/genproto/googleapis/api v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE=
 google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 h1:7ei4lp52gK1uSejlA8AZl5AJjeLUOHBQscRQZUgAcu0=
 google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b h1:GZxXGdFaHX27ZSMHudWc4FokdD+xl8BC2UJm1OVIEzs=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260202165425-ce8ad4cf556b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 h1:Jr5R2J6F6qWyzINc+4AM8t5pfUz6beZpHp678GNrMbE=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
 google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=

From d02215b68ffd6088944e4a59b957cbcd138c0463 Mon Sep 17 00:00:00 2001
From: Osmany Montero 
Date: Fri, 6 Feb 2026 19:52:46 +0000
Subject: [PATCH 052/105] chore(alerts): add timestamp-based filtering for the
 last 7 days

---
 plugins/alerts/main.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/plugins/alerts/main.go b/plugins/alerts/main.go
index 6ef440ff4..f7d6a8125 100644
--- a/plugins/alerts/main.go
+++ b/plugins/alerts/main.go
@@ -115,6 +115,9 @@ func isDuplicate(alert *plugins.Alert) bool {
 	// 1. Filter by Name (always)
 	bb.FilterTerm("name", alert.Name)
 
+	bb.FilterRange("@timestamp", "gte", time.Now().UTC().Add(-24*7*time.Hour).Format(time.RFC3339Nano))
+	bb.FilterRange("@timestamp", "lte", time.Now().UTC().Format(time.RFC3339Nano))
+
 	// Compile regex for array index stripping
 	reArrayIndex := regexp.MustCompile(`\.[0-9]+(\.|$)`)
 

From 9ee78981bf30c50750ee502a0d499cf852887951 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Fri, 6 Feb 2026 14:08:35 -0600
Subject: [PATCH 053/105] feat(integration): add VMware and Netflow filter
 updates for enhanced log processing

---
 ...06001_update_filter_vmware_integration.xml | 153 +++++++++
 ...6002_update_filter_netflow_integration.xml | 297 ++++++++++++++++++
 .../resources/config/liquibase/master.xml     |   4 +
 3 files changed, 454 insertions(+)
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260206001_update_filter_vmware_integration.xml
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260206002_update_filter_netflow_integration.xml

diff --git a/backend/src/main/resources/config/liquibase/changelog/20260206001_update_filter_vmware_integration.xml b/backend/src/main/resources/config/liquibase/changelog/20260206001_update_filter_vmware_integration.xml
new file mode 100644
index 000000000..795c8363c
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260206001_update_filter_vmware_integration.xml
@@ -0,0 +1,153 @@
+
+
+
+    
+        
+            '
+            - fieldName: log.deviceTime
+              pattern: '{{.year}}(-){{.monthNumber}}(-){{.monthDay}}(T){{.time}}(Z)'
+            - fieldName: origin.hostname
+              pattern: '{{.hostname}}'
+            - fieldName: log.process
+              pattern: '{{.hostname}}(\:)'
+            - fieldName: severity
+              pattern: '{{.word}}'
+            - fieldName: log.processName
+              pattern: '{{.hostname}}'
+            - fieldName: log.pid
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.eventInfo
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.message
+              pattern: '{{.greedy}}'
+
+      - grok:
+          patterns:
+            - fieldName: log.priority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.deviceTime
+              pattern: '{{.year}}(-){{.monthNumber}}(-){{.monthDay}}(T){{.time}}(Z)'
+            - fieldName: origin.hostname
+              pattern: '{{.hostname}}'
+            - fieldName: log.process
+              pattern: '{{.hostname}}'
+            - fieldName: log.pid
+              pattern: '\[{{.data}}\]:'
+            - fieldName: log.message
+              pattern: '{{.greedy}}'
+
+      - grok:
+          patterns:
+            - fieldName: log.priority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.deviceTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}T{{.time}}Z'
+            - fieldName: origin.hostname
+              pattern: '{{.hostname}}'
+            - fieldName: log.process
+              pattern: '{{.hostname}}'
+            - fieldName: log.pid
+              pattern: '\[{{.data}}\]:'
+            - fieldName: log.originIdComponent
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.message
+              pattern: '{{.greedy}}'
+
+      - grok:
+          patterns:
+            - fieldName: log.moduleIdentifier
+              pattern: '\[{{.data}}\@'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\='
+            - fieldName: log.subModuleIdentifier
+              pattern: '{{.word}}\]'
+          source: log.originIdComponent
+
+      # Removing unused caracters
+      - trim:
+          function: prefix
+          substring: '<'
+          fields:
+            - log.priority
+      - trim:
+          function: prefix
+          substring: '['
+          fields:
+            - log.pid
+            - log.eventInfo
+            - log.moduleIdentifier
+      - trim:
+          function: prefix
+          substring: '-'
+          fields:
+            - log.message
+      - trim:
+          function: suffix
+          substring: '>'
+          fields:
+            - log.priority
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.pid
+            - log.process
+      - trim:
+          function: suffix
+          substring: ']'
+          fields:
+            - log.pid
+            - log.eventInfo
+            - log.subModuleIdentifier
+      - trim:
+          function: suffix
+          substring: '-'
+          fields:
+            - log.message
+      - trim:
+          function: suffix
+          substring: '@'
+          fields:
+            - log.moduleIdentifier
+
+      # Removing unused fields
+      - delete:
+          fields:
+            - log.processName
+            - log.irrelevant
+
+$$
+
+            WHERE id = 1001
+
+            ]]>
+        
+    
+
+
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260206002_update_filter_netflow_integration.xml b/backend/src/main/resources/config/liquibase/changelog/20260206002_update_filter_netflow_integration.xml
new file mode 100644
index 000000000..1a28fef47
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260206002_update_filter_netflow_integration.xml
@@ -0,0 +1,297 @@
+
+
+
+    
+        
+            
+        
+    
+
+
diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml
index 4c4d002ff..e4d0ae96e 100644
--- a/backend/src/main/resources/config/liquibase/master.xml
+++ b/backend/src/main/resources/config/liquibase/master.xml
@@ -335,6 +335,10 @@
 
     
 
+    
+
+    
+
 
 
 

From 19ca2c624900e03e8de72c677bd790f0b87b2d91 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Fri, 6 Feb 2026 14:30:42 -0600
Subject: [PATCH 054/105] feat(integration): add VMware and Netflow filter
 updates for enhanced log processing

---
 .../changelog/20260206002_update_filter_netflow_integration.xml | 2 +-
 backend/src/main/resources/config/liquibase/master.xml          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/src/main/resources/config/liquibase/changelog/20260206002_update_filter_netflow_integration.xml b/backend/src/main/resources/config/liquibase/changelog/20260206002_update_filter_netflow_integration.xml
index 1a28fef47..16de1655f 100644
--- a/backend/src/main/resources/config/liquibase/changelog/20260206002_update_filter_netflow_integration.xml
+++ b/backend/src/main/resources/config/liquibase/changelog/20260206002_update_filter_netflow_integration.xml
@@ -4,7 +4,7 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
 
-    
+    
         
             
 
-    
+    
 
     
 

From b23c9ac15312b1e7d5962662bc8bab91d7bbec5a Mon Sep 17 00:00:00 2001
From: Osmany Montero 
Date: Mon, 9 Feb 2026 11:07:21 +0000
Subject: [PATCH 055/105] refactor: Update filter configurations to use new
 expression functions like `oneOf`, `equals`, and `contains` for conditional
 logic.

---
 filters/antivirus/esmc-eset.yml            |   6 +-
 filters/azure/azure-eventhub.yml           |  20 +-
 filters/cisco/asa.yml                      |  12 +-
 filters/cisco/cs_switch.yml                |   4 +-
 filters/cisco/firepower.yml                | 900 ++++++++++-----------
 filters/cisco/meraki.yml                   | 252 +++---
 filters/crowdstrike/crowdstrike.yml        |  10 +-
 filters/deceptivebytes/deceptive-bytes.yml |   6 +-
 filters/filebeat/apache_module.yml         |  14 +-
 filters/filebeat/elasticsearch_module.yml  |   8 +-
 filters/filebeat/iis_module.yml            |  10 +-
 filters/filebeat/kafka_module.yml          |   6 +-
 filters/filebeat/kibana_module.yml         |   6 +-
 filters/filebeat/logstash_module.yml       |   6 +-
 filters/filebeat/mysql_module.yml          |   6 +-
 filters/filebeat/nginx_module.yml          |  18 +-
 filters/filebeat/redis_module.yml          |   6 +-
 filters/google/gcp.yml                     |  22 +-
 filters/sophos/sophos_xg_firewall.yml      |   2 +-
 filters/suricata/suricata.yml              |  50 +-
 filters/windows/windows-events.yml         | 724 ++++++++---------
 21 files changed, 1044 insertions(+), 1044 deletions(-)

diff --git a/filters/antivirus/esmc-eset.yml b/filters/antivirus/esmc-eset.yml
index 8a6b12f1a..58abdad17 100644
--- a/filters/antivirus/esmc-eset.yml
+++ b/filters/antivirus/esmc-eset.yml
@@ -90,21 +90,21 @@ pipeline:
           params:
             key: severity
             value: 'low'
-          where: safe("log.severity", "") in ["INFO", "Info"]
+          where: oneOf("log.severity", ["INFO", "Info"])
 
       - add:
           function: 'string'
           params:
             key: severity
             value: 'medium'
-          where: safe("log.severity", "") in ["WARNING", "Warning"]
+          where: oneOf("log.severity", ["WARNING", "Warning"])
 
       - add:
           function: 'string'
           params:
             key: severity
             value: 'high'
-          where: safe("log.severity", "") in ["ERROR", "Error"]
+          where: oneOf("log.severity", ["ERROR", "Error"])
 
       # Adding geolocation to origin.ip
       - dynamic:
diff --git a/filters/azure/azure-eventhub.yml b/filters/azure/azure-eventhub.yml
index e1fac0c32..87a7158b4 100644
--- a/filters/azure/azure-eventhub.yml
+++ b/filters/azure/azure-eventhub.yml
@@ -611,19 +611,19 @@ pipeline:
           params:
             key: severity
             value: 'high'
-          where: safe("log.level", "") in ["ERROR", "Error", "FATAL", "CRITICAL", "Critical"]
+          where: oneOf("log.level", ["ERROR", "Error", "FATAL", "CRITICAL", "Critical"])
       - add:
           function: 'string'
           params:
             key: severity
             value: 'medium'
-          where: safe("log.level", "") in ["WARN", "Warning"]
+          where: oneOf("log.level", ["WARN", "Warning"])
       - add:
           function: 'string'
           params:
             key: severity
             value: 'low'
-          where: safe("log.level", "") in ["Information", "Informational", "INFO", "DEBUG", "TRACE"]
+          where: oneOf("log.level", ["Information", "Informational", "INFO", "DEBUG", "TRACE"])
 
       # .......................................................................#
       # Add geolocation to remote.ip
@@ -643,37 +643,37 @@ pipeline:
           params:
             key: action
             value: 'get'
-          where: safe("log.propertiesRequestMethod", "") == "GET"
+          where: equals("log.propertiesRequestMethod", "GET")
       - add:
           function: 'string'
           params:
             key: action
             value: 'post'
-          where: safe("log.propertiesRequestMethod", "") == "POST"
+          where: equals("log.propertiesRequestMethod", "POST")
       - add:
           function: 'string'
           params:
             key: action
             value: 'put'
-          where: safe("log.propertiesRequestMethod", "") == "PUT"
+          where: equals("log.propertiesRequestMethod", "PUT")
       - add:
           function: 'string'
           params:
             key: action
             value: 'delete'
-          where: safe("log.propertiesRequestMethod", "") == "DELETE"
+          where: equals("log.propertiesRequestMethod", "DELETE")
       - add:
           function: 'string'
           params:
             key: action
             value: 'patch'
-          where: safe("log.propertiesRequestMethod", "") == "PATCH"
+          where: equals("log.propertiesRequestMethod", "PATCH")
       - add:
           function: 'string'
           params:
             key: action
             value: 'request'
-          where: safe("log.propertiesRequestMethod", "") == "REQUEST"
+          where: equals("log.propertiesRequestMethod", "REQUEST")
 
       # .......................................................................#
       # Removing log.propertiesRequestMethod if action was set
@@ -716,4 +716,4 @@ pipeline:
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("statusCode", 0.0) >= double(200) && safe("statusCode", 0.0) <= double(299) || (safe("statusCode", 0.0) >= double(300) && safe("statusCode", 0.0) <= double(399) && safe("origin.bytesReceived", 0.0) > double(0))
\ No newline at end of file
+          where: (greaterOrEqual("statusCode", 200) && lessOrEqual("statusCode", 299)) || (greaterOrEqual("statusCode", 300) && lessOrEqual("statusCode", 399) && greaterThan("origin.bytesReceived", 0))
\ No newline at end of file
diff --git a/filters/cisco/asa.yml b/filters/cisco/asa.yml
index 7d0827de6..feb0cfc21 100644
--- a/filters/cisco/asa.yml
+++ b/filters/cisco/asa.yml
@@ -314,14 +314,14 @@ pipeline:
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("actionResult", "") && (safe("log.messageId", 0.0) == double(106102) || safe("log.messageId", 0.0) == double(106103)) && (safe("actionResult", "") == "Permitted" || safe("actionResult", "") == "permitted")
+          where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && equalsIgnoreCase("actionResult", "Permitted")
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("actionResult", "") && (safe("log.messageId", 0.0) == double(106102) || safe("log.messageId", 0.0) == double(106103)) && (safe("actionResult", "") != "Permitted" && safe("actionResult", "") != "permitted")
+          where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && !equalsIgnoreCase("actionResult", "Permitted")
       #......................................................................#
       # ASA-4-109017
       - grok:
@@ -5754,13 +5754,13 @@ pipeline:
           params:
             key: action
             value: 'Threat-detection add host to shun list'
-          where: (safe("log.messageId", 0.0)==double(733102) || safe("log.messageId", 0.0)==double(733103)) && safe("log.msg", "").contains("add")
+          where: (equals("log.messageId", 733102) || equals("log.messageId", 733103)) && contains("log.msg", "add")
       - add:
           function: 'string'
           params:
             key: action
             value: 'Threat-detection removes host to shun list'
-          where: (safe("log.messageId", 0.0)==double(733102) || safe("log.messageId", 0.0)==double(733103)) && safe("log.msg", "").contains("removes")
+          where: (equals("log.messageId", 733102) || equals("log.messageId", 733103)) && contains("log.msg", "removes")
       #......................................................................#
       # Decoding severity
       - add:
@@ -5768,7 +5768,7 @@ pipeline:
           params:
             key: severity
             value: 'high'
-          where: safe("log.severity", "") in ["1", "2", "3"]
+          where: oneOf("log.severity", ["1", "2", "3"])
       - add:
           function: 'string'
           params:
@@ -5780,7 +5780,7 @@ pipeline:
           params:
             key: severity
             value: 'low'
-          where: safe("log.severity", "") in ["5", "6", "7"]
+          where: oneOf("log.severity", ["5", "6", "7"])
       #......................................................................#
       # Adding common geolocation
       - dynamic:
diff --git a/filters/cisco/cs_switch.yml b/filters/cisco/cs_switch.yml
index 9b9496fd0..612a86a84 100644
--- a/filters/cisco/cs_switch.yml
+++ b/filters/cisco/cs_switch.yml
@@ -139,7 +139,7 @@ pipeline:
           params:
             key: severity
             value: 'high'
-          where: safe("log.severity", "") in ["0", "1", "2", "3"]
+          where: oneOf("log.severity", ["0", "1", "2", "3"])
       - add:
           function: 'string'
           params:
@@ -151,7 +151,7 @@ pipeline:
           params:
             key: severity
             value: 'low'
-          where: safe("log.severity", "") in ["5", "6", "7"]
+          where: oneOf("log.severity", ["5", "6", "7"])
       #......................................................................#
       # Removing unused fields
       - delete:
diff --git a/filters/cisco/firepower.yml b/filters/cisco/firepower.yml
index e6c5f9c9d..d3f4482de 100644
--- a/filters/cisco/firepower.yml
+++ b/filters/cisco/firepower.yml
@@ -97,7 +97,7 @@ pipeline:
             - fieldName: log.srcInterface
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(106001)
+          where: equals("log.messageId", 106001)
 
       - trim:
           function: prefix
@@ -105,7 +105,7 @@ pipeline:
           fields:
             - origin.port
             - target.port
-          where: safe("log.messageId", 0.0) == double(106001)
+          where: equals("log.messageId", 106001)
       #......................................................................#
       # FTD-2-106017
       - grok:
@@ -123,13 +123,13 @@ pipeline:
             - fieldName: target.ip
               pattern: '({{.ipv4}}|{{.ipv6}})'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(106017)
+          where: equals("log.messageId", 106017)
       - trim:
           function: suffix
           substring: 'from'
           fields:
             - action
-          where: safe("log.messageId", 0.0) == double(106017)
+          where: equals("log.messageId", 106017)
       #......................................................................#
       # FTD-1-106021
       - grok:
@@ -149,19 +149,19 @@ pipeline:
             - fieldName: log.srcInterface
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(106021)
+          where: equals("log.messageId", 106021)
       - trim:
           function: suffix
           substring: 'from'
           fields:
             - action
-          where: safe("log.messageId", 0.0) == double(106021)
+          where: equals("log.messageId", 106021)
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(106021)
+          where: equals("log.messageId", 106021)
       #......................................................................#
       # FTD-2-106101
       - grok:
@@ -171,7 +171,7 @@ pipeline:
             - fieldName: log.rest
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(106101)
+          where: equals("log.messageId", 106101)
       - grok:
           patterns:
             - fieldName: log.irrelevant
@@ -181,7 +181,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(106101)
+          where: equals("log.messageId", 106101)
       # Parsing the limit number
       - grok:
           patterns:
@@ -192,13 +192,13 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.rest
-          where: safe("log.messageId", 0.0) == double(106101)
+          where: equals("log.messageId", 106101)
       # Field conversions
       - cast:
           fields:
             - log.numFlows
           to: int
-          where: safe("log.messageId", 0.0) == double(106101)
+          where: equals("log.messageId", 106101)
       #......................................................................#
       # FTD-6-106102,FTD-4-106103
       # First variant
@@ -235,7 +235,7 @@ pipeline:
             - fieldName: log.rest
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(106102) || safe("log.messageId", 0.0)==double(106103)
+          where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
       # Second variant
       - grok:
           patterns:
@@ -272,54 +272,54 @@ pipeline:
             - fieldName: log.rest
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(106102) || safe("log.messageId", 0.0)==106103
+          where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
       - trim:
           function: suffix
           substring: '/'
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(106102) || safe("log.messageId", 0.0)==106103
+          where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
       - trim:
           function: prefix
           substring: ''''
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(106102) || safe("log.messageId", 0.0)==106103
+          where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
       - trim:
           function: suffix
           substring: ''''
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(106102) || safe("log.messageId", 0.0)==106103
+          where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
       - trim:
           function: prefix
           substring: '('
           fields:
             - origin.port
             - target.port
-          where: safe("log.messageId", 0.0) == double(106102) || safe("log.messageId", 0.0)==106103
+          where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
       - trim:
           function: suffix
           substring: ')'
           fields:
             - origin.port
             - target.port
-          where: safe("log.messageId", 0.0) == double(106102) || safe("log.messageId", 0.0)==106103
+          where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("actionResult", "") && (safe("log.messageId", 0.0)==106102 || safe("log.messageId", 0.0)==106103) && (safe("actionResult", "") == "Permitted" || safe("actionResult", "") == "permitted")
+          where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && equalsIgnoreCase("actionResult", "Permitted")
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("actionResult", "") && (safe("log.messageId", 0.0)==106102 || safe("log.messageId", 0.0)==106103) && (safe("actionResult", "") != "Permitted" && safe("actionResult", "") != "permitted")
+          where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && !equalsIgnoreCase("actionResult", "Permitted")
       #......................................................................#
       # FTD-6-109101
       - grok:
@@ -339,7 +339,7 @@ pipeline:
             - fieldName: log.auditSessionId
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(109101)
+          where: equals("log.messageId", 109101)
       # Action result
       - grok:
           patterns:
@@ -350,19 +350,19 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(109101)
+          where: equals("log.messageId", 109101)
       - trim:
           function: suffix
           substring: ','
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(109101)
+          where: equals("log.messageId", 109101)
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(109101)
+          where: equals("log.messageId", 109101)
       #......................................................................#
       # FTD-4-109102
       - grok:
@@ -378,7 +378,7 @@ pipeline:
             - fieldName: log.auditSessionId
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(109102)
+          where: equals("log.messageId", 109102)
       # Action result
       - grok:
           patterns:
@@ -387,13 +387,13 @@ pipeline:
             - fieldName: log.ciscoResult
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(109102)
+          where: equals("log.messageId", 109102)
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(109102)
+          where: equals("log.messageId", 109102)
       #......................................................................#
       # FTD-3-109103
       - grok:
@@ -413,7 +413,7 @@ pipeline:
             - fieldName: log.auditSessionId
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(109103)
+          where: equals("log.messageId", 109103)
       # Action result
       - grok:
           patterns:
@@ -422,19 +422,19 @@ pipeline:
             - fieldName: log.ciscoResult
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(109103)
+          where: equals("log.messageId", 109103)
       - trim:
           function: suffix
           substring: ','
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(109103)
+          where: equals("log.messageId", 109103)
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(109103)
+          where: equals("log.messageId", 109103)
       #......................................................................#
       # FTD-109201 to 109213
       - grok:
@@ -456,21 +456,21 @@ pipeline:
             - fieldName: action
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0)>=109201 && log.messageId<=109213
+          where: greaterOrEqual("log.messageId", 109201) && log.messageId<=109213
       - trim:
           function: suffix
           substring: ','
           fields:
             - log.session
             - origin.user
-          where: lsafe("log.messageId", 0.0)>=109201 && log.messageId<=109213
+          where: lgreaterOrEqual("log.messageId", 109201) && log.messageId<=109213
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0)>=109201 && log.messageId<=109213
+          where: greaterOrEqual("log.messageId", 109201) && log.messageId<=109213
       #......................................................................#
       # FTD-6-113004
       - grok:
@@ -488,7 +488,7 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113004)
+          where: equals("log.messageId", 113004)
       # Action result
       - grok:
           patterns:
@@ -497,25 +497,25 @@ pipeline:
             - fieldName: log.ciscoResult
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(113004)
+          where: equals("log.messageId", 113004)
       - trim:
           function: suffix
           substring: ':'
           fields:
             - target.ip
-          where: safe("log.messageId", 0.0) == double(113004)
+          where: equals("log.messageId", 113004)
       - trim:
           function: suffix
           substring: ','
           fields:
             - target.ip
-          where: safe("log.messageId", 0.0) == double(113004)
+          where: equals("log.messageId", 113004)
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(113004)
+          where: equals("log.messageId", 113004)
       #......................................................................#
       # FTD-6-113005
       - grok:
@@ -539,7 +539,7 @@ pipeline:
             - fieldName: origin.ip
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113005)
+          where: equals("log.messageId", 113005)
       # Action result
       - grok:
           patterns:
@@ -548,7 +548,7 @@ pipeline:
             - fieldName: log.ciscoResult
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(113005)
+          where: equals("log.messageId", 113005)
       - trim:
           function: suffix
           substring: ':'
@@ -556,13 +556,13 @@ pipeline:
             - log.reason
             - target.ip
             - origin.user
-          where: safe("log.messageId", 0.0) == double(113005)
+          where: equals("log.messageId", 113005)
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(113005)
+          where: equals("log.messageId", 113005)
       #......................................................................#
       # FTD-6-113008
       - grok:
@@ -574,14 +574,14 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113008)
+          where: equals("log.messageId", 113008)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(113008)
+          where: equals("log.messageId", 113008)
       #......................................................................#
       # FTD-6-113009
       # First variant
@@ -596,19 +596,19 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113009)
+          where: equals("log.messageId", 113009)
       - trim:
           function: prefix
           substring: '('
           fields:
             - log.policy
-          where: safe("log.messageId", 0.0) == double(113009)
+          where: equals("log.messageId", 113009)
       - trim:
           function: suffix
           substring: ')'
           fields:
             - log.policy
-          where: safe("log.messageId", 0.0) == double(113009)
+          where: equals("log.messageId", 113009)
       # Second variant
       - grok:
           patterns:
@@ -621,20 +621,20 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113009)
+          where: equals("log.messageId", 113009)
       - trim:
           function: suffix
           substring: 'for'
           fields:
             - log.policy
-          where: safe("log.messageId", 0.0) == double(113009)
+          where: equals("log.messageId", 113009)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(113009)
+          where: equals("log.messageId", 113009)
       #......................................................................#
       # FTD-6-113010
       - grok:
@@ -646,13 +646,13 @@ pipeline:
             - fieldName: origin.ip
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113010)
+          where: equals("log.messageId", 113010)
       - trim:
           function: suffix
           substring: 'from server'
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(113010)
+          where: equals("log.messageId", 113010)
       #......................................................................#
       # FTD-6-113011
       # First variant
@@ -667,19 +667,19 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113011)
+          where: equals("log.messageId", 113011)
       - trim:
           function: prefix
           substring: '('
           fields:
             - log.policy
-          where: safe("log.messageId", 0.0) == double(113011)
+          where: equals("log.messageId", 113011)
       - trim:
           function: suffix
           substring: ')'
           fields:
             - log.policy
-          where: safe("log.messageId", 0.0) == double(113011)
+          where: equals("log.messageId", 113011)
       # Second variant
       - grok:
           patterns:
@@ -692,13 +692,13 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113011)
+          where: equals("log.messageId", 113011)
       - trim:
           function: suffix
           substring: 'for'
           fields:
             - log.policy
-          where: safe("log.messageId", 0.0) == double(113011)
+          where: equals("log.messageId", 113011)
       #......................................................................#
       # FTD-6-113012
       - grok:
@@ -710,7 +710,7 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113012)
+          where: equals("log.messageId", 113012)
       # Action result
       - grok:
           patterns:
@@ -719,13 +719,13 @@ pipeline:
             - fieldName: log.ciscoResult
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(113012)
+          where: equals("log.messageId", 113012)
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(113012)
+          where: equals("log.messageId", 113012)
       #......................................................................#
       # FTD-6-113013
       - grok:
@@ -741,13 +741,13 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113013)
+          where: equals("log.messageId", 113013)
       - trim:
           function: suffix
           substring: ':'
           fields:
             - log.reason
-          where: safe("log.messageId", 0.0) == double(113013)
+          where: equals("log.messageId", 113013)
       #......................................................................#
       # FTD-6-113014
       - grok:
@@ -763,7 +763,7 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113014)
+          where: equals("log.messageId", 113014)
       #......................................................................#
       # FTD-6-113015, 113017
       - grok:
@@ -783,14 +783,14 @@ pipeline:
             - fieldName: target.ip
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113015) || log.messageId==113017
+          where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
       - trim:
           function: suffix
           substring: ':'
           fields:
             - log.reason
             - origin.user
-          where: safe("log.messageId", 0.0) == double(113015) || log.messageId==113017
+          where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
       # Action result
       - grok:
           patterns:
@@ -799,13 +799,13 @@ pipeline:
             - fieldName: log.ciscoResult
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(113015) || log.messageId==113017
+          where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(113015) || log.messageId==113017
+          where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
       #......................................................................#
       # FTD-6-113016
       - grok:
@@ -829,7 +829,7 @@ pipeline:
             - fieldName: origin.ip
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113016)
+          where: equals("log.messageId", 113016)
       - trim:
           function: suffix
           substring: ':'
@@ -837,7 +837,7 @@ pipeline:
             - log.reason
             - target.ip
             - origin.user
-          where: safe("log.messageId", 0.0) == double(113016)
+          where: equals("log.messageId", 113016)
       # Action result
       - grok:
           patterns:
@@ -846,13 +846,13 @@ pipeline:
             - fieldName: log.ciscoResult
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(113016)
+          where: equals("log.messageId", 113016)
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(113016)
+          where: equals("log.messageId", 113016)
       #......................................................................#
       # FTD-4-113019
       - grok:
@@ -892,7 +892,7 @@ pipeline:
             - fieldName: log.reason
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113019)
+          where: equals("log.messageId", 113019)
       - trim:
           function: suffix
           substring: ','
@@ -904,20 +904,20 @@ pipeline:
             - log.duration
             - origin.bytesSent
             - origin.bytesReceived
-          where: safe("log.messageId", 0.0) == double(113019)
+          where: equals("log.messageId", 113019)
       - cast:
           fields:
             - origin.bytesSent
             - origin.bytesReceived
           to: int
-          where: safe("log.messageId", 0.0) == double(113019)
+          where: equals("log.messageId", 113019)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(113019)
+          where: equals("log.messageId", 113019)
       #......................................................................#
       # FTD-113031,113032,113033
       # Common fields
@@ -934,19 +934,19 @@ pipeline:
             - fieldName: log.rest
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113031) || log.messageId==113032 || log.messageId==113033
+          where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
       - trim:
           function: suffix
           substring: 'User'
           fields:
             - origin.group
-          where: safe("log.messageId", 0.0) == double(113031) || log.messageId==113032 || log.messageId==113033
+          where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
       - trim:
           function: suffix
           substring: 'IP'
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(113031) || log.messageId==113032 || log.messageId==113033
+          where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
       # Specific fields
       - grok:
           patterns:
@@ -957,7 +957,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.rest
-          where: safe("log.messageId", 0.0) == double(113031) || log.messageId==113032 || log.messageId==113033
+          where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
       - grok:
           patterns:
             - fieldName: action
@@ -965,20 +965,20 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.rest
-          where: safe("log.messageId", 0.0) == double(113031) || log.messageId==113032 || log.messageId==113033
+          where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
       - trim:
           function: suffix
           substring: 'is'
           fields:
             - log.filter
-          where: safe("log.messageId", 0.0) == double(113031) || log.messageId==113032 || log.messageId==113033
+          where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(113031) || log.messageId==113032 || log.messageId==113033
+          where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
       #......................................................................#
       # FTD-113034,113035,113036,113038,113039
       - grok:
@@ -994,20 +994,20 @@ pipeline:
             - fieldName: log.rest
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+          where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
       # Cleaning fields
       - trim:
           function: suffix
           substring: 'User'
           fields:
             - origin.group
-          where: safe("log.messageId", 0.0) == double(113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+          where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
       - trim:
           function: suffix
           substring: 'IP'
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+          where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
       - trim:
           function: prefix
           substring: '<'
@@ -1015,7 +1015,7 @@ pipeline:
             - origin.group
             - origin.user
             - origin.ip
-          where: safe("log.messageId", 0.0) == double(113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+          where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
       - trim:
           function: suffix
           substring: '>'
@@ -1023,21 +1023,21 @@ pipeline:
             - origin.group
             - origin.user
             - origin.ip
-          where: safe("log.messageId", 0.0) == double(113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+          where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(113039)
+          where: equals("log.messageId", 113039)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(113035) || log.messageId==113038
+          where: equals("log.messageId", 113035) || log.messageId==113038
       #......................................................................#
       # FTD-4-113042
       - grok:
@@ -1069,33 +1069,33 @@ pipeline:
             - fieldName: log.rest
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(113042)
+          where: equals("log.messageId", 113042)
       - trim:
           function: suffix
           substring: 'from'
           fields:
             - action
-          where: safe("log.messageId", 0.0) == double(113042)
+          where: equals("log.messageId", 113042)
       - trim:
           function: suffix
           substring: ':'
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(113042)
+          where: equals("log.messageId", 113042)
       - trim:
           function: suffix
           substring: '/'
           fields:
             - origin.ip
             - target.ip
-          where: safe("log.messageId", 0.0) == double(113042)
+          where: equals("log.messageId", 113042)
       - trim:
           function: suffix
           substring: 'at'
           fields:
             - log.remoteUser
-          where: safe("log.messageId", 0.0) == double(113042)
+          where: equals("log.messageId", 113042)
       #......................................................................#
       # FTD-2-201003
       - grok:
@@ -1129,26 +1129,26 @@ pipeline:
             - fieldName: log.dstInterface
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(201003)
+          where: equals("log.messageId", 201003)
       - trim:
           function: prefix
           substring: '('
           fields:
             - log.globalIp
-          where: safe("log.messageId", 0.0) == double(201003)
+          where: equals("log.messageId", 201003)
       - trim:
           function: suffix
           substring: ')'
           fields:
             - log.globalIp
-          where: safe("log.messageId", 0.0) == double(201003)
+          where: equals("log.messageId", 201003)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(201003)
+          where: equals("log.messageId", 201003)
       #......................................................................#
       # FTD-4-209003
       - grok:
@@ -1174,7 +1174,7 @@ pipeline:
             - fieldName: log.id
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(209003)
+          where: equals("log.messageId", 209003)
       - trim:
           function: suffix
           substring: ','
@@ -1182,19 +1182,19 @@ pipeline:
             - origin.ip
             - target.ip
             - protocol
-          where: safe("log.messageId", 0.0) == double(209003)
+          where: equals("log.messageId", 209003)
       - cast:
           fields:
             - log.limit
           to: int
-          where: safe("log.messageId", 0.0) == double(209003)
+          where: equals("log.messageId", 209003)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(209003)
+          where: equals("log.messageId", 209003)
       #......................................................................#
       # FTD-3-316001
       - grok:
@@ -1208,7 +1208,7 @@ pipeline:
             - fieldName: log.rest
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(316001)
+          where: equals("log.messageId", 316001)
       # Action result
       - grok:
           patterns:
@@ -1217,14 +1217,14 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(316001)
+          where: equals("log.messageId", 316001)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(316001)
+          where: equals("log.messageId", 316001)
       #......................................................................#
       # FTD-3-316002
       - grok:
@@ -1252,26 +1252,26 @@ pipeline:
             - fieldName: target.ip
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(316002)
+          where: equals("log.messageId", 316002)
       - trim:
           function: suffix
           substring: ','
           fields:
             - protocol
-          where: safe("log.messageId", 0.0) == double(316002)
+          where: equals("log.messageId", 316002)
       - cast:
           fields:
             - log.inIfNum
             - log.outIfNum
           to: int
-          where: safe("log.messageId", 0.0) == double(316002)
+          where: equals("log.messageId", 316002)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(316002)
+          where: equals("log.messageId", 316002)
       #......................................................................#
       # FTD-6-302003,302004
       # First variant
@@ -1292,7 +1292,7 @@ pipeline:
             - fieldName: log.tmpFromip
               pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302003) || log.messageId==302004
+          where: equals("log.messageId", 302003) || log.messageId==302004
       # Second variant
       - grok:
           patterns:
@@ -1309,7 +1309,7 @@ pipeline:
             - fieldName: log.tmpFromip
               pattern: '({{.ipv4}}|{{.ipv6}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302003) || log.messageId==302004
+          where: equals("log.messageId", 302003) || log.messageId==302004
       # Parsing from/to ip and port
       - grok:
           patterns:
@@ -1318,13 +1318,13 @@ pipeline:
             - fieldName: target.port
               pattern: '{{.greedy}}'      
           source: log.tmpToip
-          where: safe("log.messageId", 0.0) == double(302003) || log.messageId==302004
+          where: equals("log.messageId", 302003) || log.messageId==302004
       - grok:
           patterns:
             - fieldName: target.ip
               pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'        
           source: log.tmpToip
-          where: safe("log.messageId", 0.0) == double(302003) || log.messageId==302004
+          where: equals("log.messageId", 302003) || log.messageId==302004
       - grok:
           patterns:
             - fieldName: origin.ip
@@ -1332,33 +1332,33 @@ pipeline:
             - fieldName: origin.port
               pattern: '{{.greedy}}'         
           source: log.tmpFromip
-          where: safe("log.messageId", 0.0) == double(302003) || log.messageId==302004
+          where: equals("log.messageId", 302003) || log.messageId==302004
       - grok:
           patterns:
             - fieldName: origin.ip
               pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'        
           source: log.tmpFromip
-          where: safe("log.messageId", 0.0) == double(302003) || log.messageId==302004
+          where: equals("log.messageId", 302003) || log.messageId==302004
       - trim:
           function: prefix
           substring: '/'
           fields:
             - origin.port
             - target.port
-          where: safe("log.messageId", 0.0) == double(302003) || log.messageId==302004
+          where: equals("log.messageId", 302003) || log.messageId==302004
       # Removing temp fields
       - delete:
           fields:
             - log.tmpFromip
             - log.tmpToip
-          where: safe("log.messageId", 0.0) == double(302003) || log.messageId==302004
+          where: equals("log.messageId", 302003) || log.messageId==302004
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(302003) || log.messageId==302004
+          where: equals("log.messageId", 302003) || log.messageId==302004
       #......................................................................#
       # FTD-6-302012
       - grok:
@@ -1376,20 +1376,20 @@ pipeline:
             - fieldName: target.ip
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302012)
+          where: equals("log.messageId", 302012)
       - trim:
           function: prefix
           substring: '/'
           fields:
             - origin.port
-          where: safe("log.messageId", 0.0) == double(302012)
+          where: equals("log.messageId", 302012)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(302012)
+          where: equals("log.messageId", 302012)
       #......................................................................#
       # FTD-6-302013
       - grok:
@@ -1431,7 +1431,7 @@ pipeline:
             - fieldName: log.rest
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302013)
+          where: equals("log.messageId", 302013)
       # Parsing direction field
       - grok:
           patterns:
@@ -1442,7 +1442,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpDirection
-          where: safe("log.messageId", 0.0) == double(302013)
+          where: equals("log.messageId", 302013)
       # Parsing firewall user from
       - grok:
           patterns:
@@ -1453,7 +1453,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserFrom
-          where: safe("log.messageId", 0.0) == double(302013)
+          where: equals("log.messageId", 302013)
       # Parsing firewall user to, and AAA name of the user if exists
       - grok:
           patterns:
@@ -1468,7 +1468,7 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.data}}\)'  
           source: log.rest
-          where: safe("log.messageId", 0.0) == double(302013)
+          where: equals("log.messageId", 302013)
 
       - grok:
           patterns:
@@ -1479,7 +1479,7 @@ pipeline:
             - fieldName: log.firewallUserTo
               pattern: '{{.data}}\)'
           source: log.rest
-          where: safe("log.messageId", 0.0) == double(302013)
+          where: equals("log.messageId", 302013)
 
       - trim:
           function: suffix
@@ -1488,13 +1488,13 @@ pipeline:
             - log.firewallUserFrom
             - log.firewallUserTo
             - origin.user
-          where: safe("log.messageId", 0.0) == double(302013)
+          where: equals("log.messageId", 302013)
       # Removing tmp fields
       - delete:
           fields:
             - log.tmpDirection
             - log.tmpFwUserFrom
-          where: safe("log.messageId", 0.0) == double(302013)
+          where: equals("log.messageId", 302013)
 
       # Cleaning fields
       - trim:
@@ -1503,7 +1503,7 @@ pipeline:
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(302013)
+          where: equals("log.messageId", 302013)
       - trim:
           function: suffix
           substring: '/'
@@ -1512,20 +1512,20 @@ pipeline:
             - target.ip
             - log.mappedIpFrom
             - log.mappedIpTo
-          where: safe("log.messageId", 0.0) == double(302013)
+          where: equals("log.messageId", 302013)
       - trim:
           function: suffix
           substring: 'for'
           fields:
             - log.connectionId
-          where: safe("log.messageId", 0.0) == double(302013)
+          where: equals("log.messageId", 302013)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(302013)
+          where: equals("log.messageId", 302013)
       #......................................................................#
       # FTD-6-302014
       - grok:
@@ -1563,7 +1563,7 @@ pipeline:
             - fieldName: log.rest
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302014)
+          where: equals("log.messageId", 302014)
       # Parsing firewall user from
       - grok:
           patterns:
@@ -1574,7 +1574,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserFrom
-          where: safe("log.messageId", 0.0) == double(302014)
+          where: equals("log.messageId", 302014)
       # Parsing firewall user to
       - grok:
           patterns:
@@ -1585,7 +1585,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserTo
-          where: safe("log.messageId", 0.0) == double(302014)
+          where: equals("log.messageId", 302014)
       # Parsing AAA user if exists
       - grok:
           patterns:
@@ -1594,7 +1594,7 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.data}}\)'
           source: log.rest
-          where: safe("log.messageId", 0.0) == double(302014)
+          where: equals("log.messageId", 302014)
 
       - trim:
           function: suffix
@@ -1603,13 +1603,13 @@ pipeline:
             - log.firewallUserFrom
             - log.firewallUserTo
             - origin.user
-          where: safe("log.messageId", 0.0) == double(302014)
+          where: equals("log.messageId", 302014)
       # Removing tmp fields
       - delete:
           fields:
             - log.tmpFwUserFrom
             - log.tmpFwUserTo
-          where: safe("log.messageId", 0.0) == double(302014)
+          where: equals("log.messageId", 302014)
 
       # Cleaning fields
       - trim:
@@ -1618,27 +1618,27 @@ pipeline:
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(302014)
+          where: equals("log.messageId", 302014)
       - trim:
           function: suffix
           substring: '/'
           fields:
             - origin.ip
             - target.ip
-          where: safe("log.messageId", 0.0) == double(302014)
+          where: equals("log.messageId", 302014)
       - trim:
           function: suffix
           substring: 'for'
           fields:
             - log.connectionId
-          where: safe("log.messageId", 0.0) == double(302014)
+          where: equals("log.messageId", 302014)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(302014)
+          where: equals("log.messageId", 302014)
       #......................................................................#
       # FTD-6-302015
       - grok:
@@ -1682,7 +1682,7 @@ pipeline:
             - fieldName: log.rest
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302015)
+          where: equals("log.messageId", 302015)
       # Parsing direction field
       - grok:
           patterns:
@@ -1691,7 +1691,7 @@ pipeline:
             - fieldName: log.direction
               pattern: '{{.greedy}}'
           source: log.tmpDirection
-          where: safe("log.messageId", 0.0) == double(302015)
+          where: equals("log.messageId", 302015)
       # Parsing firewall user from
       - grok:
           patterns:
@@ -1702,7 +1702,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserFrom
-          where: safe("log.messageId", 0.0) == double(302015)
+          where: equals("log.messageId", 302015)
       # Parsing firewall user to, and AAA name of the user if exists
       - grok:
           patterns:
@@ -1717,7 +1717,7 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.data}}\)'  
           source: log.rest
-          where: safe("log.messageId", 0.0) == double(302015)
+          where: equals("log.messageId", 302015)
 
       - grok:
           patterns:
@@ -1728,7 +1728,7 @@ pipeline:
             - fieldName: log.firewallUserTo
               pattern: '{{.data}}\)'
           source: log.rest
-          where: safe("log.messageId", 0.0) == double(302015)
+          where: equals("log.messageId", 302015)
 
       - trim:
           function: suffix
@@ -1737,13 +1737,13 @@ pipeline:
             - log.firewallUserFrom
             - log.firewallUserTo
             - origin.user
-          where: safe("log.messageId", 0.0) == double(302015)
+          where: equals("log.messageId", 302015)
       # Removing tmp fields
       - delete:
           fields:
             - log.tmpDirection
             - log.tmpFwUserFrom
-          where: safe("log.messageId", 0.0) == double(302015)
+          where: equals("log.messageId", 302015)
 
       # Cleaning fields
       - trim:
@@ -1752,7 +1752,7 @@ pipeline:
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(302015)
+          where: equals("log.messageId", 302015)
       - trim:
           function: suffix
           substring: '/'
@@ -1761,20 +1761,20 @@ pipeline:
             - target.ip
             - log.mappedIpFrom
             - log.mappedIpTo
-          where: safe("log.messageId", 0.0) == double(302015)
+          where: equals("log.messageId", 302015)
       - trim:
           function: suffix
           substring: 'for'
           fields:
             - log.connectionId
-          where: safe("log.messageId", 0.0) == double(302015)
+          where: equals("log.messageId", 302015)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(302015)
+          where: equals("log.messageId", 302015)
       #......................................................................#
       # FTD-6-302016
       - grok:
@@ -1808,7 +1808,7 @@ pipeline:
             - fieldName: log.rest
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302016)
+          where: equals("log.messageId", 302016)
       # Parsing firewall user from
       - grok:
           patterns:
@@ -1819,7 +1819,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserFrom
-          where: safe("log.messageId", 0.0) == double(302016)
+          where: equals("log.messageId", 302016)
       # Parsing firewall user to
       - grok:
           patterns:
@@ -1830,7 +1830,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserTo
-          where: safe("log.messageId", 0.0) == double(302016)
+          where: equals("log.messageId", 302016)
       # Parsing firewall user to, and AAA name of the user if exists
       - grok:
           patterns:
@@ -1839,7 +1839,7 @@ pipeline:
             - fieldName: origin.bytesSent
               pattern: '{{.integer}}'  
           source: log.rest
-          where: safe("log.messageId", 0.0) == double(302016)
+          where: equals("log.messageId", 302016)
 
       - grok:
           patterns:
@@ -1852,7 +1852,7 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.data}}\)'
           source: log.rest
-          where: safe("log.messageId", 0.0) == double(302016)
+          where: equals("log.messageId", 302016)
 
       - trim:
           function: suffix
@@ -1861,13 +1861,13 @@ pipeline:
             - log.firewallUserFrom
             - log.firewallUserTo
             - origin.user
-          where: safe("log.messageId", 0.0) == double(302016)
+          where: equals("log.messageId", 302016)
       # Removing tmp fields
       - delete:
           fields:
             - log.tmpFwUserFrom
             - log.tmpFwUserTo
-          where: safe("log.messageId", 0.0) == double(302016)
+          where: equals("log.messageId", 302016)
 
       # Cleaning fields
       - trim:
@@ -1876,27 +1876,27 @@ pipeline:
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(302016)
+          where: equals("log.messageId", 302016)
       - trim:
           function: suffix
           substring: '/'
           fields:
             - origin.ip
             - target.ip
-          where: safe("log.messageId", 0.0) == double(302016)
+          where: equals("log.messageId", 302016)
       - trim:
           function: suffix
           substring: 'for'
           fields:
             - log.connectionId
-          where: safe("log.messageId", 0.0) == double(302016)
+          where: equals("log.messageId", 302016)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(302016)
+          where: equals("log.messageId", 302016)
       #......................................................................#
       # FTD-6-302017
       - grok:
@@ -1932,7 +1932,7 @@ pipeline:
             - fieldName: log.rest
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302017)
+          where: equals("log.messageId", 302017)
       # Parsing firewall user from
       - grok:
           patterns:
@@ -1943,7 +1943,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserFrom
-          where: safe("log.messageId", 0.0) == double(302017)
+          where: equals("log.messageId", 302017)
       # Parsing translatedCid and, firewall user to and AAA user if present
       - grok:
           patterns:
@@ -1952,13 +1952,13 @@ pipeline:
             - fieldName: log.tmpUserInfo
               pattern: '{{.greedy}}'
           source: log.rest
-          where: safe("log.messageId", 0.0) == double(302017)
+          where: equals("log.messageId", 302017)
       - grok:
           patterns:
             - fieldName: log.translatedCid
               pattern: '{{.data}}\)'
           source: log.rest
-          where: safe("log.messageId", 0.0) == double(302017)
+          where: equals("log.messageId", 302017)
       # FW user and AAA user
       - grok:
           patterns:
@@ -1967,13 +1967,13 @@ pipeline:
             - fieldName: target.user
               pattern: '\({{.data}}\)'
           source: log.tmpUserInfo
-          where: safe("log.messageId", 0.0) == double(302017)
+          where: equals("log.messageId", 302017)
       - grok:
           patterns:
             - fieldName: log.tmpFwUserTo
               pattern: '\({{.data}}\)'
           source: log.tmpUserInfo
-          where: safe("log.messageId", 0.0) == double(302017)
+          where: equals("log.messageId", 302017)
       # Parsing firewall user to
       - grok:
           patterns:
@@ -1984,7 +1984,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserTo
-          where: safe("log.messageId", 0.0) == double(302017)
+          where: equals("log.messageId", 302017)
       - trim:
           function: suffix
           substring: ')'
@@ -1993,14 +1993,14 @@ pipeline:
             - log.firewallUserTo
             - target.user
             - log.translatedCid
-          where: safe("log.messageId", 0.0) == double(302017)
+          where: equals("log.messageId", 302017)
       - trim:
           function: suffix
           substring: '('
           fields:
             - log.realCid
             - target.user
-          where: safe("log.messageId", 0.0) == double(302017)
+          where: equals("log.messageId", 302017)
       # Removing tmp fields
       - delete:
           fields:
@@ -2008,7 +2008,7 @@ pipeline:
             - log.tmpFwUserFrom
             - log.tmpFwUserTo
             - log.tmpUserInfo
-          where: safe("log.messageId", 0.0) == double(302017)
+          where: equals("log.messageId", 302017)
       # Cleaning fields
       - trim:
           function: suffix
@@ -2016,27 +2016,27 @@ pipeline:
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(302017)
+          where: equals("log.messageId", 302017)
       - trim:
           function: suffix
           substring: '/'
           fields:
             - target.ip
             - log.translatedIpTo
-          where: safe("log.messageId", 0.0) == double(302017)
+          where: equals("log.messageId", 302017)
       - trim:
           function: suffix
           substring: 'from'
           fields:
             - log.connectionId
-          where: safe("log.messageId", 0.0) == double(302017)
+          where: equals("log.messageId", 302017)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(302017)
+          where: equals("log.messageId", 302017)
       #......................................................................#
       # FTD-6-302018
       - grok:
@@ -2074,7 +2074,7 @@ pipeline:
             - fieldName: log.rest
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302018)
+          where: equals("log.messageId", 302018)
       # Parsing firewall user from
       - grok:
           patterns:
@@ -2085,7 +2085,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserFrom
-          where: safe("log.messageId", 0.0) == double(302018)
+          where: equals("log.messageId", 302018)
       # Parsing firewall user to
       - grok:
           patterns:
@@ -2096,7 +2096,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserTo
-          where: safe("log.messageId", 0.0) == double(302018)
+          where: equals("log.messageId", 302018)
       # Parsing firewall user to, and AAA name of the user if exists
       - grok:
           patterns:
@@ -2105,7 +2105,7 @@ pipeline:
             - fieldName: origin.bytesSent
               pattern: '{{.integer}}'  
           source: log.rest
-          where: safe("log.messageId", 0.0) == double(302018)
+          where: equals("log.messageId", 302018)
 
       - grok:
           patterns:
@@ -2118,7 +2118,7 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.data}}\)'
           source: log.rest
-          where: safe("log.messageId", 0.0) == double(302018)
+          where: equals("log.messageId", 302018)
 
       - trim:
           function: suffix
@@ -2128,47 +2128,47 @@ pipeline:
             - log.firewallUserTo
             - origin.user
             - log.translatedCid
-          where: safe("log.messageId", 0.0) == double(302018)
+          where: equals("log.messageId", 302018)
       # Removing tmp fields
       - delete:
           fields:
             - log.tmpFwUserFrom
             - log.tmpFwUserTo
-          where: safe("log.messageId", 0.0) == double(302018)
+          where: equals("log.messageId", 302018)
       # Cleaning fields
       - trim:
           function: suffix
           substring: '('
           fields:
             - log.realCid
-          where: safe("log.messageId", 0.0) == double(302018)
+          where: equals("log.messageId", 302018)
       - trim:
           function: suffix
           substring: ':'
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(302018)
+          where: equals("log.messageId", 302018)
       - trim:
           function: suffix
           substring: '/'
           fields:
             - target.ip
             - log.translatedIpTo
-          where: safe("log.messageId", 0.0) == double(302018)
+          where: equals("log.messageId", 302018)
       - trim:
           function: suffix
           substring: 'from'
           fields:
             - log.connectionId
-          where: safe("log.messageId", 0.0) == double(302018)
+          where: equals("log.messageId", 302018)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(302018)
+          where: equals("log.messageId", 302018)
       #......................................................................#
       # FTD-6-302020, 302021
       # 302020
@@ -2193,7 +2193,7 @@ pipeline:
             - fieldName: log.icmpCode
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302020)
+          where: equals("log.messageId", 302020)
       # 302021
       - grok:
           patterns:
@@ -2214,7 +2214,7 @@ pipeline:
             - fieldName: log.icmpCode
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302021)
+          where: equals("log.messageId", 302021)
       # Common parsing for 302020 and 302021
       # For parsing faddr and fwuser from (Begin with ip/port), or icmpSeqNum
       - grok:
@@ -2226,7 +2226,7 @@ pipeline:
             - fieldName: log.tmpFwUserFrom
               pattern: '{{.greedy}}'
           source: log.tmpFaddrAndFwUser
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       - grok:
           patterns:
             - fieldName: origin.ip
@@ -2234,7 +2234,7 @@ pipeline:
             - fieldName: log.tmpFwUserFrom
               pattern: '{{.greedy}}'
           source: log.tmpFaddrAndFwUser
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       # icmpSeqNum variants
       - grok:
           patterns:
@@ -2245,7 +2245,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: 'gaddr'
           source: log.tmpFaddrAndFwUser
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       - grok:
           patterns:
             - fieldName: log.icmpSeqNum
@@ -2253,14 +2253,14 @@ pipeline:
             - fieldName: log.tmpFwUserFrom
               pattern: 'gaddr'
           source: log.tmpFaddrAndFwUser
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       # Cleaning icmpSeqNum
       - trim:
           function: suffix
           substring: 'gaddr'
           fields:
             - log.icmpSeqNum
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       # Continue with firewall user from
       - grok:
           patterns:
@@ -2271,7 +2271,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserFrom
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       # For parsing gaddr and global fwuser (Begin with ip/port), or icmpType
       - grok:
           patterns:
@@ -2282,7 +2282,7 @@ pipeline:
             - fieldName: log.tmpFwUserGlobal
               pattern: '{{.greedy}}'
           source: log.tmpGaddrAndFwUser
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       - grok:
           patterns:
             - fieldName: log.globalIp
@@ -2290,7 +2290,7 @@ pipeline:
             - fieldName: log.tmpFwUserGlobal
               pattern: '{{.greedy}}'
           source: log.tmpGaddrAndFwUser
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       # icmpType variants
       - grok:
           patterns:
@@ -2301,7 +2301,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: 'laddr'
           source: log.tmpGaddrAndFwUser
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       - grok:
           patterns:
             - fieldName: log.icmpType
@@ -2309,20 +2309,20 @@ pipeline:
             - fieldName: log.tmpFwUserGlobal
               pattern: 'laddr'
           source: log.tmpGaddrAndFwUser
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       # Cleaning icmpType
       - trim:
           function: suffix
           substring: 'laddr'
           fields:
             - log.icmpType
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       - trim:
           function: suffix
           substring: 'code'
           fields:
             - log.icmpType
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       # Continue with global firewall
       - grok:
           patterns:
@@ -2333,7 +2333,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserGlobal
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       # For parsing laddr and fwuser to (Begin with ip/port)
       - grok:
           patterns:
@@ -2344,7 +2344,7 @@ pipeline:
             - fieldName: log.tmpFwUserTo
               pattern: '{{.greedy}}'
           source: log.tmpLaddrAndFwUser
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       - grok:
           patterns:
             - fieldName: target.ip
@@ -2352,7 +2352,7 @@ pipeline:
             - fieldName: log.tmpFwUserTo
               pattern: '{{.greedy}}'
           source: log.tmpLaddrAndFwUser
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       # Continue with firewall user to
       - grok:
           patterns:
@@ -2363,7 +2363,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserTo
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       # Cleaning fields
       - trim:
           function: suffix
@@ -2371,7 +2371,7 @@ pipeline:
           fields:
             - target.ip
             - origin.ip
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       - trim:
           function: suffix
           substring: ')'
@@ -2379,7 +2379,7 @@ pipeline:
             - log.firewallUserFrom
             - log.firewallUserTo
             - log.globalFirewallUser
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       # Removing tmp fields
       - delete:
           fields:
@@ -2389,14 +2389,14 @@ pipeline:
             - log.tmpFaddrAndFwUser
             - log.tmpGaddrAndFwUser
             - log.tmpLaddrAndFwUser
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(302020) || log.messageId==302021
+          where: equals("log.messageId", 302020) || log.messageId==302021
       #......................................................................#
       # FTD-6-302022, 302024, 302026
       - grok:
@@ -2428,7 +2428,7 @@ pipeline:
             - fieldName: log.tmpMappedIpPortTo
               pattern: '\({{.data}}\)'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302022) || log.messageId==302024 || log.messageId==302026
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
       # Parsing mapped ip,port from tmp fields
       # With port
       - grok:
@@ -2442,7 +2442,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '\)'
           source: log.tmpMappedIpPortFrom
-          where: safe("log.messageId", 0.0) == double(302022) || log.messageId==302024 || log.messageId==302026
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
       # Without port
       - grok:
           patterns:
@@ -2453,7 +2453,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '\)'
           source: log.tmpMappedIpPortFrom
-          where: safe("log.messageId", 0.0) == double(302022) || log.messageId==302024 || log.messageId==302026
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
       # Parsing mapped ip,port to, from tmp fields
       # With port
       - grok:
@@ -2467,7 +2467,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '\)'
           source: log.tmpMappedIpPortTo
-          where: safe("log.messageId", 0.0) == double(302022) || log.messageId==302024 || log.messageId==302026
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
       # Without port
       - grok:
           patterns:
@@ -2478,21 +2478,21 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '\)'
           source: log.tmpMappedIpPortTo
-          where: safe("log.messageId", 0.0) == double(302022) || log.messageId==302024 || log.messageId==302026
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
       # Cleaning fields
       - trim:
           function: suffix
           substring: 'stub'
           fields:
             - log.role
-          where: safe("log.messageId", 0.0) == double(302022) || log.messageId==302024 || log.messageId==302026
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
       - trim:
           function: suffix
           substring: ':'
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(302022) || log.messageId==302024 || log.messageId==302026
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
       - trim:
           function: suffix
           substring: '/'
@@ -2501,20 +2501,20 @@ pipeline:
             - target.ip
             - log.mappedIpFrom
             - log.mappedIpTo
-          where: safe("log.messageId", 0.0) == double(302022) || log.messageId==302024 || log.messageId==302026
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
       # Removing tmp fields
       - delete:
           fields:
             - log.tmpMappedIpPortFrom
             - log.tmpMappedIpPortTo
-          where: safe("log.messageId", 0.0) == double(302022) || log.messageId==302024 || log.messageId==302026
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(302022) || log.messageId==302024 || log.messageId==302026
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
       #......................................................................#
       # FTD-6-302023, 302025, 302027
       - grok:
@@ -2550,7 +2550,7 @@ pipeline:
             - fieldName: log.reason
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302023) || log.messageId==302025 || log.messageId==302027
+          where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027
       # Cleaning fields
       - trim:
           function: suffix
@@ -2558,21 +2558,21 @@ pipeline:
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(302023) || log.messageId==302025 || log.messageId==302027
+          where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027
       - trim:
           function: suffix
           substring: '/'
           fields:
             - origin.ip
             - target.ip
-          where: safe("log.messageId", 0.0) == double(302023) || log.messageId==302025 || log.messageId==302027
+          where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(302023) || log.messageId==302025 || log.messageId==302027
+          where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027
       #......................................................................#
       # FTD-302033,302034
       - grok:
@@ -2592,7 +2592,7 @@ pipeline:
             - fieldName: log.tmpIpPortTo
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302033) || log.messageId==302034
+          where: equals("log.messageId", 302033) || log.messageId==302034
       # Parsing optional ports from y to
       - grok:
           patterns:
@@ -2601,7 +2601,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpPortFrom
-          where: safe("log.messageId", 0.0) == double(302033) || log.messageId==302034
+          where: equals("log.messageId", 302033) || log.messageId==302034
       - grok:
           patterns:
             - fieldName: target.ip
@@ -2609,13 +2609,13 @@ pipeline:
             - fieldName: target.port
               pattern: '{{.greedy}}'
           source: log.tmpIpPortTo
-          where: safe("log.messageId", 0.0) == double(302033) || log.messageId==302034
+          where: equals("log.messageId", 302033) || log.messageId==302034
       - grok:
           patterns:
             - fieldName: target.ip
               pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
           source: log.tmpIpPortTo
-          where: safe("log.messageId", 0.0) == double(302033) || log.messageId==302034
+          where: equals("log.messageId", 302033) || log.messageId==302034
       # Cleaning fields
       - trim:
           function: suffix
@@ -2623,33 +2623,33 @@ pipeline:
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(302033) || log.messageId==302034
+          where: equals("log.messageId", 302033) || log.messageId==302034
       - trim:
           function: suffix
           substring: '/'
           fields:
             - origin.ip
             - target.ip
-          where: safe("log.messageId", 0.0) == double(302033) || log.messageId==302034
+          where: equals("log.messageId", 302033) || log.messageId==302034
       # Remove tmp fields
       - delete:
           fields:
             - log.tmpPortFrom
             - log.tmpIpPortTo
-          where: safe("log.messageId", 0.0) == double(302033) || log.messageId==302034
+          where: equals("log.messageId", 302033) || log.messageId==302034
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(302033)
+          where: equals("log.messageId", 302033)
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(302034)
+          where: equals("log.messageId", 302034)
       #......................................................................#
       # FTD-6-302303
       - grok:
@@ -2689,7 +2689,7 @@ pipeline:
             - fieldName: log.rest
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302303)
+          where: equals("log.messageId", 302303)
       # Protocol
       - grok:
           patterns:
@@ -2700,7 +2700,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(302303)
+          where: equals("log.messageId", 302303)
       # Cleaning fields
       - trim:
           function: suffix
@@ -2708,7 +2708,7 @@ pipeline:
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(302303)
+          where: equals("log.messageId", 302303)
       - trim:
           function: suffix
           substring: '/'
@@ -2717,20 +2717,20 @@ pipeline:
             - target.ip
             - log.mappedIpFrom
             - log.mappedIpTo
-          where: safe("log.messageId", 0.0) == double(302303)
+          where: equals("log.messageId", 302303)
       - trim:
           function: suffix
           substring: 'from'
           fields:
             - log.connectionId
-          where: safe("log.messageId", 0.0) == double(302303)
+          where: equals("log.messageId", 302303)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(302303)
+          where: equals("log.messageId", 302303)
       #......................................................................#
       # FTD-6-302304
       - grok:
@@ -2764,7 +2764,7 @@ pipeline:
             - fieldName: log.reason
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(302304)
+          where: equals("log.messageId", 302304)
       # Protocol
       - grok:
           patterns:
@@ -2775,7 +2775,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(302304)
+          where: equals("log.messageId", 302304)
       # Cleaning fields
       - trim:
           function: suffix
@@ -2783,27 +2783,27 @@ pipeline:
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(302304)
+          where: equals("log.messageId", 302304)
       - trim:
           function: suffix
           substring: '/'
           fields:
             - origin.ip
             - target.ip
-          where: safe("log.messageId", 0.0) == double(302304)
+          where: equals("log.messageId", 302304)
       - trim:
           function: suffix
           substring: 'from'
           fields:
             - log.connectionId
-          where: safe("log.messageId", 0.0) == double(302304)
+          where: equals("log.messageId", 302304)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(302304)
+          where: equals("log.messageId", 302304)
       #......................................................................#
       # FTD-6-305009
       - grok:
@@ -2823,7 +2823,7 @@ pipeline:
             - fieldName: log.mappedIpTo
               pattern: '{{.greedy}}' 
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(305009)
+          where: equals("log.messageId", 305009)
       # Parsing srcInterface
       # With ACL
       - grok:
@@ -2835,14 +2835,14 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpAclSrcInterface
-          where: safe("log.messageId", 0.0) == double(305009)
+          where: equals("log.messageId", 305009)
       # Without ACL
       - grok:
           patterns:
             - fieldName: log.srcInterface
               pattern: '{{.data}}:'
           source: log.tmpAclSrcInterface
-          where: safe("log.messageId", 0.0) == double(305009)
+          where: equals("log.messageId", 305009)
       # Parsing firewall user from
       - grok:
           patterns:
@@ -2853,7 +2853,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserFrom
-          where: safe("log.messageId", 0.0) == double(305009)
+          where: equals("log.messageId", 305009)
       # Removing tmp fields
       - delete:
           fields:
@@ -2866,20 +2866,20 @@ pipeline:
           fields:
             - log.firewallUserFrom
             - log.accessList
-          where: safe("log.messageId", 0.0) == double(305009)
+          where: equals("log.messageId", 305009)
       - trim:
           function: suffix
           substring: '('
           fields:
             - log.srcInterface
-          where: safe("log.messageId", 0.0) == double(305009)
+          where: equals("log.messageId", 305009)
       - trim:
           function: suffix
           substring: ':'
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(305009)
+          where: equals("log.messageId", 305009)
       #......................................................................#
       # FTD-6-305010
       - grok:
@@ -2903,7 +2903,7 @@ pipeline:
             - fieldName: log.duration
               pattern: '{{.time}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(305010)
+          where: equals("log.messageId", 305010)
       # Parsing firewall user from
       - grok:
           patterns:
@@ -2914,7 +2914,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserFrom
-          where: safe("log.messageId", 0.0) == double(305010)
+          where: equals("log.messageId", 305010)
       # Removing tmp fields
       - delete:
           fields:
@@ -2925,14 +2925,14 @@ pipeline:
           substring: ')'
           fields:
             - log.firewallUserFrom
-          where: safe("log.messageId", 0.0) == double(305010)
+          where: equals("log.messageId", 305010)
       - trim:
           function: suffix
           substring: ':'
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(305010)
+          where: equals("log.messageId", 305010)
       #......................................................................#
       # FTD-6-305011
       - grok:
@@ -2956,7 +2956,7 @@ pipeline:
             - fieldName: target.port
               pattern: '{{.integer}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(305011)
+          where: equals("log.messageId", 305011)
       # Parsing firewall user from
       - grok:
           patterns:
@@ -2967,7 +2967,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserFrom
-          where: safe("log.messageId", 0.0) == double(305011)
+          where: equals("log.messageId", 305011)
       # Parsing protocol
       - grok:
           patterns:
@@ -2978,19 +2978,19 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(305011)
+          where: equals("log.messageId", 305011)
       
       - trim:
           function: suffix
           substring: ')'
           fields:
             - log.firewallUserFrom
-          where: safe("log.messageId", 0.0) == double(305011)
+          where: equals("log.messageId", 305011)
       # Removing tmp fields
       - delete:
           fields:
             - log.tmpFwUserFrom
-          where: safe("log.messageId", 0.0) == double(305011)
+          where: equals("log.messageId", 305011)
 
       # Cleaning fields
       - trim:
@@ -2999,14 +2999,14 @@ pipeline:
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(305011)
+          where: equals("log.messageId", 305011)
       - trim:
           function: suffix
           substring: '/'
           fields:
             - origin.ip
             - target.ip
-          where: safe("log.messageId", 0.0) == double(305011)
+          where: equals("log.messageId", 305011)
       #......................................................................#
       # FTD-6-305012
       - grok:
@@ -3034,7 +3034,7 @@ pipeline:
             - fieldName: log.duration
               pattern: '{{.time}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(305012)
+          where: equals("log.messageId", 305012)
       # Parsing firewall user from
       - grok:
           patterns:
@@ -3045,7 +3045,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpFwUserFrom
-          where: safe("log.messageId", 0.0) == double(305012)
+          where: equals("log.messageId", 305012)
       # Parsing protocol
       - grok:
           patterns:
@@ -3056,7 +3056,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(305012)
+          where: equals("log.messageId", 305012)
       # Parsing srcInterface
       # With ACL
       - grok:
@@ -3068,14 +3068,14 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.tmpAclSrcInterface
-          where: safe("log.messageId", 0.0) == double(305012)
+          where: equals("log.messageId", 305012)
       # Without ACL
       - grok:
           patterns:
             - fieldName: log.srcInterface
               pattern: '{{.data}}:'
           source: log.tmpAclSrcInterface
-          where: safe("log.messageId", 0.0) == double(305012)
+          where: equals("log.messageId", 305012)
       # Parsing srcInterface from himself to avoid parsing issues
       - grok:
           patterns:
@@ -3084,7 +3084,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.srcInterface
-          where: safe("log.messageId", 0.0) == double(305012)
+          where: equals("log.messageId", 305012)
       
       - trim:
           function: suffix
@@ -3092,13 +3092,13 @@ pipeline:
           fields:
             - log.firewallUserFrom
             - log.accessList
-          where: safe("log.messageId", 0.0) == double(305012)
+          where: equals("log.messageId", 305012)
       # Removing tmp fields
       - delete:
           fields:
             - log.tmpFwUserFrom
             - log.tmpAclSrcInterface
-          where: safe("log.messageId", 0.0) == double(305012)
+          where: equals("log.messageId", 305012)
 
       # Cleaning fields
       - trim:
@@ -3107,20 +3107,20 @@ pipeline:
           fields:
             - log.srcInterface
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(305012)
+          where: equals("log.messageId", 305012)
       - trim:
           function: suffix
           substring: '('
           fields:
             - log.srcInterface
-          where: safe("log.messageId", 0.0) == double(305012)
+          where: equals("log.messageId", 305012)
       - trim:
           function: suffix
           substring: '/'
           fields:
             - origin.ip
             - target.ip
-          where: safe("log.messageId", 0.0) == double(305012)
+          where: equals("log.messageId", 305012)
       #......................................................................#
       # FTD-3-322001
       - grok:
@@ -3136,7 +3136,7 @@ pipeline:
             - fieldName: log.srcInterface
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(322001)
+          where: equals("log.messageId", 322001)
       # Action result
       - grok:
           patterns:
@@ -3145,20 +3145,20 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(322001)
+          where: equals("log.messageId", 322001)
       # Cleaning fields
       - trim:
           function: suffix
           substring: ','
           fields:
             - log.localMac
-          where: safe("log.messageId", 0.0) == double(322001)
+          where: equals("log.messageId", 322001)
       - trim:
           function: suffix
           substring: 'on'
           fields:
             - log.reason
-          where: safe("log.messageId", 0.0) == double(322001)
+          where: equals("log.messageId", 322001)
       #......................................................................#
       # FTD-3-322002
       - grok:
@@ -3192,7 +3192,7 @@ pipeline:
             - fieldName: log.boudSrcMac
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(322002)
+          where: equals("log.messageId", 322002)
       # Protocol
       - grok:
           patterns:
@@ -3201,26 +3201,26 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: 'inspection check'
           source: action
-          where: safe("log.messageId", 0.0) == double(322002)
+          where: equals("log.messageId", 322002)
       # Cleaning fields
       - trim:
           function: suffix
           substring: 'on'
           fields:
             - origin.mac
-          where: safe("log.messageId", 0.0) == double(322002)
+          where: equals("log.messageId", 322002)
       - trim:
           function: suffix
           substring: 'for'
           fields:
             - log.fakeSrcMac
-          where: safe("log.messageId", 0.0) == double(322002)
+          where: equals("log.messageId", 322002)
       - trim:
           function: suffix
           substring: '.'
           fields:
             - log.srcInterface
-          where: safe("log.messageId", 0.0) == double(322002)
+          where: equals("log.messageId", 322002)
       #......................................................................#
       # FTD-3-322003
       - grok:
@@ -3252,7 +3252,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(322003)
+          where: equals("log.messageId", 322003)
       # Protocol
       - grok:
           patterns:
@@ -3261,26 +3261,26 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: 'inspection check'
           source: action
-          where: safe("log.messageId", 0.0) == double(322003)
+          where: equals("log.messageId", 322003)
       # Cleaning fields
       - trim:
           function: suffix
           substring: 'on'
           fields:
             - origin.mac
-          where: safe("log.messageId", 0.0) == double(322003)
+          where: equals("log.messageId", 322003)
       - trim:
           function: suffix
           substring: 'for'
           fields:
             - log.fakeSrcMac
-          where: safe("log.messageId", 0.0) == double(322003)
+          where: equals("log.messageId", 322003)
       - trim:
           function: suffix
           substring: '.'
           fields:
             - log.srcInterface
-          where: safe("log.messageId", 0.0) == double(322003)
+          where: equals("log.messageId", 322003)
       #......................................................................#
       # FTD-4-402114
       - grok:
@@ -3308,7 +3308,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(402114)
+          where: equals("log.messageId", 402114)
       # Protocol
       - grok:
           patterns:
@@ -3319,27 +3319,27 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(402114)
+          where: equals("log.messageId", 402114)
       # Cleaning fields
       - trim:
           function: suffix
           substring: ','
           fields:
             - log.spi
-          where: safe("log.messageId", 0.0) == double(402114)
+          where: equals("log.messageId", 402114)
       - trim:
           function: suffix
           substring: ')'
           fields:
             - log.seqNum
-          where: safe("log.messageId", 0.0) == double(402114)
+          where: equals("log.messageId", 402114)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(402114)
+          where: equals("log.messageId", 402114)
       #......................................................................#
       # FTD-4-402115
       - grok:
@@ -3367,14 +3367,14 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(402115)
+          where: equals("log.messageId", 402115)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(402115)
+          where: equals("log.messageId", 402115)
       #......................................................................#
       # FTD-4-402116
       - grok:
@@ -3436,7 +3436,7 @@ pipeline:
             - fieldName: log.remoteProxyPort
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(402116)
+          where: equals("log.messageId", 402116)
       # Protocol
       - grok:
           patterns:
@@ -3447,21 +3447,21 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(402116)
+          where: equals("log.messageId", 402116)
       # Cleaning fields
       - trim:
           function: suffix
           substring: ','
           fields:
             - log.spi
-          where: safe("log.messageId", 0.0) == double(402116)
+          where: equals("log.messageId", 402116)
       - trim:
           function: suffix
           substring: ')'
           fields:
             - log.seqNum
             - origin.user
-          where: safe("log.messageId", 0.0) == double(402116)
+          where: equals("log.messageId", 402116)
       - trim:
           function: suffix
           substring: '/'
@@ -3473,27 +3473,27 @@ pipeline:
             - log.remoteProxyIpMask
             - log.remoteProxyPort
             - log.remoteProxyProto
-          where: safe("log.messageId", 0.0) == double(402116)
+          where: equals("log.messageId", 402116)
       - trim:
           function: suffix
           substring: ')'
           fields:
             - log.seqNum
             - origin.user
-          where: safe("log.messageId", 0.0) == double(402116)
+          where: equals("log.messageId", 402116)
       - trim:
           function: suffix
           substring: 'and'
           fields:
             - log.localProxyPort
-          where: safe("log.messageId", 0.0) == double(402116)
+          where: equals("log.messageId", 402116)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(402116)
+          where: equals("log.messageId", 402116)
       #......................................................................#
       # FTD-4-402117
       - grok:
@@ -3511,7 +3511,7 @@ pipeline:
             - fieldName: target.ip
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(402117)
+          where: equals("log.messageId", 402117)
       # Protocol
       - grok:
           patterns:
@@ -3522,14 +3522,14 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(402117)
+          where: equals("log.messageId", 402117)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(402117)
+          where: equals("log.messageId", 402117)
       #......................................................................#
       # FTD-4-402118
       - grok:
@@ -3567,7 +3567,7 @@ pipeline:
             - fieldName: log.fragmentOffset
               pattern: '{{.integer}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(402118)
+          where: equals("log.messageId", 402118)
       # Protocol
       - grok:
           patterns:
@@ -3578,7 +3578,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(402118)
+          where: equals("log.messageId", 402118)
       # Cleaning fields
       - trim:
           function: suffix
@@ -3586,20 +3586,20 @@ pipeline:
           fields:
             - log.seqNum
             - origin.user
-          where: safe("log.messageId", 0.0) == double(402118)
+          where: equals("log.messageId", 402118)
       - trim:
           function: suffix
           substring: ','
           fields:
             - log.spi
-          where: safe("log.messageId", 0.0) == double(402118)
+          where: equals("log.messageId", 402118)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(402118)
+          where: equals("log.messageId", 402118)
       #......................................................................#
       # FTD-4-402119, 402120
       - grok:
@@ -3631,7 +3631,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(402119) || log.messageId==402120
+          where: equals("log.messageId", 402119) || log.messageId==402120
       # Protocol
       - grok:
           patterns:
@@ -3642,7 +3642,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(402119) || log.messageId==402120
+          where: equals("log.messageId", 402119) || log.messageId==402120
       # Cleaning fields
       - trim:
           function: suffix
@@ -3650,20 +3650,20 @@ pipeline:
           fields:
             - log.seqNum
             - origin.user
-          where: safe("log.messageId", 0.0) == double(402119) || log.messageId==402120
+          where: equals("log.messageId", 402119) || log.messageId==402120
       - trim:
           function: suffix
           substring: ','
           fields:
             - log.spi
-          where: safe("log.messageId", 0.0) == double(402119) || log.messageId==402120
+          where: equals("log.messageId", 402119) || log.messageId==402120
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(402119) || log.messageId==402120
+          where: equals("log.messageId", 402119) || log.messageId==402120
       #......................................................................#
       # FTD-5-402128
       - grok:
@@ -3683,7 +3683,7 @@ pipeline:
             - fieldName: log.memoryLimit
               pattern: '{{.integer}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(402128)
+          where: equals("log.messageId", 402128)
       #......................................................................#
       # FTD-4-405001
       - grok:
@@ -3707,14 +3707,14 @@ pipeline:
             - fieldName: target.mac
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(405001)
+          where: equals("log.messageId", 405001)
       # Adding protocol
       - add:
           function: 'string'
           params:
             key: protocol
             value: 'ARP'
-          where: safe("log.messageId", 0.0) == double(405001)
+          where: equals("log.messageId", 405001)
       # Cleaning fields
       - trim:
           function: suffix
@@ -3722,19 +3722,19 @@ pipeline:
           fields:
             - origin.ip
             - target.ip
-          where: safe("log.messageId", 0.0) == double(405001)
+          where: equals("log.messageId", 405001)
       - trim:
           function: suffix
           substring: 'on'
           fields:
             - origin.mac
-          where: safe("log.messageId", 0.0) == double(405001)
+          where: equals("log.messageId", 405001)
       - trim:
           function: suffix
           substring: 'with'
           fields:
             - log.srcInterface
-          where: safe("log.messageId", 0.0) == double(405001)
+          where: equals("log.messageId", 405001)
       #......................................................................#
       # FTD-4-405002
       - grok:
@@ -3750,20 +3750,20 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(405002)
+          where: equals("log.messageId", 405002)
       # Cleaning fields
       - trim:
           function: suffix
           substring: 'for'
           fields:
             - origin.mac
-          where: safe("log.messageId", 0.0) == double(405002)
+          where: equals("log.messageId", 405002)
       - trim:
           function: suffix
           substring: '/'
           fields:
             - origin.ip
-          where: safe("log.messageId", 0.0) == double(405002)
+          where: equals("log.messageId", 405002)
       #......................................................................#
       # FTD-4-406001
       - grok:
@@ -3783,27 +3783,27 @@ pipeline:
             - fieldName: log.srcInterface
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(406001)
+          where: equals("log.messageId", 406001)
       # Adding protocol
       - add:
           function: 'string'
           params:
             key: protocol
             value: 'FTP'
-          where: safe("log.messageId", 0.0) == double(406001)
+          where: equals("log.messageId", 406001)
       # Cleaning fields
       - trim:
           function: suffix
           substring: ':'
           fields:
             - action
-          where: safe("log.messageId", 0.0) == double(406001)
+          where: equals("log.messageId", 406001)
       - trim:
           function: suffix
           substring: '/'
           fields:
             - origin.ip
-          where: safe("log.messageId", 0.0) == double(406001)
+          where: equals("log.messageId", 406001)
       #......................................................................#
       # FTD-4-406002
       - grok:
@@ -3827,21 +3827,21 @@ pipeline:
             - fieldName: log.srcInterface
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(406002)
+          where: equals("log.messageId", 406002)
       # Adding protocol
       - add:
           function: 'string'
           params:
             key: protocol
             value: 'FTP'
-          where: safe("log.messageId", 0.0) == double(406002)
+          where: equals("log.messageId", 406002)
       # Cleaning fields
       - trim:
           function: suffix
           substring: ':'
           fields:
             - action
-          where: safe("log.messageId", 0.0) == double(406002)
+          where: equals("log.messageId", 406002)
       #......................................................................#
       # FTD-4-407002
       - grok:
@@ -3871,7 +3871,7 @@ pipeline:
             - fieldName: log.srcInterface
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(407002)
+          where: equals("log.messageId", 407002)
       # Connection number and connection limit
       - grok:
           patterns:
@@ -3886,7 +3886,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(407002)
+          where: equals("log.messageId", 407002)
       # Cleaning fields
       - trim:
           function: suffix
@@ -3894,7 +3894,7 @@ pipeline:
           fields:
             - origin.ip
             - target.ip
-          where: safe("log.messageId", 0.0) == double(407002)
+          where: equals("log.messageId", 407002)
       #......................................................................#
       # FTD-6-605004
       - grok:
@@ -3920,7 +3920,7 @@ pipeline:
             - fieldName: origin.user
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(605004)
+          where: equals("log.messageId", 605004)
       # Action result
       - grok:
           patterns:
@@ -3929,13 +3929,13 @@ pipeline:
             - fieldName: log.ciscoResult
               pattern: '{{.word}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(605004)
+          where: equals("log.messageId", 605004)
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(605004)
+          where: equals("log.messageId", 605004)
       # Cleaning fields
       - trim:
           function: suffix
@@ -3943,31 +3943,31 @@ pipeline:
           fields:
             - origin.ip
             - target.ip
-          where: safe("log.messageId", 0.0) == double(605004)
+          where: equals("log.messageId", 605004)
       - trim:
           function: suffix
           substring: 'for'
           fields:
             - log.service
-          where: safe("log.messageId", 0.0) == double(605004)
+          where: equals("log.messageId", 605004)
       - trim:
           function: suffix
           substring: ':'
           fields:
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(605004)
+          where: equals("log.messageId", 605004)
       - trim:
           function: prefix
           substring: '"'
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(605004)
+          where: equals("log.messageId", 605004)
       - trim:
           function: suffix
           substring: '"'
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(605004)
+          where: equals("log.messageId", 605004)
       #......................................................................#
       # FTD-2-106018
       - grok:
@@ -3995,28 +3995,28 @@ pipeline:
             - fieldName: target.ip
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(106018)
+          where: equals("log.messageId", 106018)
       # Adding protocol
       - add:
           function: 'string'
           params:
             key: protocol
             value: 'ICMP'
-          where: safe("log.messageId", 0.0) == double(106018)
+          where: equals("log.messageId", 106018)
       # Cleaning fields
       - trim:
           function: suffix
           substring: 'src'
           fields:
             - log.accessList
-          where: safe("log.messageId", 0.0) == double(106018)
+          where: equals("log.messageId", 106018)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(106018)
+          where: equals("log.messageId", 106018)
       #......................................................................#
       # FTD-2-106020
       - grok:
@@ -4040,21 +4040,21 @@ pipeline:
             - fieldName: target.ip
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(106020)
+          where: equals("log.messageId", 106020)
       # Adding log.ciscoResult
       - add:
           function: 'string'
           params:
             key: log.ciscoResult
             value: 'Denied'
-          where: safe("log.messageId", 0.0) == double(106020)
+          where: equals("log.messageId", 106020)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(106020)
+          where: equals("log.messageId", 106020)
       #......................................................................#
       # FTD-6-611301
       - grok:
@@ -4068,14 +4068,14 @@ pipeline:
             - fieldName: log.mappedIp
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(611301)
+          where: equals("log.messageId", 611301)
       # Adding protocol
       - add:
           function: 'string'
           params:
             key: protocol
             value: 'NAT'
-          where: safe("log.messageId", 0.0) == double(611301)
+          where: equals("log.messageId", 611301)
       #......................................................................#
       # FTD-6-611303
       - grok:
@@ -4099,14 +4099,14 @@ pipeline:
             - fieldName: log.netmaskTo
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(611303)
+          where: equals("log.messageId", 611303)
       # Adding protocol
       - add:
           function: 'string'
           params:
             key: protocol
             value: 'NAT'
-          where: safe("log.messageId", 0.0) == double(611303)
+          where: equals("log.messageId", 611303)
       # Cleaning fields
       - trim:
           function: suffix
@@ -4114,7 +4114,7 @@ pipeline:
           fields:
             - origin.ip
             - target.ip
-          where: safe("log.messageId", 0.0) == double(611303)
+          where: equals("log.messageId", 611303)
       #......................................................................#
       # FTD-6-611304
       - grok:
@@ -4134,14 +4134,14 @@ pipeline:
             - fieldName: log.netmaskTo
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(611304)
+          where: equals("log.messageId", 611304)
       # Adding protocol
       - add:
           function: 'string'
           params:
             key: protocol
             value: 'NAT'
-          where: safe("log.messageId", 0.0) == double(611304)
+          where: equals("log.messageId", 611304)
       # Cleaning fields
       - trim:
           function: suffix
@@ -4149,7 +4149,7 @@ pipeline:
           fields:
             - origin.ip
             - target.ip
-          where: safe("log.messageId", 0.0) == double(611304)
+          where: equals("log.messageId", 611304)
       #......................................................................#
       # FTD-6-611307
       - grok:
@@ -4159,21 +4159,21 @@ pipeline:
             - fieldName: target.ip
               pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(611307)
+          where: equals("log.messageId", 611307)
       # Adding action and log.ciscoResult
       - add:
           function: 'string'
           params:
             key: action
             value: 'The VPN client is connected to the specified headend'
-          where: safe("log.messageId", 0.0) == double(611307)
+          where: equals("log.messageId", 611307)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(611307)
+          where: equals("log.messageId", 611307)
       #......................................................................#
       # FTD-6-611309
       - grok:
@@ -4187,14 +4187,14 @@ pipeline:
             - fieldName: origin.ip
               pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(611309)
+          where: equals("log.messageId", 611309)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(611309)
+          where: equals("log.messageId", 611309)
       #......................................................................#
       # FTD-6-611310,611311
       - grok:
@@ -4210,20 +4210,20 @@ pipeline:
             - fieldName: target.ip
               pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(611310) || log.messageId==611311
+          where: equals("log.messageId", 611310) || log.messageId==611311
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(611310)
+          where: equals("log.messageId", 611310)
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(611311)
+          where: equals("log.messageId", 611311)
       #......................................................................#
       # FTD-6-611314
       - grok:
@@ -4237,21 +4237,21 @@ pipeline:
             - fieldName: target.ip
               pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(611314)
+          where: equals("log.messageId", 611314)
       # Adding action
       - add:
           function: 'string'
           params:
             key: action
             value: 'Load Balancing Cluster redirected the Secure Firewall'
-          where: safe("log.messageId", 0.0) == double(611314)
+          where: equals("log.messageId", 611314)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(611314)
+          where: equals("log.messageId", 611314)
       #......................................................................#
       # FTD-6-611315
       - grok:
@@ -4261,21 +4261,21 @@ pipeline:
             - fieldName: origin.ip
               pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(611315)
+          where: equals("log.messageId", 611315)
       # Adding action
       - add:
           function: 'string'
           params:
             key: action
             value: 'Disconnecting from Load Balancing Cluster'
-          where: safe("log.messageId", 0.0) == double(611315)
+          where: equals("log.messageId", 611315)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(611315)
+          where: equals("log.messageId", 611315)
       #......................................................................#
       # FTD-6-611318
       - grok:
@@ -4297,7 +4297,7 @@ pipeline:
             - fieldName: log.timeOut
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(611318)
+          where: equals("log.messageId", 611318)
       #......................................................................#
       # FTD-3-710003
       - grok:
@@ -4319,7 +4319,7 @@ pipeline:
             - fieldName: target.port
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(710003)
+          where: equals("log.messageId", 710003)
       # Protocol and log.ciscoResult
       - grok:
           patterns:
@@ -4332,7 +4332,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(710003)
+          where: equals("log.messageId", 710003)
       # Cleaning fields
       - trim:
           function: suffix
@@ -4340,20 +4340,20 @@ pipeline:
           fields:
             - origin.ip
             - target.ip
-          where: safe("log.messageId", 0.0) == double(710003)
+          where: equals("log.messageId", 710003)
       - trim:
           function: suffix
           substring: ':'
           fields:
             - log.dstInterface
-          where: safe("log.messageId", 0.0) == double(710003)
+          where: equals("log.messageId", 710003)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(710003)
+          where: equals("log.messageId", 710003)
       #......................................................................#
       # FTD-5-713252,713253
       - grok:
@@ -4375,7 +4375,7 @@ pipeline:
             - fieldName: action
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(713252) || safe("log.messageId", 0.0)==double(713253)
+          where: equals("log.messageId", 713252) || equals("log.messageId", 713253)
       # Cleaning fields
       - trim:
           function: suffix
@@ -4384,32 +4384,32 @@ pipeline:
             - origin.group
             - origin.user
             - origin.ip
-          where: safe("log.messageId", 0.0) == double(713252) || safe("log.messageId", 0.0)==double(713253)
+          where: equals("log.messageId", 713252) || equals("log.messageId", 713253)
       - trim:
           function: prefix
           substring: ''''
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(713252) || safe("log.messageId", 0.0)==double(713253)
+          where: equals("log.messageId", 713252) || equals("log.messageId", 713253)
       - trim:
           function: suffix
           substring: ''''
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(713252) || safe("log.messageId", 0.0)==double(713253)
+          where: equals("log.messageId", 713252) || equals("log.messageId", 713253)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(713252)
+          where: equals("log.messageId", 713252)
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(713253)
+          where: equals("log.messageId", 713253)
       #......................................................................#
       # FTD-6-716001,716002,716003
       - grok:
@@ -4425,20 +4425,20 @@ pipeline:
             - fieldName: action
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(716001) || log.messageId==716002 || log.messageId==716003
+          where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003
       # Cleaning fields
       - trim:
           function: suffix
           substring: 'User'
           fields:
             - origin.group
-          where: safe("log.messageId", 0.0) == double(716001) || log.messageId==716002 || log.messageId==716003
+          where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003
       - trim:
           function: suffix
           substring: 'IP'
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(716001) || log.messageId==716002 || log.messageId==716003
+          where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003
       - trim:
           function: prefix
           substring: '<'
@@ -4446,7 +4446,7 @@ pipeline:
             - origin.group
             - origin.user
             - origin.ip
-          where: safe("log.messageId", 0.0) == double(716001) || log.messageId==716002 || log.messageId==716003
+          where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003
       - trim:
           function: suffix
           substring: '>'
@@ -4454,26 +4454,26 @@ pipeline:
             - origin.group
             - origin.user
             - origin.ip
-          where: safe("log.messageId", 0.0) == double(716001) || log.messageId==716002 || log.messageId==716003
+          where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003
       - trim:
           function: prefix
           substring: ''''
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(716001) || log.messageId==716002 || log.messageId==716003
+          where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003
       - trim:
           function: suffix
           substring: ''''
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(716001) || log.messageId==716002 || log.messageId==716003
+          where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(716001) || log.messageId==716002
+          where: equals("log.messageId", 716001) || log.messageId==716002
       #......................................................................#
       # FTD-6-716004,716005,716006,716007,716009
       - grok:
@@ -4487,53 +4487,53 @@ pipeline:
             - fieldName: action
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+          where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
       # Cleaning fields
       - trim:
           function: suffix
           substring: 'User'
           fields:
             - origin.group
-          where: safe("log.messageId", 0.0) == double(716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+          where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
       - trim:
           function: prefix
           substring: '<'
           fields:
             - origin.group
             - origin.user
-          where: safe("log.messageId", 0.0) == double(716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+          where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
       - trim:
           function: suffix
           substring: '>'
           fields:
             - origin.group
             - origin.user
-          where: safe("log.messageId", 0.0) == double(716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+          where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
       - trim:
           function: prefix
           substring: ''''
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+          where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
       - trim:
           function: suffix
           substring: ''''
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+          where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(716004) || log.messageId==716007 || log.messageId==716009
+          where: equals("log.messageId", 716004) || log.messageId==716007 || log.messageId==716009
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(716006)
+          where: equals("log.messageId", 716006)
       #......................................................................#
       # FTD-6-716038
       - grok:
@@ -4551,27 +4551,27 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(716038)
+          where: equals("log.messageId", 716038)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(716038)
+          where: equals("log.messageId", 716038)
       # Cleaning fields
       - trim:
           function: suffix
           substring: 'User'
           fields:
             - origin.group
-          where: safe("log.messageId", 0.0) == double(716038)
+          where: equals("log.messageId", 716038)
       - trim:
           function: suffix
           substring: 'IP'
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(716038)
+          where: equals("log.messageId", 716038)
       - trim:
           function: prefix
           substring: '<'
@@ -4579,7 +4579,7 @@ pipeline:
             - origin.group
             - origin.user
             - origin.ip
-          where: safe("log.messageId", 0.0) == double(716038)
+          where: equals("log.messageId", 716038)
       - trim:
           function: suffix
           substring: '>'
@@ -4587,25 +4587,25 @@ pipeline:
             - origin.group
             - origin.user
             - origin.ip
-          where: safe("log.messageId", 0.0) == double(716038)
+          where: equals("log.messageId", 716038)
       - trim:
           function: prefix
           substring: ''''
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(716038)
+          where: equals("log.messageId", 716038)
       - trim:
           function: suffix
           substring: ''''
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(716038)
+          where: equals("log.messageId", 716038)
       - trim:
           function: suffix
           substring: ','
           fields:
             - action
-          where: safe("log.messageId", 0.0) == double(716038)
+          where: equals("log.messageId", 716038)
       #......................................................................#
       # FTD-6-716039
       - grok:
@@ -4623,14 +4623,14 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(716039)
+          where: equals("log.messageId", 716039)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(716039)
+          where: equals("log.messageId", 716039)
       # Cleaning fields
       - trim:
           function: suffix
@@ -4638,13 +4638,13 @@ pipeline:
           fields:
             - action
             - origin.user
-          where: safe("log.messageId", 0.0) == double(716039)
+          where: equals("log.messageId", 716039)
       - trim:
           function: suffix
           substring: 'user'
           fields:
             - origin.group
-          where: safe("log.messageId", 0.0) == double(716039)
+          where: equals("log.messageId", 716039)
       #......................................................................#
       # FTD-6-719017,719019,719020,719021,719022,719023
       - grok:
@@ -4656,7 +4656,7 @@ pipeline:
             - fieldName: action
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(719017) || (log.messageId>=719019 && log.messageId<=719023)
+          where: equals("log.messageId", 719017) || (log.messageId>=719019 && log.messageId<=719023)
       # Adding log.ciscoResult and modifying some actions
       # Adding action result
       - add:
@@ -4664,44 +4664,44 @@ pipeline:
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(719019) || log.messageId==719023
+          where: equals("log.messageId", 719019) || log.messageId==719023
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(719020) || log.messageId==719022
+          where: equals("log.messageId", 719020) || log.messageId==719022
       - add:
           function: 'string'
           params:
             key: action
             value: 'WebVPN user is not checked against ACL'
-          where: safe("log.messageId", 0.0) == double(719021)
+          where: equals("log.messageId", 719021)
       - add:
           function: 'string'
           params:
             key: action
             value: 'WebVPN user has been authenticated'
-          where: safe("log.messageId", 0.0) == double(719022)
+          where: equals("log.messageId", 719022)
       - add:
           function: 'string'
           params:
             key: action
             value: 'WebVPN user has not been authenticated'
-          where: safe("log.messageId", 0.0) == double(719023)
+          where: equals("log.messageId", 719023)
       # Cleaning fields
       - trim:
           function: prefix
           substring: ''''
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(719017) || (log.messageId>=719019 && log.messageId<=719023)
+          where: equals("log.messageId", 719017) || (log.messageId>=719019 && log.messageId<=719023)
       - trim:
           function: suffix
           substring: ''''
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(719017) || (log.messageId>=719019 && log.messageId<=719023)
+          where: equals("log.messageId", 719017) || (log.messageId>=719019 && log.messageId<=719023)
       #......................................................................#
       # FTD-6-719018
       - grok:
@@ -4717,20 +4717,20 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(719018)
+          where: equals("log.messageId", 719018)
       # Cleaning fields
       - trim:
           function: suffix
           substring: ''''
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(719018)
+          where: equals("log.messageId", 719018)
       - trim:
           function: suffix
           substring: 'not'
           fields:
             - log.accessList
-          where: safe("log.messageId", 0.0) == double(719018)
+          where: equals("log.messageId", 719018)
       #......................................................................#
       # FTD-6-719024
       - grok:
@@ -4750,27 +4750,27 @@ pipeline:
             - fieldName: origin.ip
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(719024)
+          where: equals("log.messageId", 719024)
       # Cleaning fields
       - trim:
           function: suffix
           substring: 'user'
           fields:
             - log.sessionPointer
-          where: safe("log.messageId", 0.0) == double(719024)
+          where: equals("log.messageId", 719024)
       - trim:
           function: suffix
           substring: 'addr'
           fields:
             - origin.user
-          where: safe("log.messageId", 0.0) == double(719024)
+          where: equals("log.messageId", 719024)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.messageId", 0.0) == double(719024)
+          where: equals("log.messageId", 719024)
       #......................................................................#
       # FTD-7-609002
       - grok:
@@ -4788,21 +4788,21 @@ pipeline:
             - fieldName: log.duration
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(609002)
+          where: equals("log.messageId", 609002)
       # Cleaning fields
       - trim:
           function: suffix
           substring: '/'
           fields:
             - log.zoneName
-          where: safe("log.messageId", 0.0) == double(609002)
+          where: equals("log.messageId", 609002)
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(609002)
+          where: equals("log.messageId", 609002)
       #......................................................................#
       # FTD-6-611305
       - grok:
@@ -4828,7 +4828,7 @@ pipeline:
             - fieldName: log.secondaryWins
               pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(611305)
+          where: equals("log.messageId", 611305)
       #......................................................................#
       # FTD-4-733100
       - grok:
@@ -4856,7 +4856,7 @@ pipeline:
             - fieldName: log.cumulativeTotalCount
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(733100)
+          where: equals("log.messageId", 733100)
       # Cleaning cumulative total count
       - grok:
           patterns:
@@ -4865,7 +4865,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.cumulativeTotalCount
-          where: safe("log.messageId", 0.0) == double(733100)
+          where: equals("log.messageId", 733100)
       # Parsing drop source object
       - grok:
           patterns:
@@ -4874,26 +4874,26 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(733100)
+          where: equals("log.messageId", 733100)
       # Cleaning fields
       - trim:
           function: suffix
           substring: 'drop'
           fields:
             - log.dropSourceObject
-          where: safe("log.messageId", 0.0) == double(733100)
+          where: equals("log.messageId", 733100)
       - trim:
           function: suffix
           substring: ']'
           fields:
             - log.dropSourceObject
-          where: safe("log.messageId", 0.0) == double(733100)
+          where: equals("log.messageId", 733100)
       - trim:
           function: prefix
           substring: '['
           fields:
             - log.dropSourceObject
-          where: safe("log.messageId", 0.0) == double(733100)
+          where: equals("log.messageId", 733100)
       #......................................................................#
       # FTD-4-733101
       - grok:
@@ -4921,7 +4921,7 @@ pipeline:
             - fieldName: log.cumulativeTotalCount
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(733101)
+          where: equals("log.messageId", 733101)
       # Cleaning cumulative total count
       - grok:
           patterns:
@@ -4930,7 +4930,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.cumulativeTotalCount
-          where: safe("log.messageId", 0.0) == double(733101)
+          where: equals("log.messageId", 733101)
       # Parsing drop source object
       - grok:
           patterns:
@@ -4941,25 +4941,25 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.messageId", 0.0) == double(733101)
+          where: equals("log.messageId", 733101)
       # Renaming from or to ip, according to -> if (targeted|attacking)
       - rename:
           from:
             - log.tmpIp
           to: origin.ip
-          where: safe("log.messageId", 0.0) == double(733101) && action.contains("attacking")
+          where: equals("log.messageId", 733101) && action.contains("attacking")
       - rename:
           from:
             - log.tmpIp
           to: target.ip
-          where: safe("log.messageId", 0.0) == double(733101) && action.contains("targeted")
+          where: equals("log.messageId", 733101) && action.contains("targeted")
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.messageId", 0.0) == double(733101)
+          where: equals("log.messageId", 733101)
       #......................................................................#
       # FTD-4-733102, 733103
       - grok:
@@ -4971,20 +4971,20 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.messageId", 0.0) == double(733102) || log.messageId==733103
+          where: equals("log.messageId", 733102) || log.messageId==733103
       # Adding action
       - add:
           function: 'string'
           params:
             key: action
             value: 'Threat-detection add host to shun list'
-          where: (safe("log.messageId", 0.0)==733102 || log.messageId==733103) && log.msg.contains("add")
+          where: (equals("log.messageId", 733102) || log.messageId==733103) && log.msg.contains("add")
       - add:
           function: 'string'
           params:
             key: action
             value: 'Threat-detection removes host to shun list'
-          where: (safe("log.messageId", 0.0)==733102 || log.messageId==733103) && log.msg.contains("removes")
+          where: (equals("log.messageId", 733102) || log.messageId==733103) && log.msg.contains("removes")
       #......................................................................#
       # Decoding severity
       - add:
diff --git a/filters/cisco/meraki.yml b/filters/cisco/meraki.yml
index d019b25a4..adc643285 100644
--- a/filters/cisco/meraki.yml
+++ b/filters/cisco/meraki.yml
@@ -30,17 +30,17 @@ pipeline:
             - fieldName: log.msg
               pattern: '{{.greedy}}'
           source: raw
-      # Adding control safe("log.controlFlag", "") field (Used to know if the message don't contains the header INT.INT mx_type mx_group)
+      # Adding control log.controlFlag field (Used to know if the message don't contains the header INT.INT mx_type mx_group)
       - add:
           function: 'string'
           params:
-            key: safe("log.controlFlag", "")
+            key: log.controlFlag
             value: 'Init'
       # Begin message parsing
       # First extract the generic message, then parse it
       - grok:
           patterns:
-            - fieldName: safe("log.controlFlag", "")
+            - fieldName: log.controlFlag
               pattern: '{{.data}}(\s)(events|flows|urls|ids-alerts|security_event)'
             - fieldName: log.genericEvent
               pattern: '{{.greedy}}'
@@ -61,8 +61,8 @@ pipeline:
               pattern: '{{.data}}\s'
             - fieldName: log.merakiGroup
               pattern: '{{.greedy}}'
-          source: safe("log.controlFlag", "")
-          where: safe("log.controlFlag", "") != "Init"
+          source: log.controlFlag
+          where: '!equals("log.controlFlag", "Init")'
       - grok:
           patterns:
             - fieldName: log.msgEventTime
@@ -71,8 +71,8 @@ pipeline:
               pattern: '{{.data}}\s'
             - fieldName: log.merakiGroup
               pattern: '{{.greedy}}'
-          source: safe("log.controlFlag", "")
-          where: safe("log.controlFlag", "") != "Init"
+          source: log.controlFlag
+          where: '!equals("log.controlFlag", "Init")'
       # ........................................
       # event vpn connectivity change
       - grok:
@@ -100,21 +100,21 @@ pipeline:
             - fieldName: log.connectivity
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "") != "Init"
+          where: '!equals("log.controlFlag", "Init")'
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.connectivity", "") == "true"
+          where: equals("log.connectivity", "true")
       # ........................................
       # event uplink connectivity change
       - rename:
           from:
             - log.genericEvent
           to: action
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").contains("failover to")
+          where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "failover to")'
       # ........................................
       # event uplink connectivity change
       # Event: urls, HTTP GET requests in MR Access Points
@@ -122,7 +122,7 @@ pipeline:
           from:
             - log.genericEvent
           to: action
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").contains("Cellular connection")
+          where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "Cellular connection")'
       - grok:
           patterns:
             - fieldName: action
@@ -158,7 +158,7 @@ pipeline:
             - fieldName: target.url
               pattern: '{{.greedy}}'
           source: action
-          where: safe("log.controlFlag", "")!="Init" && safe("action", "").contains("Cellular connection")
+          where: '!equals("log.controlFlag", "Init") && contains("action", "Cellular connection")'
       - grok:
           patterns:
             - fieldName: action
@@ -166,14 +166,14 @@ pipeline:
             - fieldName: log.connectionState
               pattern: '(up|Up|down|Down)'
           source: action
-          where: safe("log.controlFlag", "")!="Init" && safe("action", "").contains("Cellular connection")
+          where: '!equals("log.controlFlag", "Init") && contains("action", "Cellular connection")'
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.connectionState", "") == "up" || safe("log.connectionState", "") == "Up"
+          where: equalsIgnoreCase("log.connectionState", "up")
       # ........................................
       # Event: event, dhcp no offers
       - grok:
@@ -187,13 +187,13 @@ pipeline:
             - fieldName: origin.ip
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").contains("dhcp no offers")
+          where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp no offers")'
       - trim:
           function: suffix
           substring: 'for mac'
           fields:
             - action
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").contains("dhcp no offers")
+          where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp no offers")'
       # ........................................
       # Event: event, dhcp lease
       - grok:
@@ -227,20 +227,20 @@ pipeline:
             - fieldName: log.dns1
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").contains("dhcp lease")
+          where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp lease")'
       - trim:
           function: suffix
           substring: 'of ip'
           fields:
             - action
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").contains("dhcp lease")
+          where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp lease")'
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.genericEvent", "").contains("dhcp lease")
+          where: contains("log.genericEvent", "dhcp lease")
       # ........................................
       # Event: event, HTTP GET requests in Meraki MX Security Appliance
       - grok:
@@ -268,14 +268,14 @@ pipeline:
             - fieldName: target.url
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("src") && log.merakiGroup=="urls"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="urls"'
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("src") && log.merakiGroup=="urls"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="urls"'
       # ........................................
       # Event: flows, IP session initiated in Meraki MX Security Appliance
       # First variant
@@ -310,7 +310,7 @@ pipeline:
             - fieldName: log.pattern
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("src") && log.merakiGroup=="flows"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows"'
       # Second variant
       - grok:
           patterns:
@@ -339,20 +339,20 @@ pipeline:
             - fieldName: log.pattern
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("src") && log.merakiGroup=="flows"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows"'
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("src") && log.merakiGroup=="flows" && (log.pattern.startsWith("0") || log.pattern.startsWith("allow") || log.pattern.startsWith("Allow"))
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows" && (log.pattern.startsWith("0") || log.pattern.startsWith("allow") || log.pattern.startsWith("Allow"))'
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("src") && log.merakiGroup=="flows" && (log.pattern.startsWith("deny") || log.pattern.startsWith("Deny"))
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows" && (log.pattern.startsWith("deny") || log.pattern.startsWith("Deny"))'
       # ........................................
       # Event: ids-alerts, ids signature matched in Meraki MX Security Appliance
       - grok:
@@ -384,13 +384,13 @@ pipeline:
             - fieldName: origin.port
               pattern: '{{.integer}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("signature") && log.merakiGroup=="ids-alerts"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "signature") && log.merakiGroup=="ids-alerts"'
       - trim:
           function: suffix
           substring: 'priority'
           fields:
             - log.signature
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("signature") && log.merakiGroup=="ids-alerts"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "signature") && log.merakiGroup=="ids-alerts"'
       # ........................................
       # Event: event IPsec-SA request queued due to no phase 1 found, phase2 negotiation failed, initiate new phase 1 negotiation, 
       # ISAKMP-SA established, initiate new phase 2 negotiation, IPsec-SA established, ISAKMP-SA established, and ISAKMP-SA deleted 
@@ -416,7 +416,7 @@ pipeline:
             - fieldName: log.spi
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Site") && log.merakiGroup=="events"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
       # Second variant
       - grok:
           patterns:
@@ -427,7 +427,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Site") && log.merakiGroup=="events"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
       # Third variant
       - grok:
           patterns:
@@ -446,7 +446,7 @@ pipeline:
             - fieldName: target.port
               pattern: '\[(\s)?{{.integer}}(\s)?\]'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Site") && log.merakiGroup=="events"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
       # Fourth variant
       - grok:
           patterns:
@@ -463,7 +463,7 @@ pipeline:
             - fieldName: target.port
               pattern: '\[(\s)?{{.integer}}(\s)?\]'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Site") && log.merakiGroup=="events"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
       # Fifth variant
       - grok:
           patterns:
@@ -484,28 +484,28 @@ pipeline:
             - fieldName: log.spi
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Site") && log.merakiGroup=="events"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
       - trim:
           function: prefix
           substring: '['
           fields:
             - origin.port
             - target.port
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Site") && log.merakiGroup=="events"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
       - trim:
           function: suffix
           substring: ']'
           fields:
             - origin.port
             - target.port
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Site") && log.merakiGroup=="events"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Site") && log.merakiGroup=="events" && (safe("log.genericEvent", "").contains("queued due to no phase 1") || safe("log.genericEvent", "").contains("queued due to no phase1") || || safe("log.genericEvent", "").contains("established"))
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events" && (contains("log.genericEvent", "queued due to no phase 1") || contains("log.genericEvent", "queued due to no phase1") || || contains("log.genericEvent", "established"))'
       # ........................................
       # Event: event spanning-tree guard state change in Meraki MS Switches
       - grok:
@@ -527,26 +527,26 @@ pipeline:
             - fieldName: actionResult
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Port") && log.merakiGroup=="events"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events"'
       - trim:
           function: suffix
           substring: 'BPDU'
           fields:
             - protocol
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Port") && log.merakiGroup=="events"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events"'
       - trim:
           function: suffix
           substring: 'so'
           fields:
             - origin.mac
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Port") && log.merakiGroup=="events"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events"'
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Port") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("blocked")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events" && contains("log.genericEvent", "blocked")'
       # ........................................
       # Event: event blocked DHCP server response in Meraki MS Switches
       - grok:
@@ -564,19 +564,19 @@ pipeline:
             - fieldName: log.vlan
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Blocked") && log.merakiGroup=="events"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Blocked") && log.merakiGroup=="events"'
       - trim:
           function: suffix
           substring: 'server'
           fields:
             - protocol
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Blocked") && log.merakiGroup=="events"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Blocked") && log.merakiGroup=="events"'
       - trim:
           function: suffix
           substring: 'on'
           fields:
             - origin.mac
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("Blocked") && log.merakiGroup=="events"
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Blocked") && log.merakiGroup=="events"'
       # ........................................
       # Event: event 802.1X (all events) in Meraki MS Switches
       - grok:
@@ -594,27 +594,27 @@ pipeline:
             - fieldName: log.identity
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("identity") && safe("log.genericEvent", "").contains("port")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")'
       - trim:
           function: suffix
           substring: 'port'
           fields:
             - action
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("identity") && safe("log.genericEvent", "").contains("port")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")'
       - trim:
           function: prefix
           substring: ''''
           fields:
             - origin.port
             - log.identity
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("identity") && safe("log.genericEvent", "").contains("port")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")'
       - trim:
           function: suffix
           substring: ''''
           fields:
             - origin.port
             - log.identity
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("identity") && safe("log.genericEvent", "").contains("port")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")'
       # ........................................
       # Event: event 802.11 disassociation in Meraki MR Access Points
       - grok:
@@ -696,115 +696,115 @@ pipeline:
             - fieldName: log.aid
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'radio'
           fields:
             - action
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'vap'
           fields:
             - log.radio
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'channel'
           fields:
             - log.vap
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'reason'
           fields:
             - log.channel
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'instigator'
           fields:
             - log.reason
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'duration'
           fields:
             - log.instigator
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'auth_neg_dur'
           fields:
             - log.duration
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'last_auth_ago'
           fields:
             - log.authNegDur
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'is_wpa'
           fields:
             - log.lastAuthAgo
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'full_conn'
           fields:
             - log.isWpa
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'ip_resp'
           fields:
             - log.fullConn
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'ip_src'
           fields:
             - log.ipResp
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'arp_resp'
           fields:
             - origin.ip
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'arp_src'
           fields:
             - log.arpResp
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'dns_server'
           fields:
             - log.arpSrc
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'dns_req_rtt'
           fields:
             - log.dnsServer
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'dns_resp'
           fields:
             - log.dnsReqRtt
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: 'aid'
           fields:
             - log.dnsResp
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: prefix
           substring: ''''
@@ -827,7 +827,7 @@ pipeline:
             - log.dnsReqRtt
             - log.dnsResp
             - log.aid
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       - trim:
           function: suffix
           substring: ''''
@@ -850,14 +850,14 @@ pipeline:
             - log.dnsReqRtt
             - log.dnsResp
             - log.aid
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("channel") && safe("log.genericEvent", "").contains("auth_neg_dur") && safe("log.genericEvent", "").contains("last_auth_ago")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
       # ........................................
       # Event: event 802.1X (all events) in Meraki MR Access Points
       - grok:
@@ -883,31 +883,31 @@ pipeline:
             - fieldName: log.aid
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("identity") && safe("log.genericEvent", "").contains("aid")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
       - trim:
           function: suffix
           substring: 'radio'
           fields:
             - action
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("identity") && safe("log.genericEvent", "").contains("aid")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
       - trim:
           function: suffix
           substring: 'vap'
           fields:
             - log.radio
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("identity") && safe("log.genericEvent", "").contains("aid")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
       - trim:
           function: suffix
           substring: 'identity'
           fields:
             - log.vap
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("identity") && safe("log.genericEvent", "").contains("aid")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
       - trim:
           function: suffix
           substring: 'aid'
           fields:
             - log.identity
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("identity") && safe("log.genericEvent", "").contains("aid")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
       - trim:
           function: prefix
           substring: ''''
@@ -916,7 +916,7 @@ pipeline:
             - log.vap
             - log.identity
             - log.aid
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("identity") && safe("log.genericEvent", "").contains("aid")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
       - trim:
           function: suffix
           substring: ''''
@@ -925,7 +925,7 @@ pipeline:
             - log.vap
             - log.identity
             - log.aid
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("radio") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("identity") && safe("log.genericEvent", "").contains("aid")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
       # ........................................
       # Event: event splash authentication in Meraki MR Access Points
       - grok:
@@ -955,37 +955,37 @@ pipeline:
             - fieldName: log.upload
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("ip") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("duration") && safe("log.genericEvent", "").contains("download") && safe("log.genericEvent", "").contains("upload")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
       - trim:
           function: suffix
           substring: 'ip'
           fields:
             - action
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("ip") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("duration") && safe("log.genericEvent", "").contains("download") && safe("log.genericEvent", "").contains("upload")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
       - trim:
           function: suffix
           substring: 'duration'
           fields:
             - origin.ip
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("ip") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("duration") && safe("log.genericEvent", "").contains("download") && safe("log.genericEvent", "").contains("upload")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
       - trim:
           function: suffix
           substring: 'vap'
           fields:
             - log.duration
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("ip") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("duration") && safe("log.genericEvent", "").contains("download") && safe("log.genericEvent", "").contains("upload")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
       - trim:
           function: suffix
           substring: 'download'
           fields:
             - log.vap
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("ip") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("duration") && safe("log.genericEvent", "").contains("download") && safe("log.genericEvent", "").contains("upload")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
       - trim:
           function: suffix
           substring: 'upload'
           fields:
             - log.download
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("ip") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("duration") && safe("log.genericEvent", "").contains("download") && safe("log.genericEvent", "").contains("upload")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
       - trim:
           function: prefix
           substring: ''''
@@ -995,7 +995,7 @@ pipeline:
             - log.duration
             - log.download
             - log.upload
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("ip") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("duration") && safe("log.genericEvent", "").contains("download") && safe("log.genericEvent", "").contains("upload")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
       - trim:
           function: suffix
           substring: ''''
@@ -1005,14 +1005,14 @@ pipeline:
             - log.duration
             - log.download
             - log.upload
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("ip") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("duration") && safe("log.genericEvent", "").contains("download") && safe("log.genericEvent", "").contains("upload")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("ip") && safe("log.genericEvent", "").contains("vap") && safe("log.genericEvent", "").contains("duration") && safe("log.genericEvent", "").contains("download") && safe("log.genericEvent", "").contains("upload")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
       # ........................................
       # Event: event wireless packet flood detected in Meraki MR Access Points
       - grok:
@@ -1050,49 +1050,49 @@ pipeline:
             - fieldName: log.interArrival
               pattern: '{{.greedy}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("packet") && safe("log.genericEvent", "").contains("device") && safe("log.genericEvent", "").contains("state") && safe("log.genericEvent", "").contains("alarm_id") && safe("log.genericEvent", "").contains("dos_count")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
       - trim:
           function: suffix
           substring: 'packet'
           fields:
             - action
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("packet") && safe("log.genericEvent", "").contains("device") && safe("log.genericEvent", "").contains("state") && safe("log.genericEvent", "").contains("alarm_id") && safe("log.genericEvent", "").contains("dos_count")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
       - trim:
           function: suffix
           substring: 'device'
           fields:
             - log.packet
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("packet") && safe("log.genericEvent", "").contains("device") && safe("log.genericEvent", "").contains("state") && safe("log.genericEvent", "").contains("alarm_id") && safe("log.genericEvent", "").contains("dos_count")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
       - trim:
           function: suffix
           substring: 'radio'
           fields:
             - origin.mac
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("packet") && safe("log.genericEvent", "").contains("device") && safe("log.genericEvent", "").contains("state") && safe("log.genericEvent", "").contains("alarm_id") && safe("log.genericEvent", "").contains("dos_count")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
       - trim:
           function: suffix
           substring: 'state'
           fields:
             - log.radio
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("packet") && safe("log.genericEvent", "").contains("device") && safe("log.genericEvent", "").contains("state") && safe("log.genericEvent", "").contains("alarm_id") && safe("log.genericEvent", "").contains("dos_count")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
       - trim:
           function: suffix
           substring: 'alarm_id'
           fields:
             - log.state
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("packet") && safe("log.genericEvent", "").contains("device") && safe("log.genericEvent", "").contains("state") && safe("log.genericEvent", "").contains("alarm_id") && safe("log.genericEvent", "").contains("dos_count")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
       - trim:
           function: suffix
           substring: 'dos_count'
           fields:
             - log.alarmId
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("packet") && safe("log.genericEvent", "").contains("device") && safe("log.genericEvent", "").contains("state") && safe("log.genericEvent", "").contains("alarm_id") && safe("log.genericEvent", "").contains("dos_count")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
       - trim:
           function: suffix
           substring: 'inter_arrival'
           fields:
             - log.dosCount
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("packet") && safe("log.genericEvent", "").contains("device") && safe("log.genericEvent", "").contains("state") && safe("log.genericEvent", "").contains("alarm_id") && safe("log.genericEvent", "").contains("dos_count")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
       - trim:
           function: prefix
           substring: ''''
@@ -1105,7 +1105,7 @@ pipeline:
             - log.alarmId
             - log.state
             - log.interArrival
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("packet") && safe("log.genericEvent", "").contains("device") && safe("log.genericEvent", "").contains("state") && safe("log.genericEvent", "").contains("alarm_id") && safe("log.genericEvent", "").contains("dos_count")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
       - trim:
           function: suffix
           substring: ''''
@@ -1118,7 +1118,7 @@ pipeline:
             - log.alarmId
             - log.state
             - log.interArrival
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("type") && log.merakiGroup=="events" && safe("log.genericEvent", "").contains("packet") && safe("log.genericEvent", "").contains("device") && safe("log.genericEvent", "").contains("state") && safe("log.genericEvent", "").contains("alarm_id") && safe("log.genericEvent", "").contains("dos_count")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
       # ........................................
       # Event: flows, flow allowed by Layer 3 firewall in Meraki MR Access Points
       - grok:
@@ -1150,33 +1150,33 @@ pipeline:
             - fieldName: target.port
               pattern: '{{.integer}}'
           source: log.genericEvent
-          where: safe("log.controlFlag", "")!="Init" && (safe("log.genericEvent", "").startsWith("allow") || safe("log.genericEvent", "").startsWith("deny")) && log.merakiGroup=="flows" && safe("log.genericEvent", "").contains("src") && safe("log.genericEvent", "").contains("dst") && safe("log.genericEvent", "").contains("sport") && safe("log.genericEvent", "").contains("dport") && safe("log.genericEvent", "").contains("mac")
+          where: '!equals("log.controlFlag", "Init") && (startsWith("log.genericEvent", "allow") || startsWith("log.genericEvent", "deny")) && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")'
       - trim:
           function: suffix
           substring: 'sport'
           fields:
             - protocol
-          where: safe("log.controlFlag", "")!="Init" && (safe("log.genericEvent", "").startsWith("allow") || safe("log.genericEvent", "").startsWith("deny")) && log.merakiGroup=="flows" && safe("log.genericEvent", "").contains("src") && safe("log.genericEvent", "").contains("dst") && safe("log.genericEvent", "").contains("sport") && safe("log.genericEvent", "").contains("dport") && safe("log.genericEvent", "").contains("mac")
+          where: '!equals("log.controlFlag", "Init") && (startsWith("log.genericEvent", "allow") || startsWith("log.genericEvent", "deny")) && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")'
       - trim:
           function: suffix
           substring: 'protocol'
           fields:
             - origin.mac
-          where: safe("log.controlFlag", "")!="Init" && (safe("log.genericEvent", "").startsWith("allow") || safe("log.genericEvent", "").startsWith("deny")) && log.merakiGroup=="flows" && safe("log.genericEvent", "").contains("src") && safe("log.genericEvent", "").contains("dst") && safe("log.genericEvent", "").contains("sport") && safe("log.genericEvent", "").contains("dport") && safe("log.genericEvent", "").contains("mac")
+          where: '!equals("log.controlFlag", "Init") && (startsWith("log.genericEvent", "allow") || startsWith("log.genericEvent", "deny")) && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")'
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("allow") && log.merakiGroup=="flows" && safe("log.genericEvent", "").contains("src") && safe("log.genericEvent", "").contains("dst") && safe("log.genericEvent", "").contains("sport") && safe("log.genericEvent", "").contains("dport") && safe("log.genericEvent", "").contains("mac")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "allow") && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")'
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: safe("log.controlFlag", "")!="Init" && safe("log.genericEvent", "").startsWith("deny") && log.merakiGroup=="flows" && safe("log.genericEvent", "").contains("src") && safe("log.genericEvent", "").contains("dst") && safe("log.genericEvent", "").contains("sport") && safe("log.genericEvent", "").contains("dport") && safe("log.genericEvent", "").contains("mac")
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "deny") && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")'
       # ........................................
       # Event: event rogue SSID detected and SSID spoofing detected in Meraki MR Access Points
       # First variant
@@ -1225,7 +1225,7 @@ pipeline:
             - fieldName: log.fcSubType
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       # Second variant
       - grok:
           patterns:
@@ -1268,91 +1268,91 @@ pipeline:
             - fieldName: log.fcSubType
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: '='
           fields:
             - action
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: 'ssid'
           fields:
             - action
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: 'bssid'
           fields:
             - log.ssid
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: 'vap'
           fields:
             - log.ssid
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: 'bssid'
           fields:
             - log.vap
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: 'src'
           fields:
             - log.bssid
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: 'dst'
           fields:
             - origin.mac
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: 'wired_mac'
           fields:
             - target.mac
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: 'channel'
           fields:
             - target.mac
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: 'vlan_id'
           fields:
             - log.wiredMac
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: 'channel'
           fields:
             - log.vlanId
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: 'rssi'
           fields:
             - log.channel
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: 'fc_type'
           fields:
             - log.rssi
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: 'fc_subtype'
           fields:
             - log.fcType
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: prefix
           substring: ''''
@@ -1369,7 +1369,7 @@ pipeline:
             - log.fcType
             - log.fcSubType
             - log.vap
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       - trim:
           function: suffix
           substring: ''''
@@ -1386,14 +1386,14 @@ pipeline:
             - log.fcType
             - log.fcSubType
             - log.vap
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.genericEvent", "").startsWith("airmarshal_events") && safe("log.genericEvent", "").contains("type") && safe("log.genericEvent", "").contains("ssid") && safe("log.genericEvent", "").contains("bssid")
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
       # ........................................
       # Event: security_event ids_alerted, ids signature matched in Meraki MX Security Appliance
       - grok:
@@ -1437,44 +1437,44 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: log.msg
-          where: safe("log.genericEvent", "").startsWith("signature") && safe("log.genericEvent", "").contains("priority") && safe("log.genericEvent", "").contains("timestamp") && safe("log.genericEvent", "").contains("direction") && safe("log.genericEvent", "").contains("dhost")
+          where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost")
       - trim:
           function: suffix
           substring: 'priority'
           fields:
             - log.signature
-          where: safe("log.genericEvent", "").startsWith("signature") && safe("log.genericEvent", "").contains("priority") && safe("log.genericEvent", "").contains("timestamp") && safe("log.genericEvent", "").contains("direction") && safe("log.genericEvent", "").contains("dhost")
+          where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost")
       - trim:
           function: suffix
           substring: 'dhost'
           fields:
             - log.msgEventTime
-          where: safe("log.genericEvent", "").startsWith("signature") && safe("log.genericEvent", "").contains("priority") && safe("log.genericEvent", "").contains("timestamp") && safe("log.genericEvent", "").contains("direction") && safe("log.genericEvent", "").contains("dhost")
+          where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost")
       - trim:
           function: suffix
           substring: 'direction'
           fields:
             - origin.mac
-          where: safe("log.genericEvent", "").startsWith("signature") && safe("log.genericEvent", "").contains("priority") && safe("log.genericEvent", "").contains("timestamp") && safe("log.genericEvent", "").contains("direction") && safe("log.genericEvent", "").contains("dhost")
+          where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost")
       - trim:
           function: suffix
           substring: 'protocol'
           fields:
             - log.direction
-          where: safe("log.genericEvent", "").startsWith("signature") && safe("log.genericEvent", "").contains("priority") && safe("log.genericEvent", "").contains("timestamp") && safe("log.genericEvent", "").contains("direction") && safe("log.genericEvent", "").contains("dhost")
+          where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost")
       - trim:
           function: suffix
           substring: 'src'
           fields:
             - protocol
-          where: safe("log.genericEvent", "").startsWith("signature") && safe("log.genericEvent", "").contains("priority") && safe("log.genericEvent", "").contains("timestamp") && safe("log.genericEvent", "").contains("direction") && safe("log.genericEvent", "").contains("dhost")
+          where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost")
       # Adding action result
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.genericEvent", "").startsWith("signature") && safe("log.genericEvent", "").contains("priority") && safe("log.genericEvent", "").contains("timestamp") && safe("log.genericEvent", "").contains("direction") && safe("log.genericEvent", "").contains("dhost")
+          where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost")
       # ............................................................................
       # Cleaning common fields
       - trim:
@@ -1544,6 +1544,6 @@ pipeline:
       # Removing unused fields
       - delete:
           fields:
-            - safe("log.controlFlag", "")
+            - log.controlFlag
             - log.irrelevant
             - log.genericEvent
\ No newline at end of file
diff --git a/filters/crowdstrike/crowdstrike.yml b/filters/crowdstrike/crowdstrike.yml
index 40d8d1bde..8c5e1399a 100644
--- a/filters/crowdstrike/crowdstrike.yml
+++ b/filters/crowdstrike/crowdstrike.yml
@@ -263,35 +263,35 @@ pipeline:
           params:
             key: action
             value: 'get'
-          where: safe("log.eventAttributesRequestMethod", "") == "GET"
+          where: equals("log.eventAttributesRequestMethod", "GET")
 
       - add:
           function: 'string'
           params:
             key: action
             value: 'post'
-          where: safe("log.eventAttributesRequestMethod", "") == "POST"
+          where: equals("log.eventAttributesRequestMethod", "POST")
 
       - add:
           function: 'string'
           params:
             key: action
             value: 'put'
-          where: safe("log.eventAttributesRequestMethod", "") == "PUT"
+          where: equals("log.eventAttributesRequestMethod", "PUT")
 
       - add:
           function: 'string'
           params:
             key: action
             value: 'delete'
-          where: safe("log.eventAttributesRequestMethod", "") == "DELETE"
+          where: equals("log.eventAttributesRequestMethod", "DELETE")
 
       - add:
           function: 'string'
           params:
             key: action
             value: 'request'
-          where: safe("log.eventAttributesRequestMethod", "") == "REQUEST"
+          where: equals("log.eventAttributesRequestMethod", "REQUEST")
 
       # .......................................................................#
       # Removing unused fields
diff --git a/filters/deceptivebytes/deceptive-bytes.yml b/filters/deceptivebytes/deceptive-bytes.yml
index 89f3d5800..524c2deaa 100644
--- a/filters/deceptivebytes/deceptive-bytes.yml
+++ b/filters/deceptivebytes/deceptive-bytes.yml
@@ -467,21 +467,21 @@ pipeline:
           params:
             key: severity
             value: 'high'
-          where: safe("log.severityLabelCharacter", "") in ["C", "A", "E"]
+          where: oneOf("log.severityLabelCharacter", ["C", "A", "E"])
 
       - add:
           function: 'string'
           params:
             key: severity
             value: 'medium'
-          where: safe("log.severityLabelCharacter", "") == "W"
+          where: equals("log.severityLabelCharacter", "W")
 
       - add:
           function: 'string'
           params:
             key: severity
             value: 'low'
-          where: safe("log.severityLabelCharacter", "") in ["D", "V", "N", "I", "T"]
+          where: oneOf("log.severityLabelCharacter", ["D", "V", "N", "I", "T"])
 
       # Removing unused fields
       - delete:
diff --git a/filters/filebeat/apache_module.yml b/filters/filebeat/apache_module.yml
index 9c0826810..91c42dbfa 100644
--- a/filters/filebeat/apache_module.yml
+++ b/filters/filebeat/apache_module.yml
@@ -155,37 +155,37 @@ pipeline:
           params:
             key: action
             value: 'get'
-          where: safe("log.method", "") == "GET"
+          where: equals("log.method", "GET")
       - add:
           function: 'string'
           params:
             key: action
             value: 'post'
-          where: safe("log.method", "") == "POST"
+          where: equals("log.method", "POST")
       - add:
           function: 'string'
           params:
             key: action
             value: 'put'
-          where: safe("log.method", "") == "PUT"
+          where: equals("log.method", "PUT")
       - add:
           function: 'string'
           params:
             key: action
             value: 'delete'
-          where: safe("log.method", "") == "DELETE"
+          where: equals("log.method", "DELETE")
       - add:
           function: 'string'
           params:
             key: action
             value: 'patch'
-          where: safe("log.method", "") == "PATCH"
+          where: equals("log.method", "PATCH")
       - add:
           function: 'string'
           params:
             key: action
             value: 'request'
-          where: safe("log.method", "") == "REQUEST"
+          where: equals("log.method", "REQUEST")
       # Removing log.method if action was set
       - delete:
           fields:
@@ -215,7 +215,7 @@ pipeline:
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("log.statusCode", 0.0) >= double(200) && safe("log.statusCode", 0.0) <= double(299) || (safe("log.statusCode", 0.0) >= double(300) && safe("log.statusCode", 0.0) <= double(399) && safe("origin.bytesReceived", 0.0) > double(0))
+          where: (greaterOrEqual("log.statusCode", 200) && lessOrEqual("log.statusCode", 299)) || (greaterOrEqual("log.statusCode", 300) && lessOrEqual("log.statusCode", 399) && greaterThan("origin.bytesReceived", 0))
       # Removing unused fields
       - delete:
           fields:
diff --git a/filters/filebeat/elasticsearch_module.yml b/filters/filebeat/elasticsearch_module.yml
index 4c64db303..ed992c073 100644
--- a/filters/filebeat/elasticsearch_module.yml
+++ b/filters/filebeat/elasticsearch_module.yml
@@ -381,19 +381,19 @@ pipeline:
           params:
             key: severity
             value: 'high'
-          where: safe("log.level", "") in ["ERROR", "Error", "FATAL", "CRITICAL", "Critical"]
+          where: oneOf("log.level", ["ERROR", "Error", "FATAL", "CRITICAL", "Critical"])
       - add:
           function: 'string'
           params:
             key: severity
             value: 'medium'
-          where: safe("log.level", "") in ["WARN", "Warning"]
+          where: oneOf("log.level", ["WARN", "Warning"])
       - add:
           function: 'string'
           params:
             key: severity
             value: 'low'
-          where: safe("log.level", "") in ["Information", "Informational", "INFO", "DEBUG", "TRACE"]
+          where: oneOf("log.level", ["Information", "Informational", "INFO", "DEBUG", "TRACE"])
 
       # Removing unused fields
       - delete:
@@ -420,4 +420,4 @@ pipeline:
 
       # Droping unwanted logs
       - drop:
-          where: safe("log.eventDataset", "") && safe("log.component", "") && ( (safe("log.eventDataset", "") != "elasticsearch.server" && safe("log.eventDataset", "") != "elasticsearch.audit") || (safe("log.eventDataset", "") == "elasticsearch.server" && (safe("log.component", "").matches("(A|a)udit")==false && safe("log.component", "").matches("(S|s)(S|s)(L|l)")==false && safe("log.component", "").matches("(S|s)ecurity")==false ) ) )
\ No newline at end of file
+          where: exists("log.eventDataset") && exists("log.component") && ( (!equals("log.eventDataset", "elasticsearch.server") && !equals("log.eventDataset", "elasticsearch.audit")) || (equals("log.eventDataset", "elasticsearch.server") && (!equalsIgnoreCase("log.component", "audit") && !equalsIgnoreCase("log.component", "ssl") && !equalsIgnoreCase("log.component", "security") ) ) )
\ No newline at end of file
diff --git a/filters/filebeat/iis_module.yml b/filters/filebeat/iis_module.yml
index 1943e0ad9..23c9e5cee 100644
--- a/filters/filebeat/iis_module.yml
+++ b/filters/filebeat/iis_module.yml
@@ -132,35 +132,35 @@ pipeline:
           params:
             key: action
             value: 'get'
-          where: safe("log.method", "") == "GET"
+          where: equals("log.method", "GET")
 
       - add:
           function: 'string'
           params:
             key: action
             value: 'post'
-          where: safe("log.method", "") == "POST"
+          where: equals("log.method", "POST")
 
       - add:
           function: 'string'
           params:
             key: action
             value: 'put'
-          where: safe("log.method", "") == "PUT"
+          where: equals("log.method", "PUT")
 
       - add:
           function: 'string'
           params:
             key: action
             value: 'delete'
-          where: safe("log.method", "") == "DELETE"
+          where: equals("log.method", "DELETE")
 
       - add:
           function: 'string'
           params:
             key: action
             value: 'request'
-          where: safe("log.method", "") == "REQUEST"
+          where: equals("log.method", "REQUEST")
 
       # Removing log.method if action was set
       - delete:
diff --git a/filters/filebeat/kafka_module.yml b/filters/filebeat/kafka_module.yml
index d89a8f1b6..1a2c29733 100644
--- a/filters/filebeat/kafka_module.yml
+++ b/filters/filebeat/kafka_module.yml
@@ -142,21 +142,21 @@ pipeline:
           params:
             key: severity
             value: 'low'
-          where: safe("log.severity", "") in ["INFO", "TRACE", "DEBUG"]
+          where: oneOf("log.severity", ["INFO", "TRACE", "DEBUG"])
 
       - add:
           function: 'string'
           params:
             key: severity
             value: 'medium'
-          where: safe("log.severity", "") in ["WARNING", "WARN"]
+          where: oneOf("log.severity", ["WARNING", "WARN"])
 
       - add:
           function: 'string'
           params:
             key: severity
             value: 'high'
-          where: safe("log.severity", "") == "ERROR"
+          where: equals("log.severity", "ERROR")
       
       # Removing unused fields
       - delete:
diff --git a/filters/filebeat/kibana_module.yml b/filters/filebeat/kibana_module.yml
index 7a5e65f9a..dacfac024 100644
--- a/filters/filebeat/kibana_module.yml
+++ b/filters/filebeat/kibana_module.yml
@@ -150,21 +150,21 @@ pipeline:
           params:
             key: log.severity
             value: 'high'
-          where: safe("log.severityLabel", "") in ["critical", "alert", "error"]
+          where: oneOf("log.severityLabel", ["critical", "alert", "error"])
 
       - add:
           function: 'string'
           params:
             key: log.severity
             value: 'medium'
-          where: safe("log.severityLabel", "") == "warning"
+          where: equals("log.severityLabel", "warning")
 
       - add:
           function: 'string'
           params:
             key: log.severity
             value: 'low'
-          where: safe("log.severityLabel", "") in ["debug", "verbose", "notice", "information", "trace"]
+          where: oneOf("log.severityLabel", ["debug", "verbose", "notice", "information", "trace"])
 
       # Removing unused fields
       - delete:
diff --git a/filters/filebeat/logstash_module.yml b/filters/filebeat/logstash_module.yml
index d4b1d3e96..c259fbd59 100644
--- a/filters/filebeat/logstash_module.yml
+++ b/filters/filebeat/logstash_module.yml
@@ -114,19 +114,19 @@ pipeline:
           params:
             key: severity
             value: 'high'
-          where: safe("log.level", "") in ["ERROR", "Error", "FATAL", "CRITICAL", "Critical"]
+          where: oneOf("log.level", ["ERROR", "Error", "FATAL", "CRITICAL", "Critical"])
       - add:
           function: 'string'
           params:
             key: severity
             value: 'medium'
-          where: safe("log.level", "") in ["WARN", "Warning"]
+          where: oneOf("log.level", ["WARN", "Warning"])
       - add:
           function: 'string'
           params:
             key: severity
             value: 'low'
-          where: safe("log.level", "") in ["Information", "Informational", "INFO", "DEBUG", "TRACE"]
+          where: oneOf("log.level", ["Information", "Informational", "INFO", "DEBUG", "TRACE"])
       # Removing unused fields
       - delete:
           fields:
diff --git a/filters/filebeat/mysql_module.yml b/filters/filebeat/mysql_module.yml
index 135a400e9..47394d334 100644
--- a/filters/filebeat/mysql_module.yml
+++ b/filters/filebeat/mysql_module.yml
@@ -105,19 +105,19 @@ pipeline:
           params:
             key: severity
             value: 'high'
-          where: safe("log.level", "") == "Internal" || safe("log.level", "") == "internal" || safe("log.level", "") == "INTERNAL" || safe("log.level", "") == "Error" || safe("log.level", "") == "error" || safe("log.level", "") == "ERROR"
+          where: oneOf("log.level", ["Internal", "internal", "INTERNAL", "Error", "error", "ERROR"])
       - add:
           function: 'string'
           params:
             key: severity
             value: 'medium'
-          where: safe("log.level", "") && (safe("log.level", "") == "Warning" || safe("log.level", "") == "warning" || safe("log.level", "") == "WARNING")
+          where: exists("log.level") && oneOf("log.level", ["Warning", "warning", "WARNING"])
       - add:
           function: 'string'
           params:
             key: severity
             value: 'low'
-          where: safe("log.level", "") && safe("log.level", "") != "Internal" && safe("log.level", "") != "internal" && safe("log.level", "") != "INTERNAL" && safe("log.level", "") != "Error" && safe("log.level", "") != "error" && safe("log.level", "") != "ERROR" && safe("log.level", "") != "Warning" && safe("log.level", "") != "warning" && safe("log.level", "") != "WARNING"
+          where: exists("log.level") && !oneOf("log.level", ["Internal", "internal", "INTERNAL", "Error", "error", "ERROR", "Warning", "warning", "WARNING"])
       # Removing unused fields
       - delete:
           fields:
diff --git a/filters/filebeat/nginx_module.yml b/filters/filebeat/nginx_module.yml
index 8cf858831..721eb94b2 100644
--- a/filters/filebeat/nginx_module.yml
+++ b/filters/filebeat/nginx_module.yml
@@ -306,35 +306,35 @@ pipeline:
           params:
             key: action
             value: 'get'
-          where: safe("log.method", "") == "GET"
+          where: equals("log.method", "GET")
 
       - add:
           function: 'string'
           params:
             key: action
             value: 'post'
-          where: safe("log.method", "") == "POST"
+          where: equals("log.method", "POST")
 
       - add:
           function: 'string'
           params:
             key: action
             value: 'put'
-          where: safe("log.method", "") == "PUT"
+          where: equals("log.method", "PUT")
 
       - add:
           function: 'string'
           params:
             key: action
             value: 'delete'
-          where: safe("log.method", "") == "DELETE"
+          where: equals("log.method", "DELETE")
 
       - add:
           function: 'string'
           params:
             key: action
             value: 'request'
-          where: safe("log.method", "") == "REQUEST"
+          where: equals("log.method", "REQUEST")
 
       # Adding actionResult
       # denied by default
@@ -349,7 +349,7 @@ pipeline:
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("statusCode", 0.0) >= double(200) && safe("statusCode", 0.0) <= double(299) || (safe("statusCode", 0.0) >= double(300) && safe("statusCode", 0.0) <= double(399) && safe("origin.bytesReceived", 0.0) > double(0))
+          where: (greaterOrEqual("statusCode", 200) && lessOrEqual("statusCode", 299)) || (greaterOrEqual("statusCode", 300) && lessOrEqual("statusCode", 399) && greaterThan("origin.bytesReceived", 0))
 
       # Adding severity based on log.severityLabel
       - add:
@@ -357,21 +357,21 @@ pipeline:
           params:
             key: log.severity
             value: 'high'
-          where: safe("log.severityLabel", "") in ["critical", "alert", "error"]
+          where: oneOf("log.severityLabel", ["critical", "alert", "error"])
 
       - add:
           function: 'string'
           params:
             key: log.severity
             value: 'medium'
-          where: safe("log.severityLabel", "") == "warning"
+          where: equals("log.severityLabel", "warning")
 
       - add:
           function: 'string'
           params:
             key: log.severity
             value: 'low'
-          where: safe("log.severityLabel", "") in ["debug", "verbose", "notice", "information", "trace"]
+          where: oneOf("log.severityLabel", ["debug", "verbose", "notice", "information", "trace"])
 
       # Removing log.method if action was set
       - delete:
diff --git a/filters/filebeat/redis_module.yml b/filters/filebeat/redis_module.yml
index a99ff7a1d..985702485 100644
--- a/filters/filebeat/redis_module.yml
+++ b/filters/filebeat/redis_module.yml
@@ -148,21 +148,21 @@ pipeline:
           params:
             key: severity
             value: 'low'
-          where: safe("log.severity", "") in ["debug", "verbose"]
+          where: oneOf("log.severity", ["debug", "verbose"])
 
       - add:
           function: 'string'
           params:
             key: severity
             value: 'medium'
-          where: safe("log.severity", "") in ["notice", "warning"]
+          where: oneOf("log.severity", ["notice", "warning"])
 
       - add:
           function: 'string'
           params:
             key: severity
             value: 'high'
-          where: safe("log.severity", "") in ["error"]
+          where: oneOf("log.severity", ["error"])
 
       # Parse beats field
       - rename:
diff --git a/filters/google/gcp.yml b/filters/google/gcp.yml
index 51b73d125..6ced48da9 100644
--- a/filters/google/gcp.yml
+++ b/filters/google/gcp.yml
@@ -309,21 +309,21 @@ pipeline:
           params:
             key: severity
             value: "low"
-          where: safe("log.severity", "") in ["INFO", "NOTICE"]
+          where: oneOf("log.severity", ["INFO", "NOTICE"])
 
       - add:
           function: "string"
           params:
             key: severity
             value: "medium"
-          where: safe("log.severity", "") == "WARNING"
+          where: equals("log.severity", "WARNING")
 
       - add:
           function: "string"
           params:
             key: severity
             value: "high"
-          where: safe("log.severity", "") == "ERROR"
+          where: equals("log.severity", "ERROR")
 
       # Adding action field based on log.httpRequestMethod
       - add:
@@ -331,42 +331,42 @@ pipeline:
           params:
             key: action
             value: "get"
-          where: safe("log.httpRequestMethod", "") == "GET"
+          where: equals("log.httpRequestMethod", "GET")
 
       - add:
           function: "string"
           params:
             key: action
             value: "post"
-          where: safe("log.httpRequestMethod", "") == "POST"
+          where: equals("log.httpRequestMethod", "POST")
 
       - add:
           function: "string"
           params:
             key: action
             value: "put"
-          where: safe("log.httpRequestMethod", "") == "PUT"
+          where: equals("log.httpRequestMethod", "PUT")
 
       - add:
           function: "string"
           params:
             key: action
             value: "patch"
-          where: safe("log.httpRequestMethod", "") == "PATCH"
+          where: equals("log.httpRequestMethod", "PATCH")
 
       - add:
           function: "string"
           params:
             key: action
             value: "request"
-          where: safe("log.httpRequestMethod", "") == "REQUEST"
+          where: equals("log.httpRequestMethod", "REQUEST")
 
       - add:
           function: "string"
           params:
             key: action
             value: "delete"
-          where: safe("log.httpRequestMethod", "") == "DELETE"
+          where: equals("log.httpRequestMethod", "DELETE")
 
       # Adding actionResult field based on log.jsonPayloadEnforcedEdgeSecurityPolicyOutcome
       - add:
@@ -374,14 +374,14 @@ pipeline:
           params:
             key: actionResult
             value: "accepted"
-          where: safe("log.jsonPayloadEnforcedEdgeSecurityPolicyOutcome", "") == "ACCEPT"
+          where: equals("log.jsonPayloadEnforcedEdgeSecurityPolicyOutcome", "ACCEPT")
 
       - add:
           function: "string"
           params:
             key: actionResult
             value: "denied"
-          where: safe("log.jsonPayloadEnforcedEdgeSecurityPolicyOutcome", "") == "DENY"
+          where: equals("log.jsonPayloadEnforcedEdgeSecurityPolicyOutcome", "DENY")
 
       # Adding geolocation to origin.ip
       - dynamic:
diff --git a/filters/sophos/sophos_xg_firewall.yml b/filters/sophos/sophos_xg_firewall.yml
index 980737252..3d377139c 100644
--- a/filters/sophos/sophos_xg_firewall.yml
+++ b/filters/sophos/sophos_xg_firewall.yml
@@ -701,7 +701,7 @@ pipeline:
           params:
             key: actionResult
             value: 'accepted'
-          where: safe("statusCode", 0.0) >= double(200) && safe("statusCode", 0.0) <= double(299) || (safe("statusCode", 0.0) >= double(300) && safe("statusCode", 0.0) <= double(399) && safe("origin.bytesReceived", 0.0) > double(0))
+          where: (greaterOrEqual("statusCode", 200) && lessOrEqual("statusCode", 299)) || (greaterOrEqual("statusCode", 300) && lessOrEqual("statusCode", 399) && greaterThan("origin.bytesReceived", 0))
 
       # Removing unused fields
       - delete:
diff --git a/filters/suricata/suricata.yml b/filters/suricata/suricata.yml
index d49de1ff1..986dc5157 100644
--- a/filters/suricata/suricata.yml
+++ b/filters/suricata/suricata.yml
@@ -9,7 +9,7 @@ pipeline:
     steps:
       # Drop log incomplete jSon structure
       - drop:
-          where: safe("raw", "").matches(".*\\\"event_type\\\"\\s*:\\s*\\\"stats\\\".*")
+          where: regexMatch("raw", ".*\\\"event_type\\\"\\s*:\\s*\\\"stats\\\".*")
 
       # Parsing RAW field log
       - grok:
@@ -30,7 +30,7 @@ pipeline:
       # Parse Suricata JSON logs
       - json:
           source: log.suricataJson
-          where: safe("log.suricataJson", "").matches("^\\{.*\\}$")
+          where: regexMatch("log.suricataJson", "^\\{.*\\}$")
 
       # Rename fields to conversion v11 schema
       - rename:
@@ -95,21 +95,21 @@ pipeline:
           params:
             key: severity
             value: "low"
-          where: safe("log.alert.severity", 0.0) == double(1)
+          where: equals("log.alert.severity", 1)
 
       - add:
           function: "string"
           params:
             key: severity
             value: "medium"
-          where: safe("log.alert.severity", 0.0) == double(2)
+          where: equals("log.alert.severity", 2)
 
       - add:
           function: "string"
           params:
             key: severity
             value: "high"
-          where: safe("log.alert.severity", 0.0) == double(3)
+          where: equals("log.alert.severity", 3)
 
       #.......................................................................
       # Add new eventtypes to logx structure, detected in real logs, present in suricata 7.0.0
@@ -129,26 +129,26 @@ pipeline:
           params:
             key: action
             value: "success"
-          where: (safe("log.eventType", "") == "tls" && exists("log.tls.sessionresumed")) ||
-            (safe("log.eventType", "") == "dns" && safe("log.dns.type", "") == "answer") ||
-            (safe("log.eventType", "") == "flow" && exists("origin.ip") && exists("target.ip") && safe("log.flow.bytestoserver", 0.0) > double(0) && safe("log.flow.bytestoclient", 0.0) > double(0)) ||
-            (safe("log.eventType", "") == "ssh" && exists("log.ssh.server") && exists("log.ssh.client")) ||
-            (safe("log.eventType", "") == "alert" && exists("origin.ip") && exists("target.ip") && safe("log.alert.action", "") == "allowed" && safe("log.flow.bytestoserver", 0.0) > double(0) && safe("log.flow.bytestoclient", 0.0) > double(0)) ||
-            (safe("log.eventType", "") == "http" && exists("origin.ip") && exists("target.ip") && exists("log.http.status")) ||
-            (safe("log.eventType", "") == "ftp" && exists("origin.ip") && exists("target.ip") && exists("log.ftp.completioncode")) ||
-            (safe("log.eventType", "") == "tftp" && exists("origin.ip") && exists("target.ip") && safe("log.tftp.packet", "") != "error") ||
-            (safe("log.eventType", "") == "smb" && exists("origin.ip") && exists("target.ip") && safe("log.smb.command", "") in ["NEGOTIATE"] && safe("log.smb.status", "") in ["SUCCESS", "GRANTED", "CONNECTED"]) ||
-            (safe("log.eventType", "") == "rdp" && exists("origin.ip") && exists("target.ip") && (safe("log.rdp.eventType", "") == "connectresponse" || safe("log.rdp.eventType", "") == "tlshandshake")) ||
-            (safe("log.eventType", "") == "rfb" && exists("origin.ip") && exists("target.ip") && safe("log.rfb.authentication.security-result", "") == "OK") ||
-            (safe("log.eventType", "") == "mqtt" && exists("origin.ip") && exists("target.ip") && (safe("log.mqtt.connack.returncode", "") == "0" ||  safe("log.mqtt.connack.returncode", "") == "0x00")) ||
-            (safe("log.eventType", "") == "pgsql" && exists("origin.ip") && exists("target.ip") && (exists("log.pgsql.request.simplequery") ||  exists("log.pgsql.response.commandcompleted") || safe("log.pgsql.response.sslaccepted", "") == "true" || safe("log.pgsql.response.accepted", "") == "true" || exists("log.pgsql.response.authenticationmd5password"))) ||
-            ((safe("log.eventType", "") == "ike" || safe("log.eventType", "") == "ikev1" || safe("log.eventType", "") == "ikev2") && exists("origin.ip") && exists("target.ip")) ||
-            (safe("log.eventType", "") == "modbus" && exists("origin.ip") && exists("target.ip")) ||
-            (safe("log.eventType", "") == "sip" && exists("origin.ip") && exists("target.ip")) ||
-            (safe("log.eventType", "") == "quic" && exists("origin.ip") && exists("target.ip")) ||
-            (safe("log.eventType", "") == "fileinfo" && exists("origin.ip") && exists("target.ip")) ||
-            (safe("log.eventType", "") == "snmp" && exists("origin.ip") && exists("target.ip")) ||
-            (safe("log.eventType", "") == "dhcp" && exists("origin.ip") && exists("target.ip") && safe("log.dhcp.assignedip", "") != "0")
+          where: (equals("log.eventType", "tls") && exists("log.tls.sessionresumed")) ||
+            (equals("log.eventType", "dns") && equals("log.dns.type", "answer")) ||
+            (equals("log.eventType", "flow") && exists("origin.ip") && exists("target.ip") && greaterThan("log.flow.bytestoserver", 0) && greaterThan("log.flow.bytestoclient", 0)) ||
+            (equals("log.eventType", "ssh") && exists("log.ssh.server") && exists("log.ssh.client")) ||
+            (equals("log.eventType", "alert") && exists("origin.ip") && exists("target.ip") && equals("log.alert.action", "allowed") && greaterThan("log.flow.bytestoserver", 0) && greaterThan("log.flow.bytestoclient", 0)) ||
+            (equals("log.eventType", "http") && exists("origin.ip") && exists("target.ip") && exists("log.http.status")) ||
+            (equals("log.eventType", "ftp") && exists("origin.ip") && exists("target.ip") && exists("log.ftp.completioncode")) ||
+            (equals("log.eventType", "tftp") && exists("origin.ip") && exists("target.ip") && !equals("log.tftp.packet", "error")) ||
+            (equals("log.eventType", "smb") && exists("origin.ip") && exists("target.ip") && oneOf("log.smb.command", ["NEGOTIATE"]) && oneOf("log.smb.status", ["SUCCESS", "GRANTED", "CONNECTED"])) ||
+            (equals("log.eventType", "rdp") && exists("origin.ip") && exists("target.ip") && (equals("log.rdp.eventType", "connectresponse") || equals("log.rdp.eventType", "tlshandshake"))) ||
+            (equals("log.eventType", "rfb") && exists("origin.ip") && exists("target.ip") && equals("log.rfb.authentication.security-result", "OK")) ||
+            (equals("log.eventType", "mqtt") && exists("origin.ip") && exists("target.ip") && (equals("log.mqtt.connack.returncode", "0") ||  equals("log.mqtt.connack.returncode", "0x00"))) ||
+            (equals("log.eventType", "pgsql") && exists("origin.ip") && exists("target.ip") && (exists("log.pgsql.request.simplequery") ||  exists("log.pgsql.response.commandcompleted") || equals("log.pgsql.response.sslaccepted", "true") || equals("log.pgsql.response.accepted", "true") || exists("log.pgsql.response.authenticationmd5password"))) ||
+            ((equals("log.eventType", "ike") || equals("log.eventType", "ikev1") || equals("log.eventType", "ikev2")) && exists("origin.ip") && exists("target.ip")) ||
+            (equals("log.eventType", "modbus") && exists("origin.ip") && exists("target.ip")) ||
+            (equals("log.eventType", "sip") && exists("origin.ip") && exists("target.ip")) ||
+            (equals("log.eventType", "quic") && exists("origin.ip") && exists("target.ip")) ||
+            (equals("log.eventType", "fileinfo") && exists("origin.ip") && exists("target.ip")) ||
+            (equals("log.eventType", "snmp") && exists("origin.ip") && exists("target.ip")) ||
+            (equals("log.eventType", "dhcp") && exists("origin.ip") && exists("target.ip") && !equals("log.dhcp.assignedip", "0"))
           
 
       # Adding geolocation to origin.ip
diff --git a/filters/windows/windows-events.yml b/filters/windows/windows-events.yml
index 42275399e..4ab01daa1 100644
--- a/filters/windows/windows-events.yml
+++ b/filters/windows/windows-events.yml
@@ -430,1862 +430,1862 @@ pipeline:
           params:
             key: log.eventName
             value: 'A product has been installed successfully'
-          where: safe("log.eventCode", 0.0)==double(1033)
+          where: equals("log.eventCode", 1033)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The event logging service has shut down'
-          where: safe("log.eventCode", 0.0)==double(1100)
+          where: equals("log.eventCode", 1100)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Audit events have been dropped by the transport.'
-          where: safe("log.eventCode", 0.0)==double(1101)
+          where: equals("log.eventCode", 1101)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The audit log was cleared'
-          where: safe("log.eventCode", 0.0)==double(1102)
+          where: equals("log.eventCode", 1102)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The security Log is now full'
-          where: safe("log.eventCode", 0.0)==double(1104)
+          where: equals("log.eventCode", 1104)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The event logging service encountered an error'
-          where: safe("log.eventCode", 0.0)==double(1108)
+          where: equals("log.eventCode", 1108)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A PowerShell script block has been executed and the script text has been logged to the event viewer.'
-          where: safe("log.eventCode", 0.0)==double(4104)
+          where: equals("log.eventCode", 4104)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An authentication package has been loaded by the Local Security Authority'
-          where: safe("log.eventCode", 0.0)==double(4610)
+          where: equals("log.eventCode", 4610)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A trusted logon process has been registered with the Local Security Authority'
-          where: safe("log.eventCode", 0.0)==double(4611)
+          where: equals("log.eventCode", 4611)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Internal resources allocated for the queuing of audit messages have been exhausted: leading to the loss of some audits.'
-          where: safe("log.eventCode", 0.0)==double(4612)
+          where: equals("log.eventCode", 4612)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A monitored security event pattern has occurred'
-          where: safe("log.eventCode", 0.0)==double(4618)
+          where: equals("log.eventCode", 4618)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Administrator recovered system from CrashOnAuditFail'
-          where: safe("log.eventCode", 0.0)==double(4621)
+          where: equals("log.eventCode", 4621)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security package has been loaded by the Local Security Authority.'
-          where: safe("log.eventCode", 0.0)==double(4622)
+          where: equals("log.eventCode", 4622)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An account was successfully logged on'
-          where: safe("log.eventCode", 0.0)==double(4624)
+          where: equals("log.eventCode", 4624)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An account failed to log on'
-          where: safe("log.eventCode", 0.0)==double(4625)
+          where: equals("log.eventCode", 4625)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An account was logged off'
-          where: safe("log.eventCode", 0.0)==double(4634)
+          where: equals("log.eventCode", 4634)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'IKE DoS-prevention mode started'
-          where: safe("log.eventCode", 0.0)==double(4646)
+          where: equals("log.eventCode", 4646)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'User initiated logoff'
-          where: safe("log.eventCode", 0.0)==double(4647)
+          where: equals("log.eventCode", 4647)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A logon was attempted using explicit credentials'
-          where: safe("log.eventCode", 0.0)==double(4648)
+          where: equals("log.eventCode", 4648)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A replay attack was detected'
-          where: safe("log.eventCode", 0.0)==double(4649)
+          where: equals("log.eventCode", 4649)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A handle to an object was requested'
-          where: safe("log.eventCode", 0.0)==double(4656)
+          where: equals("log.eventCode", 4656)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A registry value was modified'
-          where: safe("log.eventCode", 0.0)==double(4657)
+          where: equals("log.eventCode", 4657)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The handle to an object was closed'
-          where: safe("log.eventCode", 0.0)==double(4658)
+          where: equals("log.eventCode", 4658)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An object was deleted'
-          where: safe("log.eventCode", 0.0)==double(4660)
+          where: equals("log.eventCode", 4660)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A handle to an object was requested'
-          where: safe("log.eventCode", 0.0)==double(4661)
+          where: equals("log.eventCode", 4661)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An operation was performed on an object'
-          where: safe("log.eventCode", 0.0)==double(4662)
+          where: equals("log.eventCode", 4662)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An attempt was made to access an object'
-          where: safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An attempt was made to create a hard link'
-          where: safe("log.eventCode", 0.0)==double(4664)
+          where: equals("log.eventCode", 4664)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Permissions on an object were changed'
-          where: safe("log.eventCode", 0.0)==double(4670)
+          where: equals("log.eventCode", 4670)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An application attempted to access a blocked ordinal through the TBS'
-          where: safe("log.eventCode", 0.0)==double(4671)
+          where: equals("log.eventCode", 4671)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Special privileges assigned to new logon'
-          where: safe("log.eventCode", 0.0)==double(4672)
+          where: equals("log.eventCode", 4672)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A privileged service was called'
-          where: safe("log.eventCode", 0.0)==double(4673)
+          where: equals("log.eventCode", 4673)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An operation was attempted on a privileged object'
-          where: safe("log.eventCode", 0.0)==double(4674)
+          where: equals("log.eventCode", 4674)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'SIDs were filtered'
-          where: safe("log.eventCode", 0.0)==double(4675)
+          where: equals("log.eventCode", 4675)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An attempt was made to duplicate a handle to an object'
-          where: safe("log.eventCode", 0.0)==double(4690)
+          where: equals("log.eventCode", 4690)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Indirect access to an object was requested'
-          where: safe("log.eventCode", 0.0)==double(4691)
+          where: equals("log.eventCode", 4691)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Backup of data protection master key was attempted'
-          where: safe("log.eventCode", 0.0)==double(4692)
+          where: equals("log.eventCode", 4692)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Recovery of data protection master key was attempted'
-          where: safe("log.eventCode", 0.0)==double(4693)
+          where: equals("log.eventCode", 4693)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Protection of auditable protected data was attempted'
-          where: safe("log.eventCode", 0.0)==double(4694)
+          where: equals("log.eventCode", 4694)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Unprotection of auditable protected data was attempted'
-          where: safe("log.eventCode", 0.0)==double(4695)
+          where: equals("log.eventCode", 4695)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A service was installed in the system'
-          where: safe("log.eventCode", 0.0)==double(4697)
+          where: equals("log.eventCode", 4697)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A scheduled task was created'
-          where: safe("log.eventCode", 0.0)==double(4698)
+          where: equals("log.eventCode", 4698)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A scheduled task was deleted'
-          where: safe("log.eventCode", 0.0)==double(4699)
+          where: equals("log.eventCode", 4699)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A scheduled task was enabled'
-          where: safe("log.eventCode", 0.0)==double(4700)
+          where: equals("log.eventCode", 4700)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A scheduled task was disabled'
-          where: safe("log.eventCode", 0.0)==double(4701)
+          where: equals("log.eventCode", 4701)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A scheduled task was updated'
-          where: safe("log.eventCode", 0.0)==double(4702)
+          where: equals("log.eventCode", 4702)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A token right was adjusted'
-          where: safe("log.eventCode", 0.0)==double(4703)
+          where: equals("log.eventCode", 4703)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A user right was assigned'
-          where: safe("log.eventCode", 0.0)==double(4704)
+          where: equals("log.eventCode", 4704)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A user right was removed'
-          where: safe("log.eventCode", 0.0)==double(4705)
+          where: equals("log.eventCode", 4705)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A new trust was created to a domain'
-          where: safe("log.eventCode", 0.0)==double(4706)
+          where: equals("log.eventCode", 4706)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A trust to a domain was removed'
-          where: safe("log.eventCode", 0.0)==double(4707)
+          where: equals("log.eventCode", 4707)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Kerberos policy was changed'
-          where: safe("log.eventCode", 0.0)==double(4713)
+          where: equals("log.eventCode", 4713)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Encrypted data recovery policy was changed'
-          where: safe("log.eventCode", 0.0)==double(4714)
+          where: equals("log.eventCode", 4714)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The audit policy (SACL) on an object was changed'
-          where: safe("log.eventCode", 0.0)==double(4715)
+          where: equals("log.eventCode", 4715)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Trusted domain information was modified'
-          where: safe("log.eventCode", 0.0)==double(4716)
+          where: equals("log.eventCode", 4716)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'System security access was granted to an account'
-          where: safe("log.eventCode", 0.0)==double(4717)
+          where: equals("log.eventCode", 4717)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'System security access was removed from an account'
-          where: safe("log.eventCode", 0.0)==double(4718)
+          where: equals("log.eventCode", 4718)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'System audit policy was changed'
-          where: safe("log.eventCode", 0.0)==double(4719)
+          where: equals("log.eventCode", 4719)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A user account was created'
-          where: safe("log.eventCode", 0.0)==double(4720)
+          where: equals("log.eventCode", 4720)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A user account was enabled'
-          where: safe("log.eventCode", 0.0)==double(4722)
+          where: equals("log.eventCode", 4722)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An attempt was made to change the password for an account'
-          where: safe("log.eventCode", 0.0)==double(4723)
+          where: equals("log.eventCode", 4723)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An attempt was made to reset an accounts password'
-          where: safe("log.eventCode", 0.0)==double(4724)
+          where: equals("log.eventCode", 4724)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A user account was disabled'
-          where: safe("log.eventCode", 0.0)==double(4725)
+          where: equals("log.eventCode", 4725)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A user account was deleted'
-          where: safe("log.eventCode", 0.0)==double(4726)
+          where: equals("log.eventCode", 4726)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-enabled global group was created'
-          where: safe("log.eventCode", 0.0)==double(4727)
+          where: equals("log.eventCode", 4727)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A member was added to a security-enabled global group'
-          where: safe("log.eventCode", 0.0)==double(4728)
+          where: equals("log.eventCode", 4728)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A member was removed from a security-enabled global group'
-          where: safe("log.eventCode", 0.0)==double(4729)
+          where: equals("log.eventCode", 4729)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-enabled global group was deleted'
-          where: safe("log.eventCode", 0.0)==double(4730)
+          where: equals("log.eventCode", 4730)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-enabled local group was created'
-          where: safe("log.eventCode", 0.0)==double(4731)
+          where: equals("log.eventCode", 4731)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A member was added to a security-enabled local group'
-          where: safe("log.eventCode", 0.0)==double(4732)
+          where: equals("log.eventCode", 4732)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A member was removed from a security-enabled local group'
-          where: safe("log.eventCode", 0.0)==double(4733)
+          where: equals("log.eventCode", 4733)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-enabled local group was deleted'
-          where: safe("log.eventCode", 0.0)==double(4734)
+          where: equals("log.eventCode", 4734)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-enabled local group was changed'
-          where: safe("log.eventCode", 0.0)==double(4735)
+          where: equals("log.eventCode", 4735)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-enabled global group was changed'
-          where: safe("log.eventCode", 0.0)==double(4737)
+          where: equals("log.eventCode", 4737)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A user account was changed'
-          where: safe("log.eventCode", 0.0)==double(4738)
+          where: equals("log.eventCode", 4738)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Domain Policy was changed'
-          where: safe("log.eventCode", 0.0)==double(4739)
+          where: equals("log.eventCode", 4739)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A user account was locked out'
-          where: safe("log.eventCode", 0.0)==double(4740)
+          where: equals("log.eventCode", 4740)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A computer account was created'
-          where: safe("log.eventCode", 0.0)==double(4741)
+          where: equals("log.eventCode", 4741)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A computer account was changed'
-          where: safe("log.eventCode", 0.0)==double(4742)
+          where: equals("log.eventCode", 4742)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A computer account was deleted'
-          where: safe("log.eventCode", 0.0)==double(4743)
+          where: equals("log.eventCode", 4743)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-disabled local group was created'
-          where: safe("log.eventCode", 0.0)==double(4744)
+          where: equals("log.eventCode", 4744)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-disabled local group was changed'
-          where: safe("log.eventCode", 0.0)==double(4745)
+          where: equals("log.eventCode", 4745)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A member was added to a security-disabled local group'
-          where: safe("log.eventCode", 0.0)==double(4746)
+          where: equals("log.eventCode", 4746)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A member was removed from a security-disabled local group'
-          where: safe("log.eventCode", 0.0)==double(4747)
+          where: equals("log.eventCode", 4747)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-disabled local group was deleted'
-          where: safe("log.eventCode", 0.0)==double(4748)
+          where: equals("log.eventCode", 4748)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-disabled global group was created'
-          where: safe("log.eventCode", 0.0)==double(4749)
+          where: equals("log.eventCode", 4749)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-disabled global group was changed'
-          where: safe("log.eventCode", 0.0)==double(4750)
+          where: equals("log.eventCode", 4750)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A member was added to a security-disabled global group'
-          where: safe("log.eventCode", 0.0)==double(4751)
+          where: equals("log.eventCode", 4751)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A member was removed from a security-disabled global group'
-          where: safe("log.eventCode", 0.0)==double(4752)
+          where: equals("log.eventCode", 4752)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-disabled global group was deleted'
-          where: safe("log.eventCode", 0.0)==double(4753)
+          where: equals("log.eventCode", 4753)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-enabled universal group was created'
-          where: safe("log.eventCode", 0.0)==double(4754)
+          where: equals("log.eventCode", 4754)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-enabled universal group was changed'
-          where: safe("log.eventCode", 0.0)==double(4755)
+          where: equals("log.eventCode", 4755)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A member was added to a security-enabled universal group'
-          where: safe("log.eventCode", 0.0)==double(4756)
+          where: equals("log.eventCode", 4756)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A member was removed from a security-enabled universal group'
-          where: safe("log.eventCode", 0.0)==double(4757)
+          where: equals("log.eventCode", 4757)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-enabled universal group was deleted'
-          where: safe("log.eventCode", 0.0)==double(4758)
+          where: equals("log.eventCode", 4758)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-disabled universal group was created'
-          where: safe("log.eventCode", 0.0)==double(4759)
+          where: equals("log.eventCode", 4759)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-disabled universal group was changed'
-          where: safe("log.eventCode", 0.0)==double(4760)
+          where: equals("log.eventCode", 4760)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A member was added to a security-disabled universal group'
-          where: safe("log.eventCode", 0.0)==double(4761)
+          where: equals("log.eventCode", 4761)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A member was removed from a security-disabled universal group'
-          where: safe("log.eventCode", 0.0)==double(4762)
+          where: equals("log.eventCode", 4762)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-disabled universal group was deleted'
-          where: safe("log.eventCode", 0.0)==double(4763)
+          where: equals("log.eventCode", 4763)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A groups type was changed'
-          where: safe("log.eventCode", 0.0)==double(4764)
+          where: equals("log.eventCode", 4764)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'SID History was added to an account'
-          where: safe("log.eventCode", 0.0)==double(4765)
+          where: equals("log.eventCode", 4765)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An attempt to add SID History to an account failed'
-          where: safe("log.eventCode", 0.0)==double(4766)
+          where: equals("log.eventCode", 4766)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A user account was unlocked'
-          where: safe("log.eventCode", 0.0)==double(4767)
+          where: equals("log.eventCode", 4767)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A Kerberos authentication ticket (TGT) was requested'
-          where: safe("log.eventCode", 0.0)==double(4768)
+          where: equals("log.eventCode", 4768)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A Kerberos service ticket was requested'
-          where: safe("log.eventCode", 0.0)==double(4769)
+          where: equals("log.eventCode", 4769)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A Kerberos service ticket was renewed'
-          where: safe("log.eventCode", 0.0)==double(4770)
+          where: equals("log.eventCode", 4770)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Kerberos pre-authentication failed'
-          where: safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A Kerberos authentication ticket request failed'
-          where: safe("log.eventCode", 0.0)==double(4772)
+          where: equals("log.eventCode", 4772)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A Kerberos service ticket request failed'
-          where: safe("log.eventCode", 0.0)==double(4773)
+          where: equals("log.eventCode", 4773)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An account was mapped for logon'
-          where: safe("log.eventCode", 0.0)==double(4774)
+          where: equals("log.eventCode", 4774)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An account could not be mapped for logon'
-          where: safe("log.eventCode", 0.0)==double(4775)
+          where: equals("log.eventCode", 4775)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The domain controller attempted to validate the credentials for an account'
-          where: safe("log.eventCode", 0.0)==double(4776)
+          where: equals("log.eventCode", 4776)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The domain controller failed to validate the credentials for an account'
-          where: safe("log.eventCode", 0.0)==double(4777)
+          where: equals("log.eventCode", 4777)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The ACL was set on accounts which are members of administrators groups'
-          where: safe("log.eventCode", 0.0)==double(4780)
+          where: equals("log.eventCode", 4780)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The name of an account was changed'
-          where: safe("log.eventCode", 0.0)==double(4781)
+          where: equals("log.eventCode", 4781)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The password hash an account was accessed'
-          where: safe("log.eventCode", 0.0)==double(4782)
+          where: equals("log.eventCode", 4782)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A basic application group was created'
-          where: safe("log.eventCode", 0.0)==double(4783)
+          where: equals("log.eventCode", 4783)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A basic application group was changed'
-          where: safe("log.eventCode", 0.0)==double(4784)
+          where: equals("log.eventCode", 4784)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A member was added to a basic application group'
-          where: safe("log.eventCode", 0.0)==double(4785)
+          where: equals("log.eventCode", 4785)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A member was removed from a basic application group'
-          where: safe("log.eventCode", 0.0)==double(4786)
+          where: equals("log.eventCode", 4786)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A non-member was added to a basic application group'
-          where: safe("log.eventCode", 0.0)==double(4787)
+          where: equals("log.eventCode", 4787)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A non-member was removed from a basic application group.'
-          where: safe("log.eventCode", 0.0)==double(4788)
+          where: equals("log.eventCode", 4788)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A basic application group was deleted'
-          where: safe("log.eventCode", 0.0)==double(4789)
+          where: equals("log.eventCode", 4789)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An LDAP query group was created'
-          where: safe("log.eventCode", 0.0)==double(4790)
+          where: equals("log.eventCode", 4790)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A basic application group was changed'
-          where: safe("log.eventCode", 0.0)==double(4791)
+          where: equals("log.eventCode", 4791)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An LDAP query group was deleted'
-          where: safe("log.eventCode", 0.0)==double(4792)
+          where: equals("log.eventCode", 4792)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Password Policy Checking API was called'
-          where: safe("log.eventCode", 0.0)==double(4793)
+          where: equals("log.eventCode", 4793)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An attempt was made to set the Directory Services Restore Mode administrator password'
-          where: safe("log.eventCode", 0.0)==double(4794)
+          where: equals("log.eventCode", 4794)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An attempt was made to query the existence of a blank password for an account'
-          where: safe("log.eventCode", 0.0)==double(4797)
+          where: equals("log.eventCode", 4797)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A users local group membership was enumerated.'
-          where: safe("log.eventCode", 0.0)==double(4798)
+          where: equals("log.eventCode", 4798)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security-enabled local group membership was enumerated'
-          where: safe("log.eventCode", 0.0)==double(4799)
+          where: equals("log.eventCode", 4799)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The workstation was locked'
-          where: safe("log.eventCode", 0.0)==double(4800)
+          where: equals("log.eventCode", 4800)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The workstation was unlocked'
-          where: safe("log.eventCode", 0.0)==double(4801)
+          where: equals("log.eventCode", 4801)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The screen saver was invoked'
-          where: safe("log.eventCode", 0.0)==double(4802)
+          where: equals("log.eventCode", 4802)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The screen saver was dismissed'
-          where: safe("log.eventCode", 0.0)==double(4803)
+          where: equals("log.eventCode", 4803)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'RPC detected an integrity violation while decrypting an incoming message'
-          where: safe("log.eventCode", 0.0)==double(4816)
+          where: equals("log.eventCode", 4816)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Auditing settings on object were changed.'
-          where: safe("log.eventCode", 0.0)==double(4817)
+          where: equals("log.eventCode", 4817)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy'
-          where: safe("log.eventCode", 0.0)==double(4818)
+          where: equals("log.eventCode", 4818)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Central Access Policies on the machine have been changed'
-          where: safe("log.eventCode", 0.0)==double(4819)
+          where: equals("log.eventCode", 4819)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions'
-          where: safe("log.eventCode", 0.0)==double(4820)
+          where: equals("log.eventCode", 4820)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A Kerberos service ticket was denied because the user: device: or both does not meet the access control restrictions'
-          where: safe("log.eventCode", 0.0)==double(4821)
+          where: equals("log.eventCode", 4821)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'NTLM authentication failed because the account was a member of the Protected User group'
-          where: safe("log.eventCode", 0.0)==double(4822)
+          where: equals("log.eventCode", 4822)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'NTLM authentication failed because access control restrictions are required'
-          where: safe("log.eventCode", 0.0)==double(4823)
+          where: equals("log.eventCode", 4823)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group'
-          where: safe("log.eventCode", 0.0)==double(4824)
+          where: equals("log.eventCode", 4824)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A user was denied the access to Remote Desktop. By default: users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group'
-          where: safe("log.eventCode", 0.0)==double(4825)
+          where: equals("log.eventCode", 4825)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'SID History was removed from an account'
-          where: safe("log.eventCode", 0.0)==double(4830)
+          where: equals("log.eventCode", 4830)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A trusted forest information entry was added'
-          where: safe("log.eventCode", 0.0)==double(4865)
+          where: equals("log.eventCode", 4865)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A trusted forest information entry was modified'
-          where: safe("log.eventCode", 0.0)==double(4867)
+          where: equals("log.eventCode", 4867)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The certificate manager denied a pending certificate request'
-          where: safe("log.eventCode", 0.0)==double(4868)
+          where: equals("log.eventCode", 4868)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services received a resubmitted certificate request'
-          where: safe("log.eventCode", 0.0)==double(4869)
+          where: equals("log.eventCode", 4869)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services revoked a certificate'
-          where: safe("log.eventCode", 0.0)==double(4870)
+          where: equals("log.eventCode", 4870)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services received a request to publish the certificate revocation list (CRL)'
-          where: safe("log.eventCode", 0.0)==double(4871)
+          where: equals("log.eventCode", 4871)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services published the certificate revocation list (CRL)'
-          where: safe("log.eventCode", 0.0)==double(4872)
+          where: equals("log.eventCode", 4872)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A certificate request extension changed'
-          where: safe("log.eventCode", 0.0)==double(4873)
+          where: equals("log.eventCode", 4873)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'One or more certificate request attributes changed.'
-          where: safe("log.eventCode", 0.0)==double(4874)
+          where: equals("log.eventCode", 4874)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services received a request to shut down'
-          where: safe("log.eventCode", 0.0)==double(4875)
+          where: equals("log.eventCode", 4875)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services backup started'
-          where: safe("log.eventCode", 0.0)==double(4876)
+          where: equals("log.eventCode", 4876)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services backup completed'
-          where: safe("log.eventCode", 0.0)==double(4877)
+          where: equals("log.eventCode", 4877)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services restore started'
-          where: safe("log.eventCode", 0.0)==double(4878)
+          where: equals("log.eventCode", 4878)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services restore completed'
-          where: safe("log.eventCode", 0.0)==double(4879)
+          where: equals("log.eventCode", 4879)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services started'
-          where: safe("log.eventCode", 0.0)==double(4880)
+          where: equals("log.eventCode", 4880)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services stopped'
-          where: safe("log.eventCode", 0.0)==double(4881)
+          where: equals("log.eventCode", 4881)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The security permissions for Certificate Services changed'
-          where: safe("log.eventCode", 0.0)==double(4882)
+          where: equals("log.eventCode", 4882)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services retrieved an archived key'
-          where: safe("log.eventCode", 0.0)==double(4883)
+          where: equals("log.eventCode", 4883)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services imported a certificate into its database'
-          where: safe("log.eventCode", 0.0)==double(4884)
+          where: equals("log.eventCode", 4884)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The audit filter for Certificate Services changed'
-          where: safe("log.eventCode", 0.0)==double(4885)
+          where: equals("log.eventCode", 4885)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services received a certificate request'
-          where: safe("log.eventCode", 0.0)==double(4886)
+          where: equals("log.eventCode", 4886)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services approved a certificate request and issued a certificate'
-          where: safe("log.eventCode", 0.0)==double(4887)
+          where: equals("log.eventCode", 4887)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services denied a certificate request'
-          where: safe("log.eventCode", 0.0)==double(4888)
+          where: equals("log.eventCode", 4888)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services set the status of a certificate request to pending'
-          where: safe("log.eventCode", 0.0)==double(4889)
+          where: equals("log.eventCode", 4889)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The certificate manager settings for Certificate Services changed.'
-          where: safe("log.eventCode", 0.0)==double(4890)
+          where: equals("log.eventCode", 4890)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A configuration entry changed in Certificate Services'
-          where: safe("log.eventCode", 0.0)==double(4891)
+          where: equals("log.eventCode", 4891)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A property of Certificate Services changed'
-          where: safe("log.eventCode", 0.0)==double(4892)
+          where: equals("log.eventCode", 4892)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services archived a key'
-          where: safe("log.eventCode", 0.0)==double(4893)
+          where: equals("log.eventCode", 4893)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services imported and archived a key'
-          where: safe("log.eventCode", 0.0)==double(4894)
+          where: equals("log.eventCode", 4894)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services published the CA certificate to Active Directory Domain Services'
-          where: safe("log.eventCode", 0.0)==double(4895)
+          where: equals("log.eventCode", 4895)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'One or more rows have been deleted from the certificate database'
-          where: safe("log.eventCode", 0.0)==double(4896)
+          where: equals("log.eventCode", 4896)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Role separation enabled'
-          where: safe("log.eventCode", 0.0)==double(4897)
+          where: equals("log.eventCode", 4897)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Certificate Services template security was updated'
-          where: safe("log.eventCode", 0.0)==double(4900)
+          where: equals("log.eventCode", 4900)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Auditing settings on object were changed'
-          where: safe("log.eventCode", 0.0)==double(4907)
+          where: equals("log.eventCode", 4907)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Special Groups Logon table modified'
-          where: safe("log.eventCode", 0.0)==double(4908)
+          where: equals("log.eventCode", 4908)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Per User Audit Policy was changed'
-          where: safe("log.eventCode", 0.0)==double(4912)
+          where: equals("log.eventCode", 4912)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Central Access Policy on the object was changed'
-          where: safe("log.eventCode", 0.0)==double(4913)
+          where: equals("log.eventCode", 4913)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A change has been made to Windows Firewall exception list. A rule was added'
-          where: safe("log.eventCode", 0.0)==double(4946)
+          where: equals("log.eventCode", 4946)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A change has been made to Windows Firewall exception list. A rule was modified'
-          where: safe("log.eventCode", 0.0)==double(4947)
+          where: equals("log.eventCode", 4947)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A change has been made to Windows Firewall exception list. A rule was deleted'
-          where: safe("log.eventCode", 0.0)==double(4948)
+          where: equals("log.eventCode", 4948)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Windows Firewall settings were restored to the default values'
-          where: safe("log.eventCode", 0.0)==double(4949)
+          where: equals("log.eventCode", 4949)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A Windows Firewall setting has changed'
-          where: safe("log.eventCode", 0.0)==double(4950)
+          where: equals("log.eventCode", 4950)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Windows Firewall Group Policy settings has changed. The new settings have been applied'
-          where: safe("log.eventCode", 0.0)==double(4954)
+          where: equals("log.eventCode", 4954)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Windows Firewall has changed the active profile'
-          where: safe("log.eventCode", 0.0)==double(4956)
+          where: equals("log.eventCode", 4956)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'IPsec dropped an inbound packet that failed an integrity check'
-          where: safe("log.eventCode", 0.0)==double(4960)
+          where: equals("log.eventCode", 4960)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'IPsec dropped an inbound packet that failed a replay check'
-          where: safe("log.eventCode", 0.0)==double(4961)
+          where: equals("log.eventCode", 4961)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'IPsec dropped an inbound packet that failed a replay check'
-          where: safe("log.eventCode", 0.0)==double(4962)
+          where: equals("log.eventCode", 4962)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'IPsec dropped an inbound clear text packet that should have been secured'
-          where: safe("log.eventCode", 0.0)==double(4963)
+          where: equals("log.eventCode", 4963)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Special groups have been assigned to a new logon'
-          where: safe("log.eventCode", 0.0)==double(4964)
+          where: equals("log.eventCode", 4964)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'During Main Mode negotiation: IPsec received an invalid negotiation packet.'
-          where: safe("log.eventCode", 0.0)==double(4976)
+          where: equals("log.eventCode", 4976)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'During Quick Mode negotiation: IPsec received an invalid negotiation packet.'
-          where: safe("log.eventCode", 0.0)==double(4977)
+          where: equals("log.eventCode", 4977)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'During Extended Mode negotiation: IPsec received an invalid negotiation packet.'
-          where: safe("log.eventCode", 0.0)==double(4978)
+          where: equals("log.eventCode", 4978)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Antimalware engine encountered an error and failed'
-          where: safe("log.eventCode", 0.0)==double(5008)
+          where: equals("log.eventCode", 5008)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Windows Firewall Service has been stopped'
-          where: safe("log.eventCode", 0.0)==double(5025)
+          where: equals("log.eventCode", 5025)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Windows Firewall Service failed to start'
-          where: safe("log.eventCode", 0.0)==double(5030)
+          where: equals("log.eventCode", 5030)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Windows Firewall Service blocked an application from accepting incoming connections on the network.'
-          where: safe("log.eventCode", 0.0)==double(5031)
+          where: equals("log.eventCode", 5031)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network'
-          where: safe("log.eventCode", 0.0)==double(5032)
+          where: equals("log.eventCode", 5032)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Windows Firewall Driver detected critical runtime error. Terminating'
-          where: safe("log.eventCode", 0.0)==double(5037)
+          where: equals("log.eventCode", 5037)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A change has been made to IPsec settings. An Authentication Set was added.'
-          where: safe("log.eventCode", 0.0)==double(5040)
+          where: equals("log.eventCode", 5040)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A change has been made to IPsec settings. An Authentication Set was modified'
-          where: safe("log.eventCode", 0.0)==double(5041)
+          where: equals("log.eventCode", 5041)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A change has been made to IPsec settings. An Authentication Set was deleted'
-          where: safe("log.eventCode", 0.0)==double(5042)
+          where: equals("log.eventCode", 5042)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A change has been made to IPsec settings. A Connection Security Rule was added'
-          where: safe("log.eventCode", 0.0)==double(5043)
+          where: equals("log.eventCode", 5043)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A change has been made to IPsec settings. A Connection Security Rule was modified'
-          where: safe("log.eventCode", 0.0)==double(5044)
+          where: equals("log.eventCode", 5044)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A change has been made to IPsec settings. A Connection Security Rule was deleted'
-          where: safe("log.eventCode", 0.0)==double(5045)
+          where: equals("log.eventCode", 5045)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A change has been made to IPsec settings. A Crypto Set was added'
-          where: safe("log.eventCode", 0.0)==double(5046)
+          where: equals("log.eventCode", 5046)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A change has been made to IPsec settings. A Crypto Set was modified'
-          where: safe("log.eventCode", 0.0)==double(5047)
+          where: equals("log.eventCode", 5047)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A change has been made to IPsec settings. A Crypto Set was deleted'
-          where: safe("log.eventCode", 0.0)==double(5048)
+          where: equals("log.eventCode", 5048)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An IPsec Security Association was deleted'
-          where: safe("log.eventCode", 0.0)==double(5049)
+          where: equals("log.eventCode", 5049)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE)'
-          where: safe("log.eventCode", 0.0)==double(5050)
+          where: equals("log.eventCode", 5050)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A security setting was updated on OCSP Responder Service'
-          where: safe("log.eventCode", 0.0)==double(5124)
+          where: equals("log.eventCode", 5124)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A directory service object was modified'
-          where: safe("log.eventCode", 0.0)==double(5136)
+          where: equals("log.eventCode", 5136)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A network share object was accessed'
-          where: safe("log.eventCode", 0.0)==double(5140)
+          where: equals("log.eventCode", 5140)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A network share object was added.'
-          where: safe("log.eventCode", 0.0)==double(5142)
+          where: equals("log.eventCode", 5142)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A network share object was modified'
-          where: safe("log.eventCode", 0.0)==double(5143)
+          where: equals("log.eventCode", 5143)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A network share object was deleted.'
-          where: safe("log.eventCode", 0.0)==double(5144)
+          where: equals("log.eventCode", 5144)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Windows Filtering Platform has blocked a packet'
-          where: safe("log.eventCode", 0.0)==double(5146)
+          where: equals("log.eventCode", 5146)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A more restrictive Windows Filtering Platform filter has blocked a packet'
-          where: safe("log.eventCode", 0.0)==double(5147)
+          where: equals("log.eventCode", 5147)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.'
-          where: safe("log.eventCode", 0.0)==double(5148)
+          where: equals("log.eventCode", 5148)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The DoS attack has subsided and normal processing is being resumed.'
-          where: safe("log.eventCode", 0.0)==double(5149)
+          where: equals("log.eventCode", 5149)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Windows Filtering Platform has blocked a packet.'
-          where: safe("log.eventCode", 0.0)==double(5150)
+          where: equals("log.eventCode", 5150)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A more restrictive Windows Filtering Platform filter has blocked a packet.'
-          where: safe("log.eventCode", 0.0)==double(5151)
+          where: equals("log.eventCode", 5151)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Windows Filtering Platform blocked a packet'
-          where: safe("log.eventCode", 0.0)==double(5152)
+          where: equals("log.eventCode", 5152)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A more restrictive Windows Filtering Platform filter has blocked a packet'
-          where: safe("log.eventCode", 0.0)==double(5153)
+          where: equals("log.eventCode", 5153)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections'
-          where: safe("log.eventCode", 0.0)==double(5154)
+          where: equals("log.eventCode", 5154)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections'
-          where: safe("log.eventCode", 0.0)==double(5155)
+          where: equals("log.eventCode", 5155)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Windows Filtering Platform has allowed a connection'
-          where: safe("log.eventCode", 0.0)==double(5156)
+          where: equals("log.eventCode", 5156)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Windows Filtering Platform has blocked a connection'
-          where: safe("log.eventCode", 0.0)==double(5157)
+          where: equals("log.eventCode", 5157)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Windows Filtering Platform has permitted a bind to a local port'
-          where: safe("log.eventCode", 0.0)==double(5158)
+          where: equals("log.eventCode", 5158)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Windows Filtering Platform has blocked a bind to a local port'
-          where: safe("log.eventCode", 0.0)==double(5159)
+          where: equals("log.eventCode", 5159)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A Windows Filtering Platform filter has been changed'
-          where: safe("log.eventCode", 0.0)==double(5447)
+          where: equals("log.eventCode", 5447)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A Windows Filtering Platform provider has been changed'
-          where: safe("log.eventCode", 0.0)==double(5448)
+          where: equals("log.eventCode", 5448)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A Windows Filtering Platform provider context has been changed'
-          where: safe("log.eventCode", 0.0)==double(5449)
+          where: equals("log.eventCode", 5449)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started'
-          where: safe("log.eventCode", 0.0)==double(5453)
+          where: equals("log.eventCode", 5453)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'IPsec Services has been shut down successfully'
-          where: safe("log.eventCode", 0.0)==double(5479)
+          where: equals("log.eventCode", 5479)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'IPsec Services failed to get the complete list of network interfaces on the computer'
-          where: safe("log.eventCode", 0.0)==double(5480)
+          where: equals("log.eventCode", 5480)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'IPsec Services failed to initialize RPC server. IPsec Services could not be started'
-          where: safe("log.eventCode", 0.0)==double(5483)
+          where: equals("log.eventCode", 5483)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'IPsec Services has experienced a critical failure and has been shut down'
-          where: safe("log.eventCode", 0.0)==double(5484)
+          where: equals("log.eventCode", 5484)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces'
-          where: safe("log.eventCode", 0.0)==double(5485)
+          where: equals("log.eventCode", 5485)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A request was made to authenticate to a wireless network'
-          where: safe("log.eventCode", 0.0)==double(5632)
+          where: equals("log.eventCode", 5632)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A request was made to authenticate to a wired network'
-          where: safe("log.eventCode", 0.0)==double(5633)
+          where: equals("log.eventCode", 5633)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.'
-          where: safe("log.eventCode", 0.0)==double(5827)
+          where: equals("log.eventCode", 5827)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'The Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account.'
-          where: safe("log.eventCode", 0.0)==double(5828)
+          where: equals("log.eventCode", 5828)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Security policy in the group policy objects has been applied successfully'
-          where: safe("log.eventCode", 0.0)==double(6144)
+          where: equals("log.eventCode", 6144)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Network Policy Server granted access to a user'
-          where: safe("log.eventCode", 0.0)==double(6272)
+          where: equals("log.eventCode", 6272)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Network Policy Server denied access to a user'
-          where: safe("log.eventCode", 0.0)==double(6273)
+          where: equals("log.eventCode", 6273)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Network Policy Server quarantined a user'
-          where: safe("log.eventCode", 0.0)==double(6276)
+          where: equals("log.eventCode", 6276)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy'
-          where: safe("log.eventCode", 0.0)==double(6277)
+          where: equals("log.eventCode", 6277)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Network Policy Server granted full access to a user because the host met the defined health policy'
-          where: safe("log.eventCode", 0.0)==double(6278)
+          where: equals("log.eventCode", 6278)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Network Policy Server locked the user account due to repeated failed authentication attempts'
-          where: safe("log.eventCode", 0.0)==double(6279)
+          where: equals("log.eventCode", 6279)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Network Policy Server unlocked the user account'
-          where: safe("log.eventCode", 0.0)==double(6280)
+          where: equals("log.eventCode", 6280)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.'
-          where: safe("log.eventCode", 0.0)==double(6404)
+          where: equals("log.eventCode", 6404)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A new external device was recognized by the system.'
-          where: safe("log.eventCode", 0.0)==double(6416)
+          where: equals("log.eventCode", 6416)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A request was made to disable a device'
-          where: safe("log.eventCode", 0.0)==double(6419)
+          where: equals("log.eventCode", 6419)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A device was disabled'
-          where: safe("log.eventCode", 0.0)==double(6420)
+          where: equals("log.eventCode", 6420)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A request was made to enable a device'
-          where: safe("log.eventCode", 0.0)==double(6421)
+          where: equals("log.eventCode", 6421)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'A device was enabled'
-          where: safe("log.eventCode", 0.0)==double(6422)
+          where: equals("log.eventCode", 6422)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'An application or service has attempted to use DCOM without having the necessary permissions.'
-          where: safe("log.eventCode", 0.0)==double(10016)
+          where: equals("log.eventCode", 10016)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Encryption of volume started.'
-          where: safe("log.eventCode", 0.0)==double(24577)
+          where: equals("log.eventCode", 24577)
 
       - add:
           function: 'string'
           params:
             key: log.eventName
             value: 'Decryption of volume started.'
-          where: safe("log.eventCode", 0.0)==double(24580)
+          where: equals("log.eventCode", 24580)
 
       # Decoding the "failureReason" field when the event code is 4625 and adding the "failureReasonDescription" field
       - add:
@@ -2293,49 +2293,49 @@ pipeline:
           params:
             key: log.failureReasonDescription
             value: 'The specified user account has expired.'
-          where: safe("log.winlogEventDataFailureReason", "") == "%%2305" && safe("log.eventCode", 0.0)==double(4625)
+          where: equals("log.winlogEventDataFailureReason", "%%2305") && equals("log.eventCode", 4625)
 
       - add:
           function: 'string'
           params:
             key: log.failureReasonDescription
             value: 'The password for the specified account has expired'
-          where: safe("log.winlogEventDataFailureReason", "") == "%%2309" && safe("log.eventCode", 0.0)==double(4625)
+          where: equals("log.winlogEventDataFailureReason", "%%2309") && equals("log.eventCode", 4625)
 
       - add:
           function: 'string'
           params:
             key: log.failureReasonDescription
             value: 'Account currently disabled'
-          where: safe("log.winlogEventDataFailureReason", "") == "%%2310" && safe("log.eventCode", 0.0)==double(4625)
+          where: equals("log.winlogEventDataFailureReason", "%%2310") && equals("log.eventCode", 4625)
 
       - add:
           function: 'string'
           params:
             key: log.failureReasonDescription
             value: 'Account logon time restriction violation'
-          where: safe("log.winlogEventDataFailureReason", "") == "%%2311" && safe("log.eventCode", 0.0)==double(4625)
+          where: equals("log.winlogEventDataFailureReason", "%%2311") && equals("log.eventCode", 4625)
 
       - add:
           function: 'string'
           params:
             key: log.failureReasonDescription
             value: 'User not allowed to logon at this computer'
-          where: safe("log.winlogEventDataFailureReason", "") == "%%2312" && safe("log.eventCode", 0.0)==double(4625)
+          where: equals("log.winlogEventDataFailureReason", "%%2312") && equals("log.eventCode", 4625)
 
       - add:
           function: 'string'
           params:
             key: log.failureReasonDescription
             value: 'Unknown user name or bad password'
-          where: safe("log.winlogEventDataFailureReason", "") == "%%2313" && safe("log.eventCode", 0.0)==double(4625)
+          where: equals("log.winlogEventDataFailureReason", "%%2313") && equals("log.eventCode", 4625)
 
       - add:
           function: 'string'
           params:
             key: log.failureReasonDescription
             value: 'An Error occurred during Logon'
-          where: safe("log.winlogEventDataFailureReason", "") == "%%2304" && safe("log.eventCode", 0.0)==double(4625)
+          where: equals("log.winlogEventDataFailureReason", "%%2304") && equals("log.eventCode", 4625)
 
       # Decoding the "AccessMask" field when the event code is 4663 and adding the "accessType" and "accessDescription" field
       - add:
@@ -2343,210 +2343,210 @@ pipeline:
           params:
             key: log.accessType
             value: 'read'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x1" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x1") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.\n For a directory, the right to list the contents of the directory.\n For registry objects, this is, Query key value.'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x1" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x1") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessType
             value: 'write'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x2" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x2") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'For a file object, the right to write data to the file.\n For a directory object, the right to create a file in the directory.\n For registry objects, this is, Set key value.'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x2" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x2") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessType
             value: 'append'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x4" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x4") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.)\n For a directory object, the right to create a subdirectory.\n For a named pipe, the right to create a pipe.'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x4" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x4") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessType
             value: 'read_extended_attributes'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x8" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x8") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'The right to read extended file attributes.\n For registry objects, this is, Enumerate sub-keys.'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x8" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x8") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessType
             value: 'write_extended_attributes'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x10" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x10") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'The right to write extended file attributes.'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x10" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x10") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessType
             value: 'execute'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x20" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x20") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.\n For a directory, the right to traverse the directory. By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right.'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x20" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x20") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessType
             value: 'delete_child'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x40" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x40") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'For a directory, the right to delete a directory and all the files it contains, including read-only files.'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x40" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x40") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessType
             value: 'read_attributes'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x80" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x80") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'The right to read file attributes.'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x80" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x80") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessType
             value: 'write_attributes'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x100" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x100") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'The right to write file attributes.'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x100" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x100") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessType
             value: 'delete'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x10000" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x10000") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'The right to delete the object.'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x10000" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x10000") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessType
             value: 'read_control'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x20000" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x20000") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'The right to read information in the security descriptor object, without including the information in the system access control list (SACL).'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x20000" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x20000") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessType
             value: 'write_dac'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x40000" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x40000") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'The right to modify the discretionary access control list (DACL) in the security descriptor object.'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x40000" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x40000") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessType
             value: 'write_owner'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x80000" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x80000") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'The right to change the owner in the security descriptor object'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x80000" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x80000") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessType
             value: 'synchronize'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x100000" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x100000") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x100000" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x100000") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessType
             value: 'access_sys_sec'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x1000000" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x1000000") && equals("log.eventCode", 4663)
 
       - add:
           function: 'string'
           params:
             key: log.accessDescription
             value: 'The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an security descriptor object.'
-          where: safe("log.winlogEeventDataAccessMask", "") == "0x1000000" && safe("log.eventCode", 0.0)==double(4663)
+          where: equals("log.winlogEeventDataAccessMask", "0x1000000") && equals("log.eventCode", 4663)
 
       # Decoding the "eventStatus" field
       - add:
@@ -2554,91 +2554,91 @@ pipeline:
           params:
             key: log.statusDescription
             value: 'Account locked out'
-          where: safe("log.winlogEventDataStatus", "") == "0xC0000234"
+          where: equals("log.winlogEventDataStatus", "0xC0000234")
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Account expired'
-          where: safe("log.winlogEventDataStatus", "") == "0xC0000193"
+          where: equals("log.winlogEventDataStatus", "0xC0000193")
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Clocks out of sync'
-          where: safe("log.winlogEventDataStatus", "") == "0xC0000133"
+          where: equals("log.winlogEventDataStatus", "0xC0000133")
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Password change required'
-          where: safe("log.winlogEventDataStatus", "") == "0xC0000224"
+          where: equals("log.winlogEventDataStatus", "0xC0000224")
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'User does not have logon right'
-          where: safe("log.winlogEventDataStatus", "") == "0xc000015b"
+          where: equals("log.winlogEventDataStatus", "0xc000015b")
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Logon failure'
-          where: safe("log.winlogEventDataStatus", "") == "0xc000006d"
+          where: equals("log.winlogEventDataStatus", "0xc000006d")
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Account restriction'
-          where: safe("log.winlogEventDataStatus", "") == "0xc000006e"
+          where: equals("log.winlogEventDataStatus", "0xc000006e")
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'An error occurred during logon'
-          where: safe("log.winlogEventDataStatus", "") == "0xc00002ee"
+          where: equals("log.winlogEventDataStatus", "0xc00002ee")
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Password expired'
-          where: safe("log.winlogEventDataStatus", "") == "0xC0000071"
+          where: equals("log.winlogEventDataStatus", "0xC0000071")
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Account disabled'
-          where: safe("log.winlogEventDataStatus", "") == "0xC0000072"
+          where: equals("log.winlogEventDataStatus", "0xC0000072")
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Authentication firewall prohibits logon'
-          where: safe("log.winlogEventDataStatus", "") == "0xC0000413"
+          where: equals("log.winlogEventDataStatus", "0xC0000413")
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Incorrect password'
-          where: safe("log.winlogEventDataStatus", "") == "0xc000006a"
+          where: equals("log.winlogEventDataStatus", "0xc000006a")
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Account does not exist'
-          where: safe("log.winlogEventDataStatus", "") == "0xc0000064"
+          where: equals("log.winlogEventDataStatus", "0xc0000064")
 
       # Decoding the "eventStatus" field when the event code is 4771 and adding the "statusDescription"
       - add:
@@ -2646,322 +2646,322 @@ pipeline:
           params:
             key: log.statusDescription
             value: 'Customer database entry has expired'
-          where: safe("log.winlogEventDataStatus", "") == "0x1" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x1") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'The server database entry has expired'
-          where: safe("log.winlogEventDataStatus", "") =="0x2" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x2") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Requested protocol version not supported'
-          where: safe("log.winlogEventDataStatus", "") == "0x3" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x3") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Customer key encrypted in old master key'
-          where: safe("log.winlogEventDataStatus", "") == "0x4" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x4") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Server key encrypted with old master key'
-          where: safe("log.winlogEventDataStatus", "") == "0x5" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x5") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Client not found in Kerberos database'
-          where: safe("log.winlogEventDataStatus", "") == "0x6" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x6") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Server not found in Kerberos database'
-          where: safe("log.winlogEventDataStatus", "") == "0x7" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x7") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Multiple principal entries in database'
-          where: safe("log.winlogEventDataStatus", "") == "0x8" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x8") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'The client or server has a null key'
-          where: safe("log.winlogEventDataStatus", "") == "0x9" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x9") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Ticket not eligible for postdating'
-          where: safe("log.winlogEventDataStatus", "") == "0xA" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0xA") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Requested start time is later than end time'
-          where: safe("log.winlogEventDataStatus", "") == "0xB" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0xB") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'KDC policy rejects request'
-          where: safe("log.winlogEventDataStatus", "") == "0xC" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0xC") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'KDC cannot accommodate requested option'
-          where: safe("log.winlogEventDataStatus", "") == "0xD" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0xD") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'KDC has no support for encryption type'
-          where: safe("log.winlogEventDataStatus", "") == "0xE" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0xE") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'KDC has no support for checksum type'
-          where: safe("log.winlogEventDataStatus", "") == "0xF" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0xF") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'KDC has no support for padata type'
-          where: safe("log.winlogEventDataStatus", "") == "0x10" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x10") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'KDC has no support for transited type'
-          where: safe("log.winlogEventDataStatus", "") == "0x11" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x11") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Clients credentials have been revoked'
-          where: safe("log.winlogEventDataStatus", "") == "0x12" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x12") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Credentials for server have been revoked'
-          where: safe("log.winlogEventDataStatus", "") == "0x13" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x13") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'TGT has been revoked'
-          where: safe("log.winlogEventDataStatus", "") == "0x14" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x14") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Client not yet valid - try again later'
-          where: safe("log.winlogEventDataStatus", "") == "0x15" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x15") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Server not yet valid - try again later'
-          where: safe("log.winlogEventDataStatus", "") == "0x16" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x16") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Password has expired'
-          where: safe("log.winlogEventDataStatus", "") == "0x17" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x17") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Pre-authentication information was invalid'
-          where: safe("log.winlogEventDataStatus", "") == "0x18" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x18") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Additional pre-authentication required'
-          where: safe("log.winlogEventDataStatus", "") == "0x19" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x19") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Integrity check on decrypted field failed'
-          where: safe("log.winlogEventDataStatus", "") == "0x1F" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x1F") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Ticket expired'
-          where: safe("log.winlogEventDataStatus", "") == "0x20" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x20") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Ticket not yet valid'
-          where: safe("log.winlogEventDataStatus", "") == "0x21" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x21") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Request is a replay'
-          where: safe("log.winlogEventDataStatus", "") == "0x22" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x22") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'The ticket is not for us'
-          where: safe("log.winlogEventDataStatus", "") == "0x23" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x23") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Ticket and authenticator is not match'
-          where: safe("log.winlogEventDataStatus", "") == "0x24" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x24") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Clock skew too great'
-          where: safe("log.winlogEventDataStatus", "") == "0x25" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x25") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Incorrect net address'
-          where: safe("log.winlogEventDataStatus", "") == "0x26" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x26") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Protocol version mismatch'
-          where: safe("log.winlogEventDataStatus", "") == "0x27" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x27") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Invalid msg type'
-          where: safe("log.winlogEventDataStatus", "") == "0x28" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x28") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Message stream modified'
-          where: safe("log.winlogEventDataStatus", "") == "0x29" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x29") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Message out of order'
-          where: safe("log.winlogEventDataStatus", "") == "0x2A" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x2A") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Specified version of key is not available'
-          where: safe("log.winlogEventDataStatus", "") == "0x2C" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x2C") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Service key not available'
-          where: safe("log.winlogEventDataStatus", "") == "0x2D" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x2D") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Mutual authentication failed'
-          where: safe("log.winlogEventDataStatus", "") == "0x2E" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x2E") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Incorrect message direction'
-          where: safe("log.winlogEventDataStatus", "") == "0x2F" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x2F") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Alternative authentication method required'
-          where: safe("log.winlogEventDataStatus", "") == "0x30" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x30") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Incorrect sequence number in message'
-          where: safe("log.winlogEventDataStatus", "") == "0x31" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x31") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Inappropriate type of checksum in message'
-          where: safe("log.winlogEventDataStatus", "") == "0x32" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x32") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Generic error (description in e-text)'
-          where: safe("log.winlogEventDataStatus", "") == "0x3C" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x3C") && equals("log.eventCode", 4771)
 
       - add:
           function: 'string'
           params:
             key: log.statusDescription
             value: 'Field is too long for this implementation'
-          where: safe("log.winlogEventDataStatus", "") == "0x3D" && safe("log.eventCode", 0.0)==double(4771)
+          where: equals("log.winlogEventDataStatus", "0x3D") && equals("log.eventCode", 4771)
 
       - delete:
           fields:

From 2462e5fe9cd155fd96c699f81e96342b09001f45 Mon Sep 17 00:00:00 2001
From: Osmany Montero 
Date: Mon, 9 Feb 2026 11:30:49 +0000
Subject: [PATCH 056/105] refactor: Migrate filter configurations from .conf to
 .yml format.

---
 filters/antivirus/checkpoint.conf   | 139 --------
 filters/antivirus/checkpoint.yml    |  49 +++
 filters/hids/hids-wazuh.conf        | 143 ---------
 filters/hids/hids-wazuh.yml         |  59 ++++
 filters/linux/linux-ufw.conf        |  99 ------
 filters/linux/linux-ufw.yml         |  84 +++++
 filters/linux/linux.conf            |  75 -----
 filters/linux/linux.yml             |  55 ++++
 filters/macos/macos-syslog.conf     |  40 ---
 filters/macos/macos-syslog.yml      |  22 ++
 filters/paloalto/pa_cortex_xdr.conf | 470 ----------------------------
 filters/paloalto/pa_cortex_xdr.yml  | 295 +++++++++++++++++
 12 files changed, 564 insertions(+), 966 deletions(-)
 delete mode 100644 filters/antivirus/checkpoint.conf
 create mode 100644 filters/antivirus/checkpoint.yml
 delete mode 100644 filters/hids/hids-wazuh.conf
 create mode 100644 filters/hids/hids-wazuh.yml
 delete mode 100644 filters/linux/linux-ufw.conf
 create mode 100644 filters/linux/linux-ufw.yml
 delete mode 100644 filters/linux/linux.conf
 create mode 100644 filters/linux/linux.yml
 delete mode 100644 filters/macos/macos-syslog.conf
 create mode 100644 filters/macos/macos-syslog.yml
 delete mode 100644 filters/paloalto/pa_cortex_xdr.conf
 create mode 100644 filters/paloalto/pa_cortex_xdr.yml

diff --git a/filters/antivirus/checkpoint.conf b/filters/antivirus/checkpoint.conf
deleted file mode 100644
index 85bb7f135..000000000
--- a/filters/antivirus/checkpoint.conf
+++ /dev/null
@@ -1,139 +0,0 @@
-filter {
-    # CheckPoint filter version 2.0.0
-
-    split {
-     field => "message"
-     terminator => ""
-    }
-    
-    if ![dataType] {
-        #First, define the entry point
-        if [message] and ([message]=~/ CheckPoint \d+ - \[(.+)\]/){
-            
-            #......................................................................# 
-            #Generating dataType and dataSource field required by CurrelationRulesEngine
-            if (![dataSource]){
-              mutate {
-               add_field => { "dataSource" => "%{host}" }
-              }
-           }
-
-            mutate {
-                add_field => { "dataType" => "antivirus-checkpoint" }
-            }
-            
-            #......................................................................#
-            #Using grok to parse header of the message
-            grok {
-                match => {
-                    "message" => "(%{INT:not_defined})?(\s)?(<%{NUMBER:priority}>)?(%{INT:syslog_version})? %{DATA:syslog_time} %{DATA:syslog_host} %{DATA:syslog_app} %{INT:pid} - \[%{GREEDYDATA:json_msg}; \]"
-                }
-            }
-
-            #......................................................................#
-            #Checking that the json_msg field exists
-            if ([json_msg]){
-                
-                #Checking json_msg field
-                if [json_msg]=~/\w+:\"[A-Za-z0-9.:,;_=@&\/\{\}\[\]\s\\\-]+\"/{
-                    mutate {
-                        gsub => ["json_msg", ':"(.*?)"', ':""\1""']
-                    }
-                }
-                    #Converting to a valid json structure
-                mutate {
-                    gsub => ["json_msg", '"" ""', '""X0X""']
-                    gsub => ["json_msg", '(.+)""', '{"\1"}']
-                    gsub => ["json_msg", ':"<', ':""<']
-                    gsub => ["json_msg", '""; ', '","']
-                    gsub => ["json_msg", ':""', '":"']
-                    gsub => ["json_msg", '\[', ';']
-                    gsub => ["json_msg", '\\]', '']
-                }
-                #Parsing json structure
-                json {
-                    source => "json_msg"
-                    target => "[json_fields]"
-                }
-            }
-            
-            #......................................................................#
-            #Adding all fields to json tree structure
-            mutate {
-                rename => { "syslog_app" => "[json_fields][syslog_app]" }
-                rename => { "syslog_time" => "[json_fields][syslog_time]" }
-                rename => { "pid" => "[json_fields][pid]" }
-                rename => { "syslog_host" => "[json_fields][syslog_host]" }
-                rename => { "priority" => "[json_fields][priority]" }
-            }
-
-            #......................................................................#
-            #Removing fields with empty values
-            if [json_fields] {  
-                ruby {
-                    code => '
-                        event.get("[json_fields]").each do |k, v|
-                            if (v != "X0X") 
-                                event.set("[logx][checkpoint][#{k}]",v)
-                            end
-                        end   
-                        '
-                }
-            }
-
-            if [logx][checkpoint][src]{
-                mutate {
-                    rename => { "[logx][checkpoint][src]" => "[logx][checkpoint][src_ip]"}
-                }
-            }
-            if [logx][checkpoint][__policy_id_tag]{
-                
-                #Converting to a valid kv structure
-                mutate {
-                    gsub => ["[logx][checkpoint][__policy_id_tag]", ';', ' ']
-                }
-
-                #......................................................................#
-                #Using the kv filter with default config, usefull in key-value logs
-                kv { 
-                    source => "[logx][checkpoint][__policy_id_tag]" 
-                    allow_duplicate_values => false
-                    target => "[logx][checkpoint][policy_id_tag]"
-                }
-
-                #......................................................................#
-                #Remove fields that have issues with kv filter (spaces or = in value)
-                mutate {
-                    remove_field => ["[logx][checkpoint][policy_id_tag][mgmt]","[logx][checkpoint][policy_id_tag][policy_name]"]
-                }
-                #......................................................................#
-                #Using grok to parse kv issued fields
-                grok {
-                    match => {"[logx][checkpoint][__policy_id_tag]" => [
-                        "mgmt=%{DATA:[logx][checkpoint][policy_id_tag][mgmt]} %{WORD}=",
-                        "mgmt=%{GREEDYDATA:[logx][checkpoint][policy_id_tag][mgmt]}"
-                        ]
-                    }
-                }
-                grok {
-                    match => {"[logx][checkpoint][__policy_id_tag]" => [
-                        "policy_name=%{DATA:[logx][checkpoint][policy_id_tag][policy_name]} %{WORD}=",
-                        "policy_name=%{GREEDYDATA:[logx][checkpoint][policy_id_tag][policy_name]}"
-                        ]
-                    }
-                }
-
-                mutate {
-                    remove_field => ["[logx][checkpoint][__policy_id_tag]"]
-                }
-            }
-            
-            #......................................................................#
-            #Finally, remove unnecessary fields
-            mutate {
-                remove_field => ["@version","timestamp","path","type","syslog_version",
-                "not_defined","msg_all","irrelevant", "json_msg", "json_fields"]
-            }
-        } 
-    }
-}
\ No newline at end of file
diff --git a/filters/antivirus/checkpoint.yml b/filters/antivirus/checkpoint.yml
new file mode 100644
index 000000000..f6a5c1a4a
--- /dev/null
+++ b/filters/antivirus/checkpoint.yml
@@ -0,0 +1,49 @@
+pipeline:
+  - dataTypes:
+      - antivirus-checkpoint
+    steps:
+      # 1. Parse header to extract the payload inside brackets
+      - grok:
+          source: raw
+          patterns:
+            - fieldName: log.header
+              pattern: '{{.data}} - \['
+            - fieldName: log.payload
+              pattern: '{{.data}}'
+            - fieldName: log.footer
+              pattern: '; \]'
+
+      # 2. Parse the payload as Key-Value pairs
+      - kv:
+          source: log.payload
+          fieldSplit: " "
+          valueSplit: ":"
+          
+      # 3. Clean up quotes from values (since we don't have trim_value in kv)
+      # We would need a trim step for every field, but since we don't know all dynamic fields, 
+      # we assume the KV parser handles basic quotes or we accept them. 
+      # However, Logstash config suggests fields might be quoted like field:"value".
+      # The CEL-based KV step usually handles standard formats.
+      
+      # 4. Standard Reference Mapping
+      - rename:
+          from: [log.src]
+          to: origin.ip
+      - rename:
+          from: [log.dst]
+          to: target.ip
+      - rename:
+          from: [log.s_port]
+          to: origin.port
+      - rename:
+          from: [log.service]
+          to: target.port
+
+      # 5. Type Casting
+      - cast:
+          fields: [origin.port, target.port]
+          to: int
+
+      # 6. Clean up
+      - delete:
+          fields: [log.header, log.footer]
diff --git a/filters/hids/hids-wazuh.conf b/filters/hids/hids-wazuh.conf
deleted file mode 100644
index 02e844389..000000000
--- a/filters/hids/hids-wazuh.conf
+++ /dev/null
@@ -1,143 +0,0 @@
-filter {
-    if [path] and [path] == "/var/ossec/logs/alerts/alerts.json" {
-#......................................................................#
-# Filter version 1.0.7
-# Checking agent.id, when value == 000, dataSource is always hids
-        if ([agent][id] and [agent][id] == "000") {
-            mutate {
-            add_field => {
-                "dataSource" => "hids"
-            }
-        }
-        } else {
-        # Make a copy of agent.name
-        mutate {
-               add_field => { "original_agent" => "%{[agent][name]}" }
-            }
-        mutate {
-            rename => ["[agent][name]" , "[dataSrc]"]
-        }
-        # Check if [agent][name] renamed to [dataSrc] exists 
-        if ([dataSrc]) {
-            # Then check computer common naming conventions: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou
-            if([dataSrc] =~ /^(\w)(\w|\.|-)+$/) and !([dataSrc] =~ /^(\d)(\d|\.)+(\d)$/) {
-               mutate {
-                 rename => ["[dataSrc]" , "[dataSource]"]
-               }
-            } else {
-               # If [dataSrc] not match, means that [agent][name] have wrong values so reset to default field name
-               mutate {
-                 rename => ["[dataSrc]" , "[agent][name]"]
-               } 
-            } 
-        }
-        }
-        # If could be parsed, there are no errors so, do the rest
-        # If errors detected in [agent][name], [dataSource] is not in the flow so, do nothing
-        if ([dataSource]) {
-        mutate {
-            add_field => {
-                "dataType" => "hids"
-            }
-            rename => ["[agent][id]" , "[logx][hids][agent_id]"]
-            rename => ["[agent][ip]" , "[logx][hids][agent_ip]"]
-            rename => ["[manager][name]" , "[logx][hids][manager]"]
-        }
-        # Adding agent.name
-        if[agent][name]{
-            mutate { rename => ["[agent][name]" , "[logx][hids][agent_name]"] }
-        } else {
-            mutate { rename => ["[original_agent]" , "[logx][hids][agent_name]"] }
-        }
-        if [data] {
-            mutate {
-                rename => ["[data]", "[logx][hids][data]"]
-            }
-        }
-        if [decoder] and [decoder][name] {
-            mutate {
-                rename => ["[decoder][name]", "[logx][hids][decoder_name]"]
-            }
-            # Separating remove from rename mutations
-            mutate {
-                remove_field => ["decoder"]
-            }
-        }
-        if [location] {
-            mutate {
-                rename => ["[location]", "[logx][hids][location]"]
-            }
-        }
-        if [rule] {
-            mutate {
-                rename => ["[rule]", "[logx][hids][rule]"]
-            }
-          if [logx][hids][rule][level] {
-            if [logx][hids][rule][level] > 11 {
-                mutate {
-                    add_field => {
-                        "[logx][hids][severity]" => 3
-                    }
-                    add_field => {
-                        "[logx][hids][severity_label]" => "High"
-                    }
-                    add_field => {
-                        "[logx][hids][category]" => "Potentially Compromised System"
-                    }
-                }
-            }
-            if [logx][hids][rule][level] <= 11 and [logx][hids][rule][level] >= 7 {
-                mutate {
-                    add_field => {
-                        "[logx][hids][severity]" => 2
-                    }
-                    add_field => {
-                        "[logx][hids][severity_label]" => "Medium"
-                    }
-                    add_field => {
-                        "[logx][hids][category]" => "Potentially Malicious Activity"
-                    }
-                }
-            }
-            if [logx][hids][rule][level] < 7 {
-                mutate {
-                    add_field => {
-                        "[logx][hids][severity]" => 1
-                    }
-                    add_field => {
-                        "[logx][hids][severity_label]" => "Low"
-                    }
-                    add_field => {
-                        "[logx][hids][category]" => "Low Risk or Informational Event"
-                    }
-                }
-            }
-          }
-      }
-
-#......................................................................#
-# Checking again agent.id, when value == 000, dataSource is always hids
-        if ([logx][hids][agent_id] and [logx][hids][agent_id] == "000") {
-            ruby { code => 'event.set("dataSource", "hids")' }
-        }
-#......................................................................#
-# Adding field for filter execution verification 
-        mutate {
-            add_field => {
-                "[logx][hids][filter_version]" => "1.0.7"
-            }
-        }
-#......................................................................#
-# Remove unwanted fields
-        mutate {
-           remove_field => ["host", "type", "timestamp", "manager", "path", "agent"]
-        }
-      }
-
-#......................................................................#
-# If "_jsonparsefailure" in tags, was errors in the incoming json file, so, remove the entire message
-      if "_jsonparsefailure" in [tags] and ![dataSource]{
-        drop {}
-      }
-    }
-}
diff --git a/filters/hids/hids-wazuh.yml b/filters/hids/hids-wazuh.yml
new file mode 100644
index 000000000..4bbc2cc6d
--- /dev/null
+++ b/filters/hids/hids-wazuh.yml
@@ -0,0 +1,59 @@
+pipeline:
+  - dataTypes:
+      - hids
+    steps:
+      # 1. Parse JSON
+      - json:
+          source: raw
+
+      # 2. Rename Agent Fields
+      - rename:
+          from: [log.agent.id]
+          to: log.agent_id
+      - rename:
+          from: [log.agent.ip]
+          to: log.agent_ip
+      - rename:
+          from: [log.agent.name]
+          to: log.agent_name
+      - rename:
+          from: [log.manager.name]
+          to: log.manager
+      
+      # 3. Handle Special "000" Agent Case (from conf)
+      # In the new system, we might just keep the values as is, 
+      # or if we need to enforce dataSource changes, we relies on pipeline logic.
+      # The old conf set "dataSource" => "hids" if agent.id == "000".
+      # This is likely handled by defining the dataType as "hids" for this pipeline.
+
+      # 4. Rename Other Fields
+      - rename:
+          from: [log.decoder.name]
+          to: log.decoder_name
+      - rename:
+          from: [log.rule]
+          to: log.rule
+      - rename:
+          from: [log.location]
+          to: log.location
+      - rename:
+          from: [log.data]
+          to: log.data
+
+      # 5. Severity Mapping based on Rule Level
+      - add:
+          function: string
+          params: { key: severity, value: high }
+          where: 'exists("log.rule.level") && greaterThan("log.rule.level", 11)'
+      - add:
+          function: string
+          params: { key: severity, value: medium }
+          where: 'exists("log.rule.level") && lessOrEqual("log.rule.level", 11) && greaterOrEqual("log.rule.level", 7)'
+      - add:
+          function: string
+          params: { key: severity, value: low }
+          where: 'exists("log.rule.level") && lessThan("log.rule.level", 7)'
+      
+      # 6. Standard UTMStack Fields
+      # If these exist in log.data or elsewhere, they should be mapped.
+      # The conf didn't map to origin.ip/target.ip explicitly unless they were in "data".
diff --git a/filters/linux/linux-ufw.conf b/filters/linux/linux-ufw.conf
deleted file mode 100644
index c3db13d57..000000000
--- a/filters/linux/linux-ufw.conf
+++ /dev/null
@@ -1,99 +0,0 @@
-filter {
-    # Linux UFW filter version 2.0.1
-    split {
-      field => "message"
-      terminator => ""
-    }
-
-    #Looking for datasource generated by an agent and parse original message
-    if [message]=~/\[utm_stack_agent_ds=(.+)\]-(.+)/ {
-      grok {
-        match => {
-          "message" => [ "\[utm_stack_agent_ds=%{DATA:dataSource}\]-%{GREEDYDATA:original_log_message}" ]
-        }
-      }
-    }
-    if [original_log_message] {
-      mutate {
-        update => { "message" => "%{[original_log_message]}" }
-      }
-    }
-    
-    if ![dataType]{
-      if [message] {
-        grok {
-            match => {
-                "message" => [
-                    "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:ufwDataSource} %{DATA:process}(?:\[%{POSINT:pid}\])?:( \[%{NUMBER}\])? \[UFW %{WORD:ufw_action}\] IN=%{DATA:ufw_interface} OUT= MAC=%{DATA:ufw_mac} SRC=%{IP:ufw_src_ip} DST=%{IP:ufw_dest_ip} %{GREEDYDATA} PROTO=%{WORD:ufw_proto} SPT=%{INT:ufw_src_port} DPT=%{INT:ufw_dst_port} %{GREEDYDATA}",
-                    "%{GREEDYDATA}%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:ufwDataSource} %{DATA:process}(?:\[%{POSINT:pid}\])?:( \[%{NUMBER}\])? \[UFW %{WORD:ufw_action}\] IN=%{DATA:ufw_interface} OUT= MAC=%{DATA:ufw_mac} SRC=%{IP:ufw_src_ip} DST=%{IP:ufw_dest_ip} %{GREEDYDATA} PROTO=%{WORD:ufw_proto} SPT=%{INT:ufw_src_port} DPT=%{INT:ufw_dst_port} %{GREEDYDATA}"
-                ]
-            }
-        }
-      }
-    }
-
-#......................................................................#
-#Generating dataSource field required by CurrelationRulesEngine
-#Checks if ufwDataSource exists, if true, the dataSource field take its value, if not, take the agent dataSource value
-    if ([ufwDataSource]){
-        if [dataSource] {
-          mutate {
-            update => { "dataSource" => "%{[ufwDataSource]}" }
-          }
-        } else {
-          mutate {
-            add_field => { "dataSource" => "%{ufwDataSource}" }
-          }
-        }
-    }
-#Finally evaluates to the host variable if can not be calculated
-    if ![dataSource] {
-       mutate {
-          add_field => { "dataSource" => "%{host}" }
-       }
-    }
-
-    if [ufw_action] and ([ufw_action] == "BLOCK" or [ufw_action] == "ALLOW") {
-        mutate {
-            remove_field => [ "message" ]
-            add_field => {"[dataType]" => "firewall-ufw"}
-            rename => {
-                "[process]" => "[logx][ufw][process]"
-            }
-            rename => {
-                "[pid]" => "[logx][ufw][pid]"
-            }
-            rename => {
-                "[ufw_action]" => "[logx][ufw][action]"
-            }
-            rename => {
-                "[ufw_interface]" => "[logx][ufw][interface]"
-            }
-            rename => {
-                "[ufw_mac]" => "[logx][ufw][mac]"
-            }
-            rename => {
-                "[ufw_src_ip]" => "[logx][ufw][src_ip]"
-            }
-            rename => {
-                "[ufw_dest_ip]" => "[logx][ufw][dest_ip]"
-            }
-            rename => {
-                "[ufw_proto]" => "[logx][ufw][proto]"
-            }
-            rename => {
-                "[ufw_src_port]" => "[logx][ufw][src_port]"
-            }
-            rename => {
-                "[ufw_dst_port]" => "[logx][ufw][dest_port]"
-            }
-            rename => {
-                "[timestamp]" => "[logx][ufw][timestamp]"
-            }
-        }
-    }
-   #Also, remove unwanted fields if the message not match with conditions
-   mutate {
-      remove_field => ["@version","ufwDataSource","original_log_message","headers"]
-   }
-}
diff --git a/filters/linux/linux-ufw.yml b/filters/linux/linux-ufw.yml
new file mode 100644
index 000000000..f5840f837
--- /dev/null
+++ b/filters/linux/linux-ufw.yml
@@ -0,0 +1,84 @@
+pipeline:
+  - dataTypes:
+      - firewall-ufw
+    steps:
+      # 1. Handle Agent Wrapper (Optional)
+      - grok:
+          source: raw
+          patterns:
+            - fieldName: log.wrapper_open
+              pattern: '\[utm_stack_agent_ds='
+            - fieldName: log.datasource_override
+              pattern: '{{.data}}'
+            - fieldName: log.wrapper_close
+              pattern: '\]-'
+            - fieldName: log.inner_msg
+              pattern: '{{.greedy}}'
+            - fieldName: log.inner_msg # Fallback if no wrapper, match everything
+              pattern: '{{.greedy}}' 
+
+      # 2. Parse UFW Log
+      - grok:
+          source: log.inner_msg
+          patterns:
+            - fieldName: log.timestamp
+              pattern: '{{.monthName}}(\s+){{.monthDay}}(\s+){{.time}}'
+            - fieldName: log.separator
+              pattern: '{{.space}}'
+            - fieldName: log.ufw_host
+              pattern: '{{.hostname}}'
+            - fieldName: log.separator
+              pattern: '{{.space}}'
+            - fieldName: log.process
+              pattern: '{{.data}}'
+            - fieldName: log.separator
+              pattern: '\[UFW '
+            - fieldName: log.action
+              pattern: '{{.word}}'
+            - fieldName: log.separator
+              pattern: '\] '
+            - fieldName: log.ufw_data
+              pattern: '{{.greedy}}' 
+
+      # 2b. Parse the Key-Value part of UFW
+      - kv:
+          source: log.ufw_data
+          fieldSplit: " "
+          valueSplit: "="
+
+      # 3. Standardize Fields from KV
+      - rename:
+          from: [SRC]
+          to: origin.ip
+      - rename:
+          from: [DST]
+          to: target.ip
+      - rename:
+          from: [SPT]
+          to: origin.port
+      - rename:
+          from: [DPT]
+          to: target.port
+      - rename:
+          from: [PROTO]
+          to: protocol
+      - rename:
+          from: [MAC]
+          to: log.mac
+      - rename:
+          from: [IN]
+          to: log.interface
+
+      # 4. Standardize Action
+      - rename:
+          from: [log.action]
+          to: action
+      
+      # 5. Cast Types
+      - cast:
+          fields: [origin.port, target.port]
+          to: int
+      
+      # 6. Cleanup
+      - delete:
+          fields: [log.wrapper_open, log.wrapper_close, log.inner_msg, log.ufw_data, log.separator]
diff --git a/filters/linux/linux.conf b/filters/linux/linux.conf
deleted file mode 100644
index 8d8e9c39b..000000000
--- a/filters/linux/linux.conf
+++ /dev/null
@@ -1,75 +0,0 @@
-filter {
-    # Linux filter version 2.0.2
-    split {
-      field => "message"
-      terminator => ""
-    }
-
-    #Looking for datasource generated by an agent and parse original message
-    if [message]=~/\[utm_stack_agent_ds=(.+)\]-(.+)/ {
-      grok {
-        match => {
-          "message" => [ "\[utm_stack_agent_ds=%{DATA:dataSource}\]-%{GREEDYDATA:original_log_message}" ]
-        }
-      }
-    }
-    if [original_log_message] {
-      mutate {
-        update => { "message" => "%{[original_log_message]}" }
-      }
-    }
-
-    if ![dataType]{
-      if [message] and !([message]=~/\[UFW \w+\]/){
-        grok {
-            match => {
-                "message" => [
-                    "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:rsyslogDataSource} %{DATA:process}(\[%{POSINT:pid}\])?: %{GREEDYDATA:msg}",
-                    "%{GREEDYDATA}%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:rsyslogDataSource} %{DATA:process}(\[%{POSINT:pid}\])?: %{GREEDYDATA:msg}"
-                ]
-            }
-        }
-
-        #......................................................................#
-        #Generating dataSource field required by CurrelationRulesEngine
-        #Checks if rsyslogDataSource exists, if true, the dataSource field take its value, if not, take the agent dataSource value
-        if ([rsyslogDataSource]){
-            if [dataSource] {
-              mutate {
-                update => { "dataSource" => "%{[rsyslogDataSource]}" }
-              }
-            } else {
-              mutate {
-                add_field => { "dataSource" => "%{rsyslogDataSource}" }
-              }
-            }
-        }
-        #Finally evaluates to the host variable if can not be calculated
-        if ![dataSource] {
-           mutate {
-              add_field => { "dataSource" => "%{host}" }
-           }
-        }
-        
-        if [timestamp] and [dataSource] and [process]{
-            mutate {
-              remove_field => [ "message" ]
-              #Generating dataType field required by CurrelationRulesEngine
-              add_field => {"[dataType]" => "rsyslog-linux"}
-
-              # Rename fields
-              rename => { "[process]" => "[logx][rsyslog_linux][process]" }
-              rename => { "[pid]" => "[logx][rsyslog_linux][pid]" }
-              rename => { "[msg]" => "[logx][rsyslog_linux][msg]" }
-
-              #Finally, remove unnecessary fields
-              remove_field => ["timestamp", "@version","path","type"]
-           }
-        }
-      }
-    }
-   #Also, remove unwanted fields if the message not match with conditions
-   mutate {
-      remove_field => ["@version","rsyslogDataSource","original_log_message","headers"]
-   }
-}
diff --git a/filters/linux/linux.yml b/filters/linux/linux.yml
new file mode 100644
index 000000000..7dad671a1
--- /dev/null
+++ b/filters/linux/linux.yml
@@ -0,0 +1,55 @@
+pipeline:
+  - dataTypes:
+      - rsyslog-linux
+    steps:
+      # 1. Handle Agent Wrapper (Optional)
+      - grok:
+          source: raw
+          patterns:
+            - fieldName: log.wrapper_open
+              pattern: '\[utm_stack_agent_ds='
+            - fieldName: log.datasource_override
+              pattern: '{{.data}}'
+            - fieldName: log.wrapper_close
+              pattern: '\]-'
+            - fieldName: log.inner_msg
+              pattern: '{{.greedy}}'
+            - fieldName: log.inner_msg
+              pattern: '{{.greedy}}'
+
+      # 2. Parse Syslog
+      - grok:
+          source: log.inner_msg
+          patterns:
+            - fieldName: log.timestamp
+              pattern: '{{.monthName}}(\s+){{.monthDay}}(\s+){{.time}}'
+            - fieldName: log.separator
+              pattern: '{{.space}}'
+            - fieldName: log.syslog_host
+              pattern: '{{.hostname}}'
+            - fieldName: log.separator
+              pattern: '{{.space}}'
+            - fieldName: log.process_info
+              pattern: '{{.data}}:'
+            - fieldName: log.message
+              pattern: '{{.greedy}}'
+
+      # 3. Rename Fields
+      # Extract PID if present in process info (e.g. sshd[123])
+      - grok:
+          source: log.process_info
+          patterns:
+            - fieldName: log.process_name
+              pattern: '{{.word}}'
+            - fieldName: log.pid_wrapper
+              pattern: '\[{{.integer}}\]'
+          where: 'contains(log.process_info, "[")'
+      
+      - rename:
+          from: [log.process_info]
+          to: log.process_name
+          where: '!contains(log.process_info, "[")'
+      
+      # 4. Cleanup
+      - delete:
+          fields: [log.wrapper_open, log.wrapper_close, log.inner_msg, log.separator, log.pid_wrapper]
diff --git a/filters/macos/macos-syslog.conf b/filters/macos/macos-syslog.conf
deleted file mode 100644
index 85d297dea..000000000
--- a/filters/macos/macos-syslog.conf
+++ /dev/null
@@ -1,40 +0,0 @@
-filter {
-# MacOS filter, version 3.0.0
-    
-split {
- field => "message"
- terminator => ""
-}
-
-#Looking for datasource generated by an agent and parse original message
-if [message]=~/\[utm_stack_agent_ds=(.+)\]-(.+)/ {
-  grok {
-    match => {
-     "message" => [ "\[utm_stack_agent_ds=%{DATA:dataSource}\]-%{GREEDYDATA:original_log_message}" ]
-    }
-  }
-}
-if [original_log_message] {
-  mutate {
-    update => { "message" => "%{[original_log_message]}" }
-  }
-}
-#......................................................................#
-#Generating dataSource field required by CurrelationRulesEngine
-if ![dataSource] {
-  mutate {
-    add_field => { "dataSource" => "%{host}" }
-  }
-}
-#......................................................................#
-#Generating logx structure
-  mutate {
-    add_field => {"dataType" => "macos"}
-    rename => ["message", "[logx][macos][message]"]
-  }
-
-#Remove unwanted fields if the message not match with conditions
-  mutate {
-    remove_field => ["@version","original_log_message","headers"]
-  }
-}
diff --git a/filters/macos/macos-syslog.yml b/filters/macos/macos-syslog.yml
new file mode 100644
index 000000000..71ac66c8b
--- /dev/null
+++ b/filters/macos/macos-syslog.yml
@@ -0,0 +1,22 @@
+pipeline:
+  - dataTypes:
+      - macos
+    steps:
+      # 1. Handle Agent Wrapper (Optional)
+      - grok:
+          source: raw
+          patterns:
+            - fieldName: log.wrapper_open
+              pattern: '\[utm_stack_agent_ds='
+            - fieldName: log.datasource_override
+              pattern: '{{.data}}'
+            - fieldName: log.wrapper_close
+              pattern: '\]-'
+            - fieldName: log.message
+              pattern: '{{.greedy}}'
+            - fieldName: log.message
+              pattern: '{{.greedy}}'
+      
+      # 2. Cleanup
+      - delete:
+          fields: [log.wrapper_open, log.wrapper_close]
diff --git a/filters/paloalto/pa_cortex_xdr.conf b/filters/paloalto/pa_cortex_xdr.conf
deleted file mode 100644
index a954a7479..000000000
--- a/filters/paloalto/pa_cortex_xdr.conf
+++ /dev/null
@@ -1,470 +0,0 @@
-filter {
-
-# Palo Alto Cortex XDR filter version 2.0.0
-# Support Syslog CEF format and Syslog CSV format
-# Based on CORTEX XDR Pro Administrators Guide version 3.3
-# https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs/cortex-xdr-log-notification-formats (june, 2022)
-
-    split {
-     field => "message"
-     terminator => ""
-    }
-
-    if ![dataType] {
-        #First, search to define the entry point contain CEF:, contain |something, or look for Palo Alto
-        #Also can be syslog CSV format
-        if [message] and ( ( ("CEF:" in [message] or "LEEF:" in [message]) and [message] =~/\|(\w+)?(\s)?Palo(\s)Alto(\s)Networks(\s)?(\w+)?\|/ and [message] =~/\|(\w+)?(\s)?Cortex XDR(\s)?(\w+)?\|/ ) 
-        or ( [message] =~/(threat)(\s)?,(.+),(\s)?(AgentActionReport|AgentDeviceControlViolation|AgentGenericMessage|AgentSamReport|AgentScanReport|AgentSecurityEvent|AgentStatistics|AgentTimelineEvent|ServerLogPerAgent|ServerLogPerTenant|ServerLogSystem)(\s)?,(.+),(\s)?(CYSTATUS_)(.+)/ ) 
-        or (( [message] =~/(config)(\s)?,(\s)?(config)(\s)?,(.+),(\s)?(deviceManagement|distributionManagement|reportManagement|securityEventManagement|systemManagement)(\s)?,(.+)/ ) 
-               or ( [message] =~/(config)(\s)?,(\s)?(policy)(\s)?,(.+),(\s)?(exceptionManagement|policyManagement|profileManagement|sam)(\s)?,(.+)/ ) 
-               or ( [message] =~/(config)(\s)?,(\s)?(system)(\s)?,(.+),(\s)?(licensing|provisioning|tenant|userAuthentication|workerProcessing)(\s)?,(.+)/ ) 
-               or ( [message] =~/(config)(\s)?,(\s)?(agent_log)(\s)?,(.+),(\s)?(agentFlow)(\s)?,(.+)/ ) ) 
-        or (( [message] =~/(analytics)(\s)?,(\s)?(config)(\s)?,(.+),(\s)?(deviceManagement|distributionManagement|reportManagement|securityEventManagement|systemManagement)(\s)?,(.+)/ ) 
-               or ( [message] =~/(analytics)(\s)?,(\s)?(policy)(\s)?,(.+),(\s)?(exceptionManagement|policyManagement|profileManagement|sam)(\s)?,(.+)/ ) 
-               or ( [message] =~/(analytics)(\s)?,(\s)?(system)(\s)?,(.+),(\s)?(licensing|provisioning|tenant|userAuthentication|workerProcessing)(\s)?,(.+)/ ) 
-               or ( [message] =~/(analytics)(\s)?,(\s)?(agent_log)(\s)?,(.+),(\s)?(agentFlow)(\s)?,(.+)/ ) ) 
-        or (( [message] =~/(system)(\s)?,(\s)?(system)(\s)?,(.+),(\s)?(licensing|provisioning|tenant|userAuthentication|workerProcessing)(\s)?,(.+)/ ) ) ){
-#......................................................................#
-#Generating dataSource field required by CurrelationRulesEngine
-#Checks if exists, if not evaluate to the host variable
-           if (![dataSource]){
-              mutate {
-               add_field => { "dataSource" => "%{host}" }
-              }
-           }
-#......................................................................# 
-#Generating dataType field required by CurrelationRulesEngine
-              mutate {
-               add_field => { "dataType" => "paloalto-cortex-xdr" }
-              }
-#......................................................................#
-#If CEF formatted log do the parsing of the message
-        if ("CEF:" in [message] or "LEEF:" in [message]) {
-#......................................................................#
-#Using grok to parse header of the message
-            grok {
-              match => {
-                "message" => [
-                   "(%{INT:not_defined})?(\s)?(<%{NUMBER:priority}>)?(%{INT:syslog_version})?((\s)%{GREEDYDATA:syslog_date_host}(\s))?(?(CEF|LEEF)):(\s)?(?(%{INT}\.%{INT}|%{INT}))%{GREEDYDATA:cef_or_leef_msg_all}"
-                ]
-              }
-            }
-#......................................................................#
-#If CSV formatted log do the parsing of the message (Threat Logs) 
-        } else if ( [message] =~/(threat)(\s)?,(.+),(\s)?(AgentActionReport|AgentDeviceControlViolation|AgentGenericMessage|AgentSamReport|AgentScanReport|AgentSecurityEvent|AgentStatistics|AgentTimelineEvent|ServerLogPerAgent|ServerLogPerTenant|ServerLogSystem)(\s)?,(.+),(\s)?(CYSTATUS_)(.+)/ ) {
-           csv {
-              source => "message"
-              skip_header => "true"
-              columns => ["recordType", "class", "FUTURE_USE", "eventType", "generatedTime", "serverTime", 
-                         "agentTime", "tzOffset", "FUTURE_USE", "facility", "customerId", "trapsId", "serverHost", 
-                         "serverComponentVersion", "regionId", "isEndpoint", "agentId", "osType", "isVdi", "osVersion", "is64", 
-                         "agentIp", "deviceName", "deviceDomain", "severity", "trapsSeverity", "agentVersion", "contentVersion", 
-                         "protectionStatus", "preventionKey", "moduleId", "profile", "moduleStatusId", "verdict", "preventionMode", 
-                         "terminate", "terminateTarget", "quarantine", "block", "postDetected", "eventParameters", 
-                         "sourceProcessIdx", "targetProcessIdx", "fileIdx", "processes", "files", 
-                         "users", "urls", "description"]
-           }
-# Then, move fields to logx structure
-           mutate {
-              rename => { "[recordType]" => "[kv_field][recordType]" }
-              rename => { "[class]" => "[kv_field][class]" }
-              rename => { "[FUTURE_USE]" => "[kv_field][FUTURE_USE]" }
-              rename => { "[eventType]" => "[kv_field][eventType]" }
-              rename => { "[generatedTime]" => "[kv_field][generatedTime]" }
-              rename => { "[serverTime]" => "[kv_field][serverTime]" }
-              rename => { "[agentTime]" => "[kv_field][agentTime]" }
-              rename => { "[tzOffset]" => "[kv_field][tzOffset]" }
-              rename => { "[facility]" => "[kv_field][facility]" }
-              rename => { "[customerId]" => "[kv_field][customerId]" }
-              rename => { "[trapsId]" => "[kv_field][trapsId]" }
-              rename => { "[serverHost]" => "[kv_field][serverHost]" }
-              rename => { "[serverComponentVersion]" => "[kv_field][serverComponentVersion]" }
-              rename => { "[regionId]" => "[kv_field][regionId]" }
-              rename => { "[isEndpoint]" => "[kv_field][isEndpoint]" }
-              rename => { "[agentId]" => "[kv_field][agentId]" }
-              rename => { "[osType]" => "[kv_field][osType]" }
-              rename => { "[isVdi]" => "[kv_field][isVdi]" }
-              rename => { "[osVersion]" => "[kv_field][osVersion]" }
-              rename => { "[is64]" => "[kv_field][is64]" }
-              rename => { "[agentIp]" => "[kv_field][agentIp]" }
-              rename => { "[deviceName]" => "[kv_field][deviceName]" }
-              rename => { "[deviceDomain]" => "[kv_field][deviceDomain]" }
-              rename => { "[severity]" => "[kv_field][severity]" }
-              rename => { "[trapsSeverity]" => "[kv_field][trapsSeverity]" }
-              rename => { "[agentVersion]" => "[kv_field][agentVersion]" }
-              rename => { "[contentVersion]" => "[kv_field][contentVersion]" }
-              rename => { "[protectionStatus]" => "[kv_field][protectionStatus]" }
-              rename => { "[preventionKey]" => "[kv_field][preventionKey]" }
-              rename => { "[moduleId]" => "[kv_field][moduleId]" }
-              rename => { "[profile]" => "[kv_field][profile]" }
-              rename => { "[moduleStatusId]" => "[kv_field][moduleStatusId]" }
-              rename => { "[verdict]" => "[kv_field][verdict]" }
-              rename => { "[preventionMode]" => "[kv_field][preventionMode]" }
-              rename => { "[terminate]" => "[kv_field][terminate]" }
-              rename => { "[terminateTarget]" => "[kv_field][terminateTarget]" }
-              rename => { "[quarantine]" => "[kv_field][quarantine]" }
-              rename => { "[block]" => "[kv_field][block]" }
-              rename => { "[postDetected]" => "[kv_field][postDetected]" }
-              rename => { "[eventParameters]" => "[kv_field][eventParameters]" }
-              rename => { "[sourceProcessIdx]" => "[kv_field][sourceProcessIdx]" }
-              rename => { "[targetProcessIdx]" => "[kv_field][targetProcessIdx]" }
-              rename => { "[fileIdx]" => "[kv_field][fileIdx]" }
-              rename => { "[processes]" => "[kv_field][processes]" }
-              rename => { "[files]" => "[kv_field][files]" }
-              rename => { "[users]" => "[kv_field][users]" }
-              rename => { "[urls]" => "[kv_field][urls]" }
-              rename => { "[description]" => "[kv_field][description]" }
-           }
-#CSV formatted log do the parsing of the message (Config Logs)
-        } else if ( [message] =~/(config)(\s)?,(\s)?(config)(\s)?,(.+),(\s)?(deviceManagement|distributionManagement|reportManagement|securityEventManagement|systemManagement)(\s)?,(.+)/ ) 
-               or ( [message] =~/(config)(\s)?,(\s)?(policy)(\s)?,(.+),(\s)?(exceptionManagement|policyManagement|profileManagement|sam)(\s)?,(.+)/ ) 
-               or ( [message] =~/(config)(\s)?,(\s)?(system)(\s)?,(.+),(\s)?(licensing|provisioning|tenant|userAuthentication|workerProcessing)(\s)?,(.+)/ ) 
-               or ( [message] =~/(config)(\s)?,(\s)?(agent_log)(\s)?,(.+),(\s)?(agentFlow)(\s)?,(.+)/ ) {
-           csv {
-              source => "message"
-              skip_header => "true"
-              columns => ["recordType", "class", "FUTURE_USE", "subClassId", "eventType", "eventCategory", 
-                          "generatedTime", "serverTime", "FUTURE_USE", "facility", "customerId", "trapsId", "serverHost", 
-                          "serverComponentVersion", "regionId", "isEndpoint", "severity", "trapsSeverity", "messageCode", 
-                          "friendlyName", "FUTURE_USE", "msgTextEn", "userFullName", "userName", "userRole", "userDomain", 
-                          "additionalData", "messageCode2", "errorText", "errorData", "resultData"
-              ]
-           }
-# Then, move fields to logx structure
-           mutate {
-              rename => { "[recordType]" => "[kv_field][recordType]" }
-              rename => { "[class]" => "[kv_field][class]" }
-              rename => { "[FUTURE_USE]" => "[kv_field][FUTURE_USE]" }
-              rename => { "[subClassId]" => "[kv_field][subClassId]" }
-              rename => { "[eventType]" => "[kv_field][eventType]" }
-              rename => { "[eventCategory]" => "[kv_field][eventCategory]" }
-              rename => { "[generatedTime]" => "[kv_field][generatedTime]" }
-              rename => { "[serverTime]" => "[kv_field][serverTime]" }
-              rename => { "[facility]" => "[kv_field][facility]" }
-              rename => { "[customerId]" => "[kv_field][customerId]" }
-              rename => { "[trapsId]" => "[kv_field][trapsId]" }
-              rename => { "[serverHost]" => "[kv_field][serverHost]" }
-              rename => { "[serverComponentVersion]" => "[kv_field][serverComponentVersion]" }
-              rename => { "[regionId]" => "[kv_field][regionId]" }
-              rename => { "[isEndpoint]" => "[kv_field][isEndpoint]" }
-              rename => { "[severity]" => "[kv_field][severity]" }
-              rename => { "[trapsSeverity]" => "[kv_field][trapsSeverity]" }
-              rename => { "[messageCode]" => "[kv_field][messageCode]" }
-              rename => { "[friendlyName]" => "[kv_field][friendlyName]" }
-              rename => { "[msgTextEn]" => "[kv_field][msgTextEn]" }
-              rename => { "[userFullName]" => "[kv_field][userFullName]" }
-              rename => { "[userName]" => "[kv_field][userName]" }
-              rename => { "[userRole]" => "[kv_field][userRole]" }
-              rename => { "[userDomain]" => "[kv_field][userDomain]" }
-              rename => { "[additionalData]" => "[kv_field][additionalData]" }
-              rename => { "[messageCode2]" => "[kv_field][messageCode2]" }
-              rename => { "[errorText]" => "[kv_field][errorText]" }
-              rename => { "[errorData]" => "[kv_field][errorData]" }
-              rename => { "[resultData]" => "[kv_field][resultData]" }
-           }
-#CSV formatted log do the parsing of the message (Analytics Logs)
-        } else if ( [message] =~/(analytics)(\s)?,(\s)?(config)(\s)?,(.+),(\s)?(deviceManagement|distributionManagement|reportManagement|securityEventManagement|systemManagement)(\s)?,(.+)/ ) 
-               or ( [message] =~/(analytics)(\s)?,(\s)?(policy)(\s)?,(.+),(\s)?(exceptionManagement|policyManagement|profileManagement|sam)(\s)?,(.+)/ ) 
-               or ( [message] =~/(analytics)(\s)?,(\s)?(system)(\s)?,(.+),(\s)?(licensing|provisioning|tenant|userAuthentication|workerProcessing)(\s)?,(.+)/ ) 
-               or ( [message] =~/(analytics)(\s)?,(\s)?(agent_log)(\s)?,(.+),(\s)?(agentFlow)(\s)?,(.+)/ ) {
-           csv {
-              source => "message"
-              skip_header => "true"
-              columns => ["recordType", "class", "FUTURE_USE", "eventType", "eventCategory", "generatedTime", 
-              "serverTime", "agentTime", "tzOffset", "FUTURE_USE", "facility", "customerId", "trapsId", "serverHost", 
-              "serverComponentVersion", "regionId", "isEndpoint", "agentId", "osType", "isVdi", "osVersion", "is64", 
-              "agentIp", "deviceName", "deviceDomain", "severity", "agentVersion", "contentVersion", 
-              "protectionStatus", "sha256", "type", "parentSha256", "lastSeen", "fileName", "filePath", 
-              "fileSize", "localAnalysisResult", "reported", "blocked", "executionCount"
-              ]
-           }
-# Then, move fields to logx structure
-           mutate {
-              rename => { "[recordType]" => "[kv_field][recordType]" }
-              rename => { "[class]" => "[kv_field][class]" }
-              rename => { "[FUTURE_USE]" => "[kv_field][FUTURE_USE]" }
-              rename => { "[eventType]" => "[kv_field][eventType]" }
-              rename => { "[eventCategory]" => "[kv_field][eventCategory]" }
-              rename => { "[generatedTime]" => "[kv_field][generatedTime]" }
-              rename => { "[serverTime]" => "[kv_field][serverTime]" }
-              rename => { "[agentTime]" => "[kv_field][agentTime]" }
-              rename => { "[tzOffset]" => "[kv_field][tzOffset]" }
-              rename => { "[facility]" => "[kv_field][facility]" }
-              rename => { "[customerId]" => "[kv_field][customerId]" }
-              rename => { "[trapsId]" => "[kv_field][trapsId]" }
-              rename => { "[serverHost]" => "[kv_field][serverHost]" }
-              rename => { "[serverComponentVersion]" => "[kv_field][serverComponentVersion]" }
-              rename => { "[regionId]" => "[kv_field][regionId]" }
-              rename => { "[isEndpoint]" => "[kv_field][isEndpoint]" }
-              rename => { "[agentId]" => "[kv_field][agentId]" }
-              rename => { "[osType]" => "[kv_field][osType]" }
-              rename => { "[isVdi]" => "[kv_field][isVdi]" }
-              rename => { "[osVersion]" => "[kv_field][osVersion]" }
-              rename => { "[is64]" => "[kv_field][is64]" }
-              rename => { "[agentIp]" => "[kv_field][agentIp]" }
-              rename => { "[deviceName]" => "[kv_field][deviceName]" }
-              rename => { "[deviceDomain]" => "[kv_field][deviceDomain]" }
-              rename => { "[severity]" => "[kv_field][severity]" }
-              rename => { "[agentVersion]" => "[kv_field][agentVersion]" }
-              rename => { "[contentVersion]" => "[kv_field][contentVersion]" }
-              rename => { "[protectionStatus]" => "[kv_field][protectionStatus]" }
-              rename => { "[sha256]" => "[kv_field][sha256]" }
-              rename => { "[type]" => "[kv_field][type]" }
-              rename => { "[parentSha256]" => "[kv_field][parentSha256]" }
-              rename => { "[lastSeen]" => "[kv_field][lastSeen]" }
-              rename => { "[fileName]" => "[kv_field][fileName]" }
-              rename => { "[filePath]" => "[kv_field][filePath]" }
-              rename => { "[fileSize]" => "[kv_field][fileSize]" }
-              rename => { "[localAnalysisResult]" => "[kv_field][localAnalysisResult]" }
-              rename => { "[reported]" => "[kv_field][reported]" }
-              rename => { "[blocked]" => "[kv_field][blocked]" }
-              rename => { "[executionCount]" => "[kv_field][executionCount]" }
-           }
-#CSV formatted log do the parsing of the message (System Logs)
-        } else if ( [message] =~/(system)(\s)?,(\s)?(system)(\s)?,(.+),(\s)?(licensing|provisioning|tenant|userAuthentication|workerProcessing)(\s)?,(.+)/ ) {
-           csv {
-              source => "message"
-              skip_header => "true"
-              columns => ["recordType", "class", "FUTURE_USE", "subClassId", "eventType", "eventCategory", 
-                         "generatedTime", "serverTime", "FUTURE_USE", "facility", "customerId", "trapsId", "serverHost", 
-                         "serverComponentVersion", "regionId", "isEndpoint", "agentId", "severity", "trapsSeverity", "messageCode", 
-                         "friendlyName", "FUTURE_USE", "msgTextEn", "userFullName", "username", "userRole", "userDomain", 
-                         "agentTime", "tzOffset", "osType", "isVdi", "osVersion", "is64", "agentIp", "deviceName", "deviceDomain", 
-                         "agentVersion", "contentVersion", "protectionStatus", "userFullName2", "username2", "userRole2", "userDomain2", 
-                         "messageName", "messageId", "processStatus", "errorText", "errorData", "resultData", "parameters", 
-                         "additionalData"
-              ]
-           }
-# Then, move fields to logx structure
-           mutate {
-              rename => { "[recordType]" => "[kv_field][recordType]" }
-              rename => { "[class]" => "[kv_field][class]" }
-              rename => { "[FUTURE_USE]" => "[kv_field][FUTURE_USE]" }
-              rename => { "[subClassId]" => "[kv_field][subClassId]" }
-              rename => { "[eventType]" => "[kv_field][eventType]" }
-              rename => { "[eventCategory]" => "[kv_field][eventCategory]" }
-              rename => { "[generatedTime]" => "[kv_field][generatedTime]" }
-              rename => { "[serverTime]" => "[kv_field][serverTime]" }
-              rename => { "[facility]" => "[kv_field][facility]" }
-              rename => { "[customerId]" => "[kv_field][customerId]" }
-              rename => { "[trapsId]" => "[kv_field][trapsId]" }
-              rename => { "[serverHost]" => "[kv_field][serverHost]" }
-              rename => { "[serverComponentVersion]" => "[kv_field][serverComponentVersion]" }
-              rename => { "[regionId]" => "[kv_field][regionId]" }
-              rename => { "[isEndpoint]" => "[kv_field][isEndpoint]" }
-              rename => { "[agentId]" => "[kv_field][agentId]" }
-              rename => { "[severity]" => "[kv_field][severity]" }
-              rename => { "[trapsSeverity]" => "[kv_field][trapsSeverity]" }
-              rename => { "[messageCode]" => "[kv_field][messageCode]" }
-              rename => { "[friendlyName]" => "[kv_field][friendlyName]" }
-              rename => { "[msgTextEn]" => "[kv_field][msgTextEn]" }
-              rename => { "[userFullName]" => "[kv_field][userFullName]" }
-              rename => { "[username]" => "[kv_field][username]" }
-              rename => { "[userRole]" => "[kv_field][userRole]" }
-              rename => { "[userDomain]" => "[kv_field][userDomain]" }
-              rename => { "[agentTime]" => "[kv_field][agentTime]" }
-              rename => { "[tzOffset]" => "[kv_field][tzOffset]" }
-              rename => { "[osType]" => "[kv_field][osType]" }
-              rename => { "[isVdi]" => "[kv_field][isVdi]" }
-              rename => { "[osVersion]" => "[kv_field][osVersion]" }
-              rename => { "[is64]" => "[kv_field][is64]" }
-              rename => { "[agentIp]" => "[kv_field][agentIp]" }
-              rename => { "[deviceName]" => "[kv_field][deviceName]" }
-              rename => { "[deviceDomain]" => "[kv_field][deviceDomain]" }
-              rename => { "[agentVersion]" => "[kv_field][agentVersion]" }
-              rename => { "[contentVersion]" => "[kv_field][contentVersion]" }
-              rename => { "[protectionStatus]" => "[kv_field][protectionStatus]" }
-              rename => { "[userFullName2]" => "[kv_field][userFullName2]" }
-              rename => { "[username2]" => "[kv_field][username2]" }
-              rename => { "[userRole2]" => "[kv_field][userRole2]" }
-              rename => { "[userDomain2]" => "[kv_field][userDomain2]" }
-              rename => { "[messageName]" => "[kv_field][messageName]" }
-              rename => { "[messageId]" => "[kv_field][messageId]" }
-              rename => { "[processStatus]" => "[kv_field][processStatus]" }
-              rename => { "[errorText]" => "[kv_field][errorText]" }
-              rename => { "[errorData]" => "[kv_field][errorData]" }
-              rename => { "[resultData]" => "[kv_field][resultData]" }
-              rename => { "[parameters]" => "[kv_field][parameters]" }
-              rename => { "[additionalData]" => "[kv_field][additionalData]" }
-              
-           }
-
-        }
-        if ("CEF:" in [message] ) {
-#......................................................................#
-#Logs have different structure according to CORTEX XDR Log Types, so first, define Log Type
-#Using grok to parse components of the cef_message
-#......................................................................#
-
-          if ([cef_or_leef_msg_all]){
-              grok {
-               match => {
-                 "cef_or_leef_msg_all" => [
-                    "\|%{DATA:embDeviceVendor}\|%{DATA:embDeviceProduct}\|%{DATA:embDeviceVersion}\|%{DATA:embDeviceEventClass}\|%{DATA:act_msg}\|%{DATA:severity}\|%{GREEDYDATA:cef_or_leef_msg}"
-                  ]
-               }
-              }
-
-#......................................................................#
-#Using grok to parse individual fields 
-             grok { match => { "cef_or_leef_msg" => ["act=%{DATA:act} %{WORD}=","act=%{GREEDYDATA:act}"] } }
-             grok { match => { "cef_or_leef_msg" => ["cat=%{DATA:cat} %{WORD}=","cat=%{GREEDYDATA:cat}"] } }
-             grok { match => { "cef_or_leef_msg" => ["cs1=%{DATA:cs1} %{WORD}=","cs1=%{GREEDYDATA:cs1}"] } }
-             grok { match => { "cef_or_leef_msg" => ["cs1Label=%{DATA:cs1Label} %{WORD}=","cs1Label=%{GREEDYDATA:cs1Label}"] } }
-             grok { match => { "cef_or_leef_msg" => ["cs2=%{DATA:cs2} %{WORD}=","cs2=%{GREEDYDATA:cs2}"] } }
-             grok { match => { "cef_or_leef_msg" => ["cs2Label=%{DATA:cs2Label} %{WORD}=","cs2Label=%{GREEDYDATA:cs2Label}"] } }
-             grok { match => { "cef_or_leef_msg" => ["cs3=%{DATA:cs3} %{WORD}=","cs3=%{GREEDYDATA:cs3}"] } }
-             grok { match => { "cef_or_leef_msg" => ["cs3Label=%{DATA:cs3Label} %{WORD}=","cs3Label=%{GREEDYDATA:cs3Label}"] } }
-             grok { match => { "cef_or_leef_msg" => ["cs4=%{DATA:cs4} %{WORD}=","cs4=%{GREEDYDATA:cs4}"] } }
-             grok { match => { "cef_or_leef_msg" => ["cs4Label=%{DATA:cs4Label} %{WORD}=","cs4Label=%{GREEDYDATA:cs4Label}"] } }
-             grok { match => { "cef_or_leef_msg" => ["cs5=%{DATA:cs5} %{WORD}=","cs5=%{GREEDYDATA:cs5}"] } }
-             grok { match => { "cef_or_leef_msg" => ["cs5Label=%{DATA:cs5Label} %{WORD}=","cs5Label=%{GREEDYDATA:cs5Label}"] } }
-             grok { match => { "cef_or_leef_msg" => ["cs6=%{DATA:cs6} %{WORD}=","cs6=%{GREEDYDATA:cs6}"] } }
-             grok { match => { "cef_or_leef_msg" => ["cs6Label=%{DATA:cs6Label} %{WORD}=","cs6Label=%{GREEDYDATA:cs6Label}"] } }
-             grok { match => { "cef_or_leef_msg" => ["CSPaccountname=%{DATA:CSPaccountname} %{WORD}=","CSPaccountname=%{GREEDYDATA:CSPaccountname}"] } }
-             grok { match => { "cef_or_leef_msg" => ["deviceFacility=%{DATA:deviceFacility} %{WORD}=","deviceFacility=%{GREEDYDATA:deviceFacility}"] } }
-             grok { match => { "cef_or_leef_msg" => ["dpt=%{DATA:dpt} %{WORD}=","dpt=%{GREEDYDATA:dpt}"] } }
-             grok { match => { "cef_or_leef_msg" => ["dst=%{DATA:dst} %{WORD}=","dst=%{GREEDYDATA:dst}"] } }
-             grok { match => { "cef_or_leef_msg" => ["dvchost=%{DATA:dvchost} %{WORD}=","dvchost=%{GREEDYDATA:dvchost}"] } }
-             grok { match => { "cef_or_leef_msg" => ["end=%{DATA:end} %{WORD}=","end=%{GREEDYDATA:end}"] } }
-             grok { match => { "cef_or_leef_msg" => ["externalId=%{DATA:externalId} %{WORD}=","externalId=%{GREEDYDATA:externalId}"] } }
-             grok { match => { "cef_or_leef_msg" => ["fileHash=%{DATA:fileHash} %{WORD}=","fileHash=%{GREEDYDATA:fileHash}"] } }
-             grok { match => { "cef_or_leef_msg" => ["filePath=%{DATA:filePath} %{WORD}=","filePath=%{GREEDYDATA:filePath}"] } }
-             grok { match => { "cef_or_leef_msg" => ["incident=%{DATA:incident} %{WORD}=","incident=%{GREEDYDATA:incident}"] } }
-             grok { match => { "cef_or_leef_msg" => ["initiatorPath=%{DATA:initiatorPath} %{WORD}=","initiatorPath=%{GREEDYDATA:initiatorPath}"] } }
-             grok { match => { "cef_or_leef_msg" => ["initiatorSha256=%{DATA:initiatorSha256} %{WORD}=","initiatorSha256=%{GREEDYDATA:initiatorSha256}"] } }
-             grok { match => { "cef_or_leef_msg" => ["msg=%{DATA:msg} %{WORD}=","msg=%{GREEDYDATA:msg}"] } }
-             grok { match => { "cef_or_leef_msg" => ["osParentCmd=%{DATA:osParentCmd} %{WORD}=","osParentCmd=%{GREEDYDATA:osParentCmd}"] } }
-             grok { match => { "cef_or_leef_msg" => ["osParentName=%{DATA:osParentName} %{WORD}=","osParentName=%{GREEDYDATA:osParentName}"] } }
-             grok { match => { "cef_or_leef_msg" => ["osParentSha256=%{DATA:osParentSha256} %{WORD}=","osParentSha256=%{GREEDYDATA:osParentSha256}"] } }
-             grok { match => { "cef_or_leef_msg" => ["osParentSignature=%{DATA:osParentSignature} %{WORD}=","osParentSignature=%{GREEDYDATA:osParentSignature}"] } }
-             grok { match => { "cef_or_leef_msg" => ["osParentSigner=%{DATA:osParentSigner} %{WORD}=","osParentSigner=%{GREEDYDATA:osParentSigner}"] } }
-             grok { match => { "cef_or_leef_msg" => ["request=%{DATA:request} %{WORD}=","request=%{GREEDYDATA:request}"] } }
-             grok { match => { "cef_or_leef_msg" => ["rt=%{DATA:rt} %{WORD}=","rt=%{GREEDYDATA:rt}"] } }
-             grok { match => { "cef_or_leef_msg" => ["shost=%{DATA:shost} %{WORD}=","shost=%{GREEDYDATA:shost}"] } }
-             grok { match => { "cef_or_leef_msg" => ["spt=%{DATA:spt} %{WORD}=","spt=%{GREEDYDATA:spt}"] } }
-             grok { match => { "cef_or_leef_msg" => ["src=%{DATA:src} %{WORD}=","src=%{GREEDYDATA:src}"] } }
-             grok { match => { "cef_or_leef_msg" => ["suser=%{DATA:suser} %{WORD}=","suser=%{GREEDYDATA:suser}"] } }
-             grok { match => { "cef_or_leef_msg" => ["targetprocesssignature=%{DATA:targetprocesssignature} %{WORD}=","targetprocesssignature=%{GREEDYDATA:targetprocesssignature}"] } }
-             grok { match => { "cef_or_leef_msg" => ["tenantCDLid=%{DATA:tenantCDLid} %{WORD}=","tenantCDLid=%{GREEDYDATA:tenantCDLid}"] } }
-             grok { match => { "cef_or_leef_msg" => ["tenantname=%{DATA:tenantname} %{WORD}=","tenantname=%{GREEDYDATA:tenantname}"] } }
-
-        #......................................................................# 
-        #First, replace whitespaces with default string after = to avoid issues, example:
-
-            mutate {
-              gsub => [
-                "cef_or_leef_msg", "(\w+)= ", "\1=X0X "
-              ]
-            }
-            mutate {
-         #Rename fields (individual groks)
-              rename => { "[act]" => "[kv_field][act]" }
-              rename => { "[cat]" => "[kv_field][cat]" }
-              rename => { "[cs1]" => "[kv_field][cs1]" }
-              rename => { "[cs1Label]" => "[kv_field][cs1Label]" }
-              rename => { "[cs2]" => "[kv_field][cs2]" }
-              rename => { "[cs2Label]" => "[kv_field][cs2Label]" }
-              rename => { "[cs3]" => "[kv_field][cs3]" }
-              rename => { "[cs3Label]" => "[kv_field][cs3Label]" }
-              rename => { "[cs4]" => "[kv_field][cs4]" }
-              rename => { "[cs4Label]" => "[kv_field][cs4Label]" }
-              rename => { "[cs5]" => "[kv_field][cs5]" }
-              rename => { "[cs5Label]" => "[kv_field][cs5Label]" }
-              rename => { "[cs6]" => "[kv_field][cs6]" }
-              rename => { "[cs6Label]" => "[kv_field][cs6Label]" }
-              rename => { "[CSPaccountname]" => "[kv_field][CSPaccountname]" }
-              rename => { "[deviceFacility]" => "[kv_field][deviceFacility]" }
-              rename => { "[dpt]" => "[kv_field][dpt]" }
-              rename => { "[dst]" => "[kv_field][dst]" }
-              rename => { "[dvchost]" => "[kv_field][dvchost]" }
-              rename => { "[end]" => "[kv_field][end]" }
-              rename => { "[externalId]" => "[kv_field][externalId]" }
-              rename => { "[fileHash]" => "[kv_field][fileHash]" }
-              rename => { "[filePath]" => "[kv_field][filePath]" }
-              rename => { "[incident]" => "[kv_field][incident]" }
-              rename => { "[initiatorPath]" => "[kv_field][initiatorPath]" }
-              rename => { "[initiatorSha256]" => "[kv_field][initiatorSha256]" }
-              rename => { "[msg]" => "[kv_field][msg]" }
-              rename => { "[osParentCmd]" => "[kv_field][osParentCmd]" }
-              rename => { "[osParentName]" => "[kv_field][osParentName]" }
-              rename => { "[osParentSha256]" => "[kv_field][osParentSha256]" }
-              rename => { "[osParentSignature]" => "[kv_field][osParentSignature]" }
-              rename => { "[osParentSigner]" => "[kv_field][osParentSigner]" }
-              rename => { "[request]" => "[kv_field][request]" }
-              rename => { "[rt]" => "[kv_field][rt]" }
-              rename => { "[shost]" => "[kv_field][shost]" }
-              rename => { "[spt]" => "[kv_field][spt]" }
-              rename => { "[src]" => "[kv_field][src]" }
-              rename => { "[suser]" => "[kv_field][suser]" }
-              rename => { "[targetprocesssignature]" => "[kv_field][targetprocesssignature]" }
-              rename => { "[tenantCDLid]" => "[kv_field][tenantCDLid]" }
-              rename => { "[tenantname]" => "[kv_field][tenantname]" }
-            }
-          }
-        }
-#......................................................................#
-#Add standard fields to the tree structure
-#......................................................................#
-        mutate {
-          #Rename the fileds
-          rename => { "[embDeviceVendor]" => "[kv_field][embDeviceVendor]" }
-          rename => { "[embDeviceProduct]" => "[kv_field][embDeviceProduct]" }
-          rename => { "[format_version]" => "[kv_field][format_version]" }
-          rename => { "[format_type]" => "[kv_field][format_type]" }
-          rename => { "[embDeviceVersion]" => "[kv_field][embDeviceVersion]" }
-          rename => { "[priority]" => "[kv_field][priority]" }
-          rename => { "[severity]" => "[kv_field][severity]" }
-          rename => { "[embDeviceEventClass]" => "[kv_field][embDeviceEventClass]" }
-          rename => { "[act_msg]" => "[kv_field][act_msg]" }
-          rename => { "[message]" => "[kv_field][message]" }
-        }
-
-#......................................................................#
-#Correlation standard fields
-#......................................................................#
-    #src can be in multiple fields
-    if [kv_field][src] {
-        mutate {
-          rename => { "[kv_field][src]" => "[kv_field][src_ip]" }
-        }
-    }
-
-        mutate {
-          rename => { "[kv_field][dst]" => "[kv_field][dest_ip]" }
-          rename => { "[kv_field][spt]" => "[kv_field][src_port]" }
-          rename => { "[kv_field][dpt]" => "[kv_field][dest_port]" }
-        }
-
-#......................................................................#
-#Set null the fields with de X0X value (default string for null), and replace simple and double quotation
-#also generate logx tree structure dynamically
-          if [kv_field] {
-            ruby {
-                code => '
-                    event.get("[kv_field]").each do |k, v|
-                          if (v == "X0X") 
-                            event.set("[logx][paloalto_cortex_xdr][#{k}]",nil)
-                          elsif (k=~/(\W)$/)
-                              event.remove(k)
-                          elsif !(v.kind_of?(Array))
-                              new_v = v.to_s.gsub(/\"/, "")
-                              new_v = new_v.gsub(/\'/, "")
-                              event.set("[logx][paloalto_cortex_xdr][#{k}]",new_v)
-                          else
-                              event.set("[logx][paloalto_cortex_xdr][#{k}]",v)
-                          end
-                       end   
-                    '
-            }
-          }
-#......................................................................#
-   #Finally, remove unnecessary fields
-   mutate {
-      remove_field => ["@version","path","tags","type","syslog_version","kv_field",
-      "not_defined","cef_or_leef_msg_all","cef_or_leef_msg","syslog_date_host",
-      "irrelevant","init_msg","[logx][paloalto_cortex_xdr][FUTURE_USE]"]
-   }
-  }
- }
-}
diff --git a/filters/paloalto/pa_cortex_xdr.yml b/filters/paloalto/pa_cortex_xdr.yml
new file mode 100644
index 000000000..81a664a47
--- /dev/null
+++ b/filters/paloalto/pa_cortex_xdr.yml
@@ -0,0 +1,295 @@
+pipeline:
+  - dataTypes:
+      - paloalto-cortex-xdr
+    steps:
+      # ==================================================================================
+      # 1. CEF / LEEF Handling
+      # ==================================================================================
+      - grok:
+          source: raw
+          where: 'contains(raw, "CEF:") || contains(raw, "LEEF:")'
+          patterns:
+            - fieldName: log.format_type
+              pattern: '{{.word}}'   # Extracts CEF or LEEF
+            - fieldName: log.ignore
+              pattern: ':'
+            - fieldName: log.format_version
+              pattern: '{{.data}}'   # Extracts version until next |
+            - fieldName: log.ignore
+              pattern: '\|'
+            - fieldName: log.vendor
+              pattern: '{{.data}}'
+            - fieldName: log.ignore
+              pattern: '\|'
+            - fieldName: log.product
+              pattern: '{{.data}}'
+            - fieldName: log.ignore
+              pattern: '\|'
+            - fieldName: log.device_version
+              pattern: '{{.data}}'
+            - fieldName: log.ignore
+              pattern: '\|'
+            - fieldName: log.event_class
+              pattern: '{{.data}}'
+            - fieldName: log.ignore
+              pattern: '\|'
+            - fieldName: log.name
+              pattern: '{{.data}}'
+            - fieldName: log.ignore
+              pattern: '\|'
+            - fieldName: log.severity
+              pattern: '{{.data}}'
+            - fieldName: log.ignore
+              pattern: '\|'
+            - fieldName: log.extension
+              pattern: '{{.greedy}}'
+
+      - kv:
+          source: log.extension
+          where: 'exists("log.extension")'
+          fieldSplit: " "
+          valueSplit: "="
+      
+      # Cleanup CEF fields
+      - delete:
+          fields: [log.ignore]
+
+      # ==================================================================================
+      # 2. CSV Handling - Threat Logs
+      # ==================================================================================
+      # Regex: (threat)(\s)?,...
+      - csv:
+          source: raw
+          where: 'regexMatch(raw, "^(threat)(\\s)?,.*")'
+          separator: ","
+          headers: 
+            - log.recordType
+            - log.class
+            - log.FUTURE_USE
+            - log.eventType
+            - log.generatedTime
+            - log.serverTime
+            - log.agentTime
+            - log.tzOffset
+            - log.FUTURE_USE_2
+            - log.facility
+            - log.customerId
+            - log.trapsId
+            - log.serverHost
+            - log.serverComponentVersion
+            - log.regionId
+            - log.isEndpoint
+            - log.agentId
+            - log.osType
+            - log.isVdi
+            - log.osVersion
+            - log.is64
+            - log.agentIp
+            - log.deviceName
+            - log.deviceDomain
+            - log.severity
+            - log.trapsSeverity
+            - log.agentVersion
+            - log.contentVersion
+            - log.protectionStatus
+            - log.preventionKey
+            - log.moduleId
+            - log.profile
+            - log.moduleStatusId
+            - log.verdict
+            - log.preventionMode
+            - log.terminate
+            - log.terminateTarget
+            - log.quarantine
+            - log.block
+            - log.postDetected
+            - log.eventParameters
+            - log.sourceProcessIdx
+            - log.targetProcessIdx
+            - log.fileIdx
+            - log.processes
+            - log.files
+            - log.users
+            - log.urls
+            - log.description
+
+      # ==================================================================================
+      # 3. CSV Handling - Config / Policy / System Management
+      # ==================================================================================
+      # Regex: ^(config|system),.*
+      # Note: The conf groups these together for Config Logs + System Logs separate.
+      # Config Logs column mapping:
+      - csv:
+          source: raw
+          where: 'regexMatch(raw, "^config,.*")'
+          separator: ","
+          headers:
+            - log.recordType
+            - log.class
+            - log.FUTURE_USE
+            - log.subClassId
+            - log.eventType
+            - log.eventCategory
+            - log.generatedTime
+            - log.serverTime
+            - log.FUTURE_USE_2
+            - log.facility
+            - log.customerId
+            - log.trapsId
+            - log.serverHost
+            - log.serverComponentVersion
+            - log.regionId
+            - log.isEndpoint
+            - log.severity
+            - log.trapsSeverity
+            - log.messageCode
+            - log.friendlyName
+            - log.FUTURE_USE_3
+            - log.msgTextEn
+            - log.userFullName
+            - log.userName
+            - log.userRole
+            - log.userDomain
+            - log.additionalData
+            - log.messageCode2
+            - log.errorText
+            - log.errorData
+            - log.resultData
+
+      # ==================================================================================
+      # 4. CSV Handling - Analytics Logs
+      # ==================================================================================
+      - csv:
+          source: raw
+          where: 'regexMatch(raw, "^analytics,.*")'
+          separator: ","
+          headers:
+            - log.recordType
+            - log.class
+            - log.FUTURE_USE
+            - log.eventType
+            - log.eventCategory
+            - log.generatedTime
+            - log.serverTime
+            - log.agentTime
+            - log.tzOffset
+            - log.FUTURE_USE_2
+            - log.facility
+            - log.customerId
+            - log.trapsId
+            - log.serverHost
+            - log.serverComponentVersion
+            - log.regionId
+            - log.isEndpoint
+            - log.agentId
+            - log.osType
+            - log.isVdi
+            - log.osVersion
+            - log.is64
+            - log.agentIp
+            - log.deviceName
+            - log.deviceDomain
+            - log.severity
+            - log.agentVersion
+            - log.contentVersion
+            - log.protectionStatus
+            - log.sha256
+            - log.type
+            - log.parentSha256
+            - log.lastSeen
+            - log.fileName
+            - log.filePath
+            - log.fileSize
+            - log.localAnalysisResult
+            - log.reported
+            - log.blocked
+            - log.executionCount
+
+      # ==================================================================================
+      # 5. CSV Handling - System Logs
+      # ==================================================================================
+      - csv:
+          source: raw
+          where: 'regexMatch(raw, "^system,.*")'
+          separator: ","
+          headers: 
+             - log.recordType
+             - log.class
+             - log.FUTURE_USE
+             - log.subClassId
+             - log.eventType
+             - log.eventCategory
+             - log.generatedTime
+             - log.serverTime
+             - log.FUTURE_USE_2
+             - log.facility
+             - log.customerId
+             - log.trapsId
+             - log.serverHost
+             - log.serverComponentVersion
+             - log.regionId
+             - log.isEndpoint
+             - log.agentId
+             - log.severity
+             - log.trapsSeverity
+             - log.messageCode
+             - log.friendlyName
+             - log.FUTURE_USE_3
+             - log.msgTextEn
+             - log.userFullName
+             - log.userName
+             - log.userRole
+             - log.userDomain
+             - log.agentTime
+             - log.tzOffset
+             - log.osType
+             - log.isVdi
+             - log.osVersion
+             - log.is64
+             - log.agentIp
+             - log.deviceName
+             - log.deviceDomain
+             - log.agentVersion
+             - log.contentVersion
+             - log.protectionStatus
+             - log.userFullName2
+             - log.username2
+             - log.userRole2
+             - log.userDomain2
+             - log.messageName
+             - log.messageId
+             - log.processStatus
+             - log.errorText
+             - log.errorData
+             - log.resultData
+             - log.parameters
+             - log.additionalData
+
+      # ==================================================================================
+      # 6. Standard Mappings
+      # ==================================================================================
+      # Map fields extracted from CEF/CSV to standard UTMStack schema (origin.ip, target.ip, etc)
+      # Assuming KV filter extracted typical CEF keys like src, dst, spt, dpt
+      
+      - rename:
+          from: [log.src, log.u_srcIp] # u_srcIp might be from CSV if named differently? No, CSV columns are named above.
+          to: origin.ip
+          where: 'exists("log.src")'
+      - rename:
+          from: [log.agentIp] # From CSV
+          to: origin.ip
+          where: 'exists("log.agentIp") && !exists("origin.ip")'
+
+      - rename:
+          from: [log.dst]
+          to: target.ip
+      - rename:
+          from: [log.spt, log.srcPort]
+          to: origin.port
+      - rename:
+          from: [log.dpt, log.dstPort]
+          to: target.port
+      
+      # Clean up FUTURE_USE fields
+      - delete:
+          fields: [log.FUTURE_USE, log.FUTURE_USE_2, log.FUTURE_USE_3]

From d43b73db255e66419e33a68376b83d4a2bb38ad4 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Mon, 9 Feb 2026 11:33:40 -0600
Subject: [PATCH 057/105] feat(correlation): add updates for correlation rules
 and system owner configuration

---
 .../20260209001_update_correlation_rules.xml  |    22 +
 ..._update_system_owner_correlation_rules.xml |    13 +
 .../data/20260209/utm_correlation_rules.sql   | 12946 ++++++++++++++++
 .../20260209/utm_group_rules_data_type.sql    |   890 ++
 .../resources/config/liquibase/master.xml     |     4 +
 5 files changed, 13875 insertions(+)
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260209001_update_correlation_rules.xml
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260209002_update_system_owner_correlation_rules.xml
 create mode 100644 backend/src/main/resources/config/liquibase/data/20260209/utm_correlation_rules.sql
 create mode 100644 backend/src/main/resources/config/liquibase/data/20260209/utm_group_rules_data_type.sql

diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209001_update_correlation_rules.xml b/backend/src/main/resources/config/liquibase/changelog/20260209001_update_correlation_rules.xml
new file mode 100644
index 000000000..3f6ea5317
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260209001_update_correlation_rules.xml
@@ -0,0 +1,22 @@
+
+
+
+    
+        
+        
+    
+
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209002_update_system_owner_correlation_rules.xml b/backend/src/main/resources/config/liquibase/changelog/20260209002_update_system_owner_correlation_rules.xml
new file mode 100644
index 000000000..446eea0aa
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260209002_update_system_owner_correlation_rules.xml
@@ -0,0 +1,13 @@
+
+
+
+    
+        
+            
+        
+    
+
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/data/20260209/utm_correlation_rules.sql b/backend/src/main/resources/config/liquibase/data/20260209/utm_correlation_rules.sql
new file mode 100644
index 000000000..dd1820cca
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/data/20260209/utm_correlation_rules.sql
@@ -0,0 +1,12946 @@
+TRUNCATE TABLE utm_correlation_rules RESTART IDENTITY CASCADE;
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (1, 'Antivirus Service Stopped or Disabled', 2, 3, 3, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when the Bitdefender antivirus service or critical security modules are stopped, disabled, or experiencing failures. This is a critical security event that could indicate malicious tampering or system issues.
+
+Next Steps:
+- Verify if the service was intentionally stopped by authorized personnel
+- Check system logs for any errors or crashes that may have caused the service to stop
+- Look for signs of malware or unauthorized access attempts around the time of the event
+- Review recent system changes or updates that might have affected the antivirus service
+- If tampering is suspected, isolate the affected system and perform a forensic analysis
+- Restart the Bitdefender service and ensure all modules are functioning properly
+- Monitor for recurring issues that might indicate persistent threats
+', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1562/001/"]', '(equals("log.eventType", "modules") ||
+ equals("log.eventType", "Product ModulesStatus") ||
+ equals("log.eventType", "registration")) &&
+(oneOf("log.severity", ["high", "5"]) ||
+ contains("log.product", "disabled") ||
+ contains("log.product", "stopped") ||
+ (contains("log.restData", "module") && contains("log.restData", "stopped")) ||
+ (contains("log.restData", "module") && contains("log.restData", "disabled")) ||
+ (contains("log.restData", "av") && contains("log.restData", "failure")))
+', '2026-02-09 16:28:45.181415', true, false, 'origin', null, '[]', '["lastEvent.log.eventType","lastEvent.log.hostId"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (2, 'Bitdefender AV Policy Weakened', 3, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when Bitdefender GravityZone antivirus policies are weakened by administrators, such as disabling real-time protection, reducing scan aggressiveness, or adding broad exclusions. This could indicate a compromised admin account or insider threat.
+
+Next Steps:
+1. Identify the administrator who modified the policy
+2. Verify the policy change was authorized through change management
+3. Review the specific settings that were weakened
+4. Check for concurrent suspicious activity on managed endpoints
+5. Restore the previous policy configuration if unauthorized
+6. Review admin account access logs for compromise indicators
+', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1562/001/"]', '(contains("log.message", ["policy", "configuration", "setting"]) &&
+ (contains("log.message", ["disabled", "weakened", "reduced", "lowered", "excluded"]) ||
+  (contains("log.message", "real-time") && contains("log.message", "off")) ||
+  (contains("log.message", "exclusion") && contains("log.message", "added")) ||
+  (contains("log.message", "protection") && contains("log.message", "disabled")))) &&
+exists("log.severity")
+', '2026-02-09 16:28:45.307390', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"log.hostId","operator":"filter_term","value":"{{log.hostId}}"}],"or":null,"within":"now-1h","count":3}]', '["lastEvent.log.eventType","lastEvent.log.hostId"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (3, 'Bootkit/UEFI Threat Detection', 3, 3, 3, 'Defense Evasion, Persistence', 'T1542.001 - Boot or Logon Autostart Execution: System Firmware', 'Detects bootkit or UEFI-level threats that attempt to persist at the firmware level and compromise the boot process. These threats can survive system reinstalls and bypass traditional security measures by infecting the system firmware.
+
+Next Steps:
+- Isolate the affected system immediately to prevent spread
+- Review system boot logs and firmware settings for modifications
+- Check for other malware detections on the same host in the past 24-48 hours
+- Verify system integrity using offline scanning tools
+- Consider reimaging the system and updating firmware/UEFI
+- Enable Secure Boot if not already enabled
+- Review user activity and recently installed software on the affected system
+- Document the infection for incident response reporting
+- Check if other systems with similar hardware/firmware versions are affected
+', '["https://attack.mitre.org/techniques/T1542/001/","https://www.bitdefender.com/business/support/en/77209-135324-event-types.html"]', 'equals("log.eventType", "av") &&
+greaterOrEqual("log.severity", 8) &&
+(
+  contains("log.requested", ["boot", "uefi", "rootkit", "firmware"]) ||
+  contains("log.restData", ["boot", "uefi", "rootkit", "firmware",
+    "\\EFI\\", "/EFI/", "\\boot\\", "/boot/"])
+)
+', '2026-02-09 16:28:45.432145', true, false, 'origin', null, '[]', '["lastEvent.log.hostId","lastEvent.log.severity"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (4, 'Bitdefender Console Used for Lateral Movement', 3, 3, 3, 'Lateral Movement', 'T1072 - Software Deployment Tools', 'Detects when the Bitdefender GravityZone management console is potentially being used to push malicious policies, scripts, or tasks to managed endpoints, indicating a compromised admin account being leveraged for lateral movement.
+
+Next Steps:
+1. Review all recent task and policy deployments from the console
+2. Identify the admin account used and verify its legitimacy
+3. Check for unusual login patterns to the GravityZone console
+4. Review the content of pushed policies for malicious configurations
+5. Suspend the admin account if compromise is suspected
+6. Audit all managed endpoints for signs of compromise
+', '["https://attack.mitre.org/techniques/T1072/","https://www.bitdefender.com/business/support/en/77212-237089-event-types.html"]', '(contains("log.message", ["remote task", "deploy", "push policy", "execute script"]) ||
+ (contains("log.message", "task") && contains("log.message", "created") &&
+  (contains("log.message", "scan") || contains("log.message", "install") ||
+   contains("log.message", "uninstall") || contains("log.message", "execute")))) &&
+exists("log.severity")
+', '2026-02-09 16:28:45.567103', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"log.hostId","operator":"filter_term","value":"{{log.hostId}}"}],"or":null,"within":"now-30m","count":10}]', '["lastEvent.log.eventType","lastEvent.log.hostId"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (5, 'Advanced Persistent Threat (APT) Detection', 3, 3, 2, 'Command and Control', 'TA0011 - Application Layer Protocol', 'Detects indicators of Advanced Persistent Threats including targeted attacks, sophisticated malware, and persistent threats detected by Bitdefender GravityZone''s HyperDetect module.
+
+Next Steps:
+- Investigate the affected endpoint to determine the scope of compromise
+- Review process execution history and network connections from the affected system
+- Check for lateral movement by examining authentication logs from the same source IP
+- Isolate the affected system if active threat is confirmed
+- Collect forensic artifacts including memory dumps and event logs
+- Search for similar malware indicators across the environment
+- Review user account activities for signs of credential compromise
+- Contact security operations center if threat actors match known APT groups
+', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/tactics/TA0011/"]', 'equals("log.product", "Bitdefender GravityZone") &&
+greaterOrEqual("log.severity", 8) &&
+(
+  contains("log.eventType", ["apt", "targeted", "advanced", "persistent", "hyperdetect"]) ||
+  contains("log.restData", ["apt", "targeted attack", "advanced persistent",
+    "lazarus", "equation", "sofacy", "cozy bear", "fancy bear",
+    "panda", "kitten", "carbanak", "fin7", "fileless"]) ||
+  equals("log.signatureID", "hyperdetect")
+) &&
+exists("log.hostId")
+', '2026-02-09 16:28:45.697226', true, false, 'origin', null, '[]', '["lastEvent.log.eventType","lastEvent.log.hostId"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (6, 'Crypto-Mining Detection', 2, 2, 3, 'Impact', 'T1496 - Resource Hijacking', 'Detects cryptocurrency mining activities including miners, coin miners, and cryptojacking attempts detected by Bitdefender GravityZone.
+
+Next Steps:
+- Review the affected endpoint details (hostname, IP) to identify the compromised system
+- Check CPU and memory usage patterns on the affected system for unusual spikes
+- Look for network connections to known mining pools or suspicious outbound traffic
+- Search for related processes running with names like xmrig, minerd, cgminer, or bfgminer
+- Review recent file downloads and installations on the affected system
+- Check for persistence mechanisms (scheduled tasks, startup items, services)
+- Isolate the affected system if active mining is confirmed
+- Run a full system scan with updated definitions
+- Consider reimaging the system if compromise is extensive', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1496/"]', 'equals("log.productVendor", "Bitdefender") &&
+equals("log.product", "GravityZone") &&
+(
+  contains("log.eventType", ["miner", "coin", "crypto", "CoinMiner"]) ||
+  contains("log.requested", ["miner", "coin", "xmr", "monero", "bitcoin",
+    "ethereum", "xmrig", "minerd", "cgminer", "bfgminer", "coinhive"])
+)
+', '2026-02-09 16:28:45.842442', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (7, 'Email-Based Threat Spreading', 3, 3, 2, 'Initial Access', 'T1566 - Phishing', 'Detects email-based malware spreading including phishing attempts, malicious attachments, and email-borne threats through Bitdefender''s Exchange protection. This rule triggers on Exchange-specific malware events and monitors for patterns of email-based threats.
+
+Next Steps:
+1. Investigate the affected email and sender:
+   - Check the sender''s email address and domain reputation
+   - Review email headers for spoofing indicators
+   - Analyze attachment hash values if present in log.restData
+   - Check log.severity for threat level assessment
+2. Review related events:
+   - Look for similar events from the same sender or to other recipients
+   - Check if the email was delivered or blocked
+   - Verify if any users clicked links or opened attachments
+   - Search for the same signatureID across other hosts
+3. Remediation actions:
+   - If delivered, recall the email from all recipients immediately
+   - Reset credentials if phishing was successful
+   - Block sender domain/IP at email gateway
+   - Update email security policies if needed
+   - Scan affected endpoints for malware if attachments were opened
+   - Update Bitdefender Exchange protection rules
+4. Investigation commands:
+   - Check host status: Verify log.hostId endpoint protection status
+   - Review product version: Ensure log.productVersion is up to date
+   - Analyze event patterns: Look for unusual log.eventType combinations
+', '["https://attack.mitre.org/techniques/T1566/","https://www.bitdefender.com/business/support/en/77209-135324-event-types.html"]', 'oneOf("log.eventType", ["exchange-malware", "exchange-user-credentials", "exchange-organization-info"]) ||
+(contains("log.eventType", "exchange") && equals("log.severity", "High")) ||
+(contains("log.product", "Exchange") && contains("log.eventType", ["malware", "phishing"]))
+', '2026-02-09 16:28:45.976907', true, false, 'origin', null, '[]', '["lastEvent.log.hostId","lastEvent.log.signatureID"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (8, 'Fileless Malware Detection', 2, 2, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects fileless malware attacks including PowerShell-based attacks, memory injection, and living-off-the-land techniques using Bitdefender GravityZone''s HyperDetect and Command-Line Scanner modules. These attacks execute malicious code directly in memory without writing to disk, making them harder to detect with traditional antivirus.
+
+Next Steps:
+- Isolate the affected endpoint immediately to prevent lateral movement
+- Review process tree to identify the parent process and initial attack vector
+- Check for PowerShell command history and script blocks (Event ID 4104)
+- Look for suspicious WMI activity or unusual process spawning patterns
+- Examine network connections from the affected process
+- Collect memory dump if the process is still running
+- Review user activity to determine if account is compromised
+- Apply security patches if exploitation of vulnerability is suspected
+', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1055/","https://www.bitdefender.com/en-us/business/gravityzone-platform/fileless-attack-defense"]', 'oneOf("log.eventType", ["fileless_attack", "hyperdetect_fileless", "command_line_scanner"]) ||
+(
+  equals("log.eventType", "malware_detected") &&
+  contains("log.restData", ["fileless", "memory injection", "powershell",
+    "wscript", "cscript", "mshta", "regsvr32", "rundll32"])
+) ||
+(
+  oneOf("log.severity", ["HIGH", "CRITICAL"]) &&
+  contains("log.restData", "code injection")
+)
+', '2026-02-09 16:28:46.092180', true, false, 'origin', null, '[]', '["lastEvent.log.eventType","lastEvent.log.hostId"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (9, 'Bitdefender GravityZone High Severity Threat Detection', 3, 3, 2, 'Execution', 'T1204.002 - User Execution: Malicious File', 'Detects high-severity malware threats identified by Bitdefender GravityZone that require immediate attention. This rule triggers on severity levels 8-10, which indicate critical threats such as trojans, ransomware, rootkits, or other advanced malware.
+
+Next Steps:
+1. Immediately isolate the affected endpoint(s) from the network to prevent lateral movement
+2. Review the threat details in Bitdefender GravityZone console:
+   - Check threat name and malware type from the event details
+   - Verify the affected file path and process information
+   - Review the action taken by Bitdefender (quarantine, delete, etc.)
+3. Investigate the source of infection:
+   - Check origin.ip and origin.path for the malware source
+   - Review recent user activity and email attachments
+   - Look for similar threats on other endpoints
+4. Perform forensic analysis:
+   - Collect memory dumps if rootkit or fileless malware is suspected
+   - Check for persistence mechanisms (registry, scheduled tasks, services)
+   - Review network connections from the affected host
+5. Remediation actions:
+   - Ensure Bitdefender has successfully cleaned/quarantined the threat
+   - Run full system scan on affected and neighboring systems
+   - Update antivirus signatures and security policies
+   - Consider reimaging if system integrity is compromised
+', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1204/002/","https://attack.mitre.org/techniques/T1055/"]', 'oneOf("log.severity", ["8", "9", "10"]) && oneOf("log.eventType", ["avc", "malware_detected", "av"])', '2026-02-09 16:28:46.176247', true, false, 'origin', null, '[]', '["lastEvent.log.signatureID","lastEvent.log.syslogHostIP"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (149, 'Azure Global Administrator Role Addition to PIM User', 3, 3, 3, 'Persistence', 'T1098.001 - Account Manipulation: Additional Cloud Credentials', 'Detects when users are granted Global Administrator (Company Administrator) role assignments through Azure AD/Entra ID Privileged Identity Management (PIM).
+
+**Security Context:**
+The Global Administrator role is the most powerful administrative role in Azure AD/Entra ID, granting complete control over all aspects of the directory and services that use Azure AD identities. PIM enables just-in-time privileged access through eligible (requires activation) or time-bound assignments. Adversaries who gain sufficient privileges may add themselves or other compromised accounts to this role to establish persistence and maintain full administrative control over the tenant.
+
+**Detection Logic:**
+This rule monitors AuditLogs for successful PIM role assignments specifically for the Global Administrator role. It detects both:
+- **Eligible assignments (permanent)**: User can activate the role when needed
+- **Active assignments (time-bound)**: Role is directly active for a specified duration
+
+The rule identifies these assignments through the operation names and filters for the Global Administrator role specifically.
+
+**Investigation Steps:**
+1. Identify the assignor: Check log.propertiesInitiatedBy for who made the role assignment
+2. Identify the assignee: Examine log.propertiesTargetResources for the user receiving the role
+3. Verify authorization: Confirm if this assignment was part of approved privileged access request
+4. Check assignment type: Determine if it''s eligible (requires activation) or time-bound (direct)
+5. Review duration: For time-bound assignments, check the duration of the assignment
+6. Analyze timing: Determine if assignment follows suspicious authentication or compromise indicators
+7. Review justification: Check if a business justification was provided in log.propertiesAdditionalDetails
+8. Check user history: Review the assignee''s account for recent suspicious activity
+9. Examine recent actions: Look for privileged operations performed immediately after assignment
+10. Correlate with sign-ins: Check for unusual authentication patterns before/after assignment
+
+**Recommended Actions:**
+- If unauthorized, immediately revoke the Global Administrator role assignment
+- Review all recent PIM role assignments for anomalies
+- Enable PIM approval workflows for Global Administrator role assignments
+- Implement maximum assignment duration limits for time-bound assignments
+- Require MFA and justification for all Global Administrator activations
+- Enable PIM alerts for high-privilege role assignments
+- Audit accounts with Privileged Role Administrator permissions
+- Review and limit the number of permanent Global Administrator assignments
+- Enable Azure AD Identity Protection to detect compromised credentials
+- Implement break-glass emergency access accounts following best practices
+
+**PIM Assignment Types:**
+- **Eligible (permanent)**: User must activate the role when needed, typically with MFA and justification
+- **Active (time-bound)**: Role is directly assigned for a limited duration without activation required
+- Both types should be monitored as adversaries may use either for persistence
+
+**Common Attack Patterns:**
+- Compromised Privileged Role Administrator adding backdoor accounts
+- Insider threat establishing persistent administrative access
+- Privilege escalation from lower-privilege administrative roles
+- Adding service principals or managed identities to Global Administrator role
+- Creating long-duration time-bound assignments for sustained access
+
+**MITRE ATT&CK Reference:** T1098.001 - Account Manipulation: Additional Cloud Credentials
+
+**Azure Documentation:**
+- AuditLogs table: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs
+- PIM for Azure AD roles: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
+', '["https://attack.mitre.org/techniques/T1098/001/","https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs","https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure","https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-administrator"]', 'equalsIgnoreCase("log.category", "AuditLogs") &&
+(equals("log.resultType", "0") || equalsIgnoreCase("actionResult", "SUCCESS")) &&
+(contains("log.operationName", "Add eligible member to role") || contains("log.operationName", "Add member to role")) &&
+(contains("log.properties.targetResources.displayName", "Global Administrator") || contains("log.properties.targetResources.displayName", "Company Administrator"))
+', '2026-02-09 16:31:20.596213', true, false, 'target', null, '[]', '["target.ip","target.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (10, 'Memory-Based Threat Detection', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects memory-based threats including process injection, memory manipulation, and fileless malware executing in memory based on Bitdefender GravityZone event types.
+
+Next Steps:
+1. Identify the affected process and host using log.hostId and origin.path fields
+2. Check if the process is legitimate or if it shows signs of compromise
+3. Review the process tree to identify parent-child relationships
+4. Look for other suspicious activities on the same host in the last hour
+5. Collect memory dump if the process is still running
+6. Analyze network connections from the affected process
+7. Check for persistence mechanisms on the affected system
+8. Isolate the host if active malicious behavior is confirmed
+', '["https://attack.mitre.org/techniques/T1055/","https://www.bitdefender.com/business/support/en/77209-135324-event-types.html"]', 'exists("log.eventType") &&
+(oneOf("log.eventType", ["aph", "antiexploit", "hd"]) ||
+ (exists("origin.path") && contains("origin.path", "memory"))) &&
+(oneOf("log.severity", ["critical", "high"]) ||
+ exists("log.malwareName") ||
+ exists("log.threatName"))
+', '2026-02-09 16:28:46.350884', true, false, 'origin', null, '[]', '["lastEvent.log.hostId","adversary.path"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (11, 'Malware Outbreak Detection - Multiple Hosts Infected', 3, 3, 3, 'Command and Control', 'T1105 - Ingress Tool Transfer', 'Detects when the same malware signature or threat is detected on multiple endpoints within a short time window. This pattern indicates a potential malware outbreak spreading across the network environment.
+
+Next Steps:
+1. Immediately isolate affected endpoints to prevent further spread
+2. Identify the malware signature ID and research its capabilities and impact
+3. Check network logs for lateral movement patterns between infected hosts
+4. Review the initial infection vector - check email logs, web proxy logs, and USB device usage
+5. Verify antivirus definitions are up-to-date on all endpoints
+6. Conduct memory and disk forensics on patient zero if identifiable
+7. Check for persistence mechanisms on infected systems
+8. Review domain controller and authentication logs for credential compromise
+9. Document all affected systems and timeline for incident response
+10. Consider engaging incident response team if outbreak involves critical systems
+', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1105/"]', 'equals("log.eventType", "AntiMalware") &&
+oneOf("log.severity", ["4", "5"]) &&
+exists("log.signatureID") &&
+exists("log.syslogHostIP")
+', '2026-02-09 16:28:46.496449', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"log.signatureID","operator":"filter_term","value":"{{log.signatureID}}"},{"field":"log.eventType","operator":"filter_term","value":"AntiMalware"}],"or":null,"within":"now-2h","count":10}]', '["lastEvent.log.signatureID","lastEvent.log.syslogHostIP"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (12, 'Multiple Malware Detections from Single Source', 3, 3, 2, 'Command and Control', 'T1105 - Ingress Tool Transfer', 'Detects when multiple malware threats are detected on a single host within a short time period. This could indicate a compromised system actively spreading malware or an attacker launching multiple malware variants.
+
+Next Steps:
+1. Investigate the affected host:
+   - Identify the system using the hostId field
+   - Check if it''s a critical system or server
+   - Review recent user activity on the host
+2. Analyze the detected malware:
+   - Review the malware types and names detected (signatureID field)
+   - Check file paths and processes involved
+   - Determine if malware was successfully quarantined
+3. Check for lateral movement:
+   - Look for connections from the affected host to other internal systems
+   - Review authentication logs for suspicious activity
+   - Check for file share access patterns
+4. Remediation actions:
+   - Isolate the affected system if confirmed compromised
+   - Run full system scans on potentially affected systems
+   - Update antivirus signatures and definitions
+   - Consider reimaging if system is severely compromised
+', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1105/"]', 'equals("log.eventType", "AntiMalware") &&
+oneOf("log.severity", ["4", "5"]) &&
+exists("log.hostId")
+', '2026-02-09 16:28:46.621867', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"log.hostId","operator":"filter_term","value":"{{log.hostId}}"},{"field":"log.eventType","operator":"filter_term","value":"AntiMalware"}],"or":null,"within":"now-1h","count":5}]', '["lastEvent.log.hostId","lastEvent.log.signatureID"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (13, 'Network-Based Threat Detection', 3, 2, 3, 'Command and Control', 'T1071 - Application Layer Protocol: Command and Control', 'Detects network-based threats including C2 communications, malicious network activity, and suspicious network connections identified by Bitdefender GravityZone.
+
+Next Steps:
+1. Identify the affected host using log.hostId and check for other security events from this system
+2. Review origin.ip to determine if it''s a known malicious IP or C2 server
+3. Check firewall logs for any blocked or allowed connections to/from the suspicious IP
+4. Investigate running processes on the affected host for signs of malware
+5. Review network traffic patterns for data exfiltration attempts
+6. If ransomware is detected, immediately isolate the affected system
+7. Collect network packet captures if available for deeper analysis
+8. Check if other hosts have communicated with the same external IP address
+9. Submit suspicious IPs to threat intelligence platforms for reputation checking
+10. Document findings and update firewall rules to block confirmed malicious IPs
+', '["https://attack.mitre.org/techniques/T1071/","https://www.bitdefender.com/business/support/en/77209-135324-event-types.html"]', '(oneOf("log.eventType", ["network-sandboxing", "fw"]) &&
+ oneOf("log.severity", ["high", "critical", "4", "5"])) ||
+(exists("origin.ip") && contains("log.eventType", "network") &&
+ contains("log.restData", ["malware", "threat", "blocked", "c2", "botnet"])) ||
+(equals("log.severity", "critical") && contains("log.product", "network"))
+', '2026-02-09 16:28:46.751926', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"log.hostId","operator":"filter_term","value":"{{log.hostId}}"},{"field":"log.eventType","operator":"filter_term","value":"network-sandboxing"}],"or":null,"within":"now-4h","count":3}],"within":"now-2h","count":5}]', '["lastEvent.log.hostId","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (24, 'Deception API Call Tracking', 2, 2, 1, 'Execution', 'T1106 - Native API', 'Tracks suspicious API calls made to decoy services or endpoints. This behavior indicates an attacker is attempting to interact with what they believe are legitimate services but are actually deception assets.
+
+Next Steps:
+- Review the source IP address and check if it''s from a known legitimate source
+- Examine the API endpoint accessed and the HTTP method used
+- Look for other activity from the same IP address across all log sources
+- Check if the source IP has accessed multiple decoy endpoints (indicating reconnaissance)
+- Investigate any authentication tokens or credentials used in the API calls
+- Consider blocking the source IP if malicious intent is confirmed
+- Document the attack pattern for threat intelligence sharing
+', '["https://attack.mitre.org/techniques/T1106/","https://deceptivebytes.com/solution/"]', 'equals("log.eventType", "api_call") && equals("log.isDecoy", "true") && exists("log.httpMethod") && exists("origin.ip")', '2026-02-09 16:28:48.236834', true, false, 'origin', null, '[]', '["lastEvent.log.apiEndpoint","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (14, 'Bitdefender GravityZone Quarantine Failure Detection', 3, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when Bitdefender GravityZone fails to quarantine detected malware. This could indicate that the malware is actively resisting remediation attempts or that there are permission issues preventing proper quarantine.
+
+Next Steps:
+- Immediately isolate the affected system from the network
+- Check if the malware process is still running and attempt manual termination
+- Verify antivirus permissions and ensure it has necessary privileges
+- Review system logs for signs of privilege escalation or rootkit activity
+- Consider reimaging the system if quarantine continues to fail
+- Check for similar failures on other systems in the environment
+- Investigate the specific malware detected and research its capabilities
+- Review quarantine configuration and storage capacity
+', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1562/001/"]', 'oneOf("log.eventType", ["quarantine_failed", "quarantine_failure"]) ||
+(equals("log.eventType", "AntiMalware") &&
+  (containsAll("log.requestToParse", ["quarantine", "fail"]) ||
+   contains("log.restData", ["quarantine failed", "unable to quarantine", "failed to quarantine"]) ||
+   (equals("log.severity", "failure") && contains("log.requestToParse", "quarantine"))))
+', '2026-02-09 16:28:46.891407', true, false, 'origin', null, '[]', '["lastEvent.log.hostId","lastEvent.log.signatureID"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (15, 'Ransomware Behavior Detection', 3, 3, 3, 'Impact', 'T1486 - Data Encrypted for Impact', 'Detects ransomware behavior patterns including file encryption attempts, mass file modifications, and ransomware-specific malware types detected by Bitdefender GravityZone.
+
+Next Steps:
+1. Immediately isolate the affected system from the network to prevent spread
+2. Check for recent backup availability and integrity
+3. Review process execution history on the affected host
+4. Look for suspicious file modifications or mass encryption activities
+5. Check for ransomware notes or changed file extensions
+6. Investigate the source of infection (email attachments, downloads, RDP compromise)
+7. Scan other systems for similar indicators
+8. Consider engaging incident response team for containment and recovery
+', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1486/"]', '(contains("log.message", ["ransomware", "ransom", "locky", "cerber",
+  "wannacry", "petya", "ryuk", "sodinokibi", "maze"]) ||
+ contains("log.signatureID", "ransomware") ||
+ (equals("log.severity", "10") && contains("log.eventType", "malware"))) &&
+exists("log.severity")
+', '2026-02-09 16:28:47.031671', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"log.hostId","operator":"filter_term","value":"{{log.hostId}}"}],"or":null,"within":"now-10m","count":5}]', '["lastEvent.log.hostId","lastEvent.log.signatureID"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (16, 'Real-time Protection Disabled', 3, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when real-time protection features are disabled on an endpoint. This is a critical security event as it leaves the system vulnerable to malware infections and requires immediate investigation.
+
+Next Steps:
+1. Immediately investigate who disabled the real-time protection and why
+2. Check if the action was authorized by IT security team
+3. Review recent activity on the affected endpoint for signs of compromise
+4. Re-enable real-time protection if the action was unauthorized
+5. Check for any malware infections that may have occurred while protection was disabled
+6. Review system logs for any suspicious activities during the protection downtime
+7. Consider implementing additional controls to prevent unauthorized disabling of security tools
+', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1562/001/"]', 'exists("log.syslogHostIP") &&
+(
+  (equals("log.eventType", "modules") && 
+   equals("log.product", "av") &&
+   contains("log.restData", "real-time")) ||
+  (equals("log.eventType", "Product ModulesStatus") &&
+   oneOf("log.severity", ["4", "5"]) &&
+   (contains("log.restData", "protection disabled") ||
+    contains("log.restData", "real-time scanning disabled")))
+)
+', '2026-02-09 16:28:47.155607', true, false, 'origin', null, '[]', '["lastEvent.log.eventType","lastEvent.log.syslogHostIP"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (17, 'Rootkit Detection', 3, 3, 2, 'Defense Evasion', 'T1014 - Rootkit', 'Detects rootkit infections and kernel-level threats that attempt to hide malicious activity at the system level using Bitdefender GravityZone''s advanced detection capabilities.
+
+Next Steps:
+1. Immediately isolate the affected system from the network to prevent lateral movement
+2. Capture a memory dump and disk image for forensic analysis
+3. Check for signs of privilege escalation or kernel-level modifications
+4. Review system logs for any suspicious driver installations or kernel module loading
+5. Scan other systems in the same network segment for similar infections
+6. Consider rebuilding the system from a known clean state as rootkits can be difficult to fully remove
+7. Review how the rootkit was initially delivered (email attachment, exploit kit, etc.)
+8. Update all security software and operating system patches
+', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1014/"]', 'equals("log.eventType", "malware_detected") &&
+oneOf("log.severity", ["high", "critical"]) &&
+(
+  contains("log.restData", ["rootkit", "kernel", "tdss", "zeroaccess",
+    "necurs", "bootkit", "alureon", "rustock", "sinowal"]) ||
+  contains("log.requested", "rootkit") ||
+  equals("log.signatureID", "rootkit")
+)
+', '2026-02-09 16:28:47.296159', true, false, 'origin', null, '[]', '["lastEvent.log.hostId","lastEvent.log.signatureID"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (18, 'Bitdefender GravityZone Suspicious Exclusion Added', 3, 3, 1, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when exclusions are added to Bitdefender GravityZone that may allow malware to operate undetected. Attackers often add exclusions to antivirus software to prevent detection of their malicious tools and activities.
+
+Next Steps:
+1. Review the exclusion details to determine what files, folders, or processes were excluded
+2. Verify if the exclusion was authorized by security team or IT administrators
+3. Check if the excluded path contains any suspicious executables or scripts
+4. Review recent activity from the user who added the exclusion
+5. If unauthorized, immediately remove the exclusion and scan the excluded locations
+6. Consider implementing a change control process for antivirus exclusions
+', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1562/001/"]', 'equals("log.eventType", "exclusion_added") ||
+(oneOf("log.eventType", ["policy_change", "configuration_change"]) &&
+ contains("log.requested", "exclusion"))
+', '2026-02-09 16:28:47.446530', true, false, 'origin', null, '[]', '["lastEvent.log.eventType","lastEvent.log.hostId"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (192, 'AWS GuardDuty Detector Deletion', 3, 2, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html","https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"]', 'equals("log.eventSource", "guardduty.amazonaws.com") &&
+equals("log.eventName", "DeleteDetector")
+', '2026-02-09 16:32:23.040735', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (19, 'USB-Based Malware Propagation', 3, 3, 2, 'Lateral Movement, Initial Access', 'T1091 - Replication Through Removable Media', 'Detects USB-based malware propagation attempts including autorun infections, removable media threats, and device control violations. This rule monitors for device control events and removable media access patterns that may indicate malware attempting to spread via USB devices.
+
+Next Steps:
+1. Isolate the affected endpoint immediately to prevent further spread
+2. Check device control logs for unauthorized USB device connections
+3. Scan all removable media that were connected to the affected system
+4. Review file creation/modification events on removable drives (especially autorun.inf)
+5. Verify if similar events occurred on other endpoints in the network
+6. Update device control policies to restrict USB usage if necessary
+7. Consider implementing USB device whitelisting for critical systems
+', '["https://attack.mitre.org/techniques/T1091/","https://www.bitdefender.com/business/support/en/77209-135324-event-types.html"]', '(oneOf("log.eventType", ["device-control", "dp"]) &&
+ (contains("log.restData", ["malware", "threat", "infection", "autorun", "suspicious"]) ||
+  oneOf("log.severity", ["high", "critical", "4", "5"]))) ||
+(contains("log.requested", ["usb", "removable", "autorun"]) &&
+ contains("log.restData", ["malware", "threat", "infection"]))
+', '2026-02-09 16:28:47.571150', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"log.hostId","operator":"filter_term","value":"{{log.hostId}}"}],"or":null,"within":"now-30m","count":5}]', '["lastEvent.log.eventType","lastEvent.log.hostId"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (20, 'Bitdefender GravityZone Zero-Day Malware Detection', 3, 3, 2, 'Execution', 'T1203 - Exploitation for Client Execution', 'Detects potential zero-day malware identified by Bitdefender''s advanced threat detection capabilities including HyperDetect and Sandbox Analyzer. These detection methods use behavioral analysis and machine learning to identify previously unknown threats.
+
+Next Steps:
+1. Immediately isolate the affected system from the network to prevent lateral movement
+2. Review the detection details including file path, process information, and threat indicators
+3. Check if similar detections occurred on other systems in the environment
+4. Collect the suspicious file/process for further analysis in a sandbox environment
+5. Review system logs for any suspicious activities before and after the detection
+6. Update security policies to block similar threats across the organization
+7. Consider submitting the sample to Bitdefender for further analysis
+', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1203/"]', 'oneOf("log.eventType", ["HyperDetect Activity", "Sandbox Analyzer Detection", "hyperdetect"]) ||
+(equals("log.eventType", "avc") && equals("log.severity", "High"))
+', '2026-02-09 16:28:47.700896', true, false, 'origin', null, '[]', '["lastEvent.log.hostId","lastEvent.log.syslogHostIP"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (21, 'Advanced Threat Tactic Identification', 3, 3, 3, 'Advanced Persistent Threat', 'Multiple Tactics', 'Detects advanced threat tactics including initial access, execution, and persistence techniques by monitoring deception environment interactions and behavioral patterns. This rule triggers when deceptive assets are accessed with high behavior scores indicating sophisticated attack patterns.
+
+Next Steps:
+1. Immediately isolate the affected endpoint(s) associated with the source IP
+2. Review the specific tactic name to understand the attack phase (initial access, execution, persistence, etc.)
+3. Check all deception assets that were triggered to map the attacker''s movement
+4. Analyze the behavior score details to understand the sophistication level
+5. Look for related alerts from the same source IP across different systems
+6. Collect forensic data from the endpoint before any remediation
+7. Review authentication logs for any credential abuse from this source
+8. Check network logs for lateral movement attempts
+9. Update security controls to block the identified tactics
+10. Consider deploying additional deception assets in the path of the attacker
+', '["https://attack.mitre.org/tactics/TA0001/","https://attack.mitre.org/tactics/TA0002/","https://attack.mitre.org/tactics/TA0003/"]', 'equals("log.eventType", "advanced_threat_detected") &&
+equals("log.threatLevel", "critical") &&
+(oneOf("log.tacticName", ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion"])) &&
+equals("log.deceptionTriggered", true) &&
+greaterOrEqual("log.behaviorScore", 80)
+', '2026-02-09 16:28:47.842316', true, false, 'origin', null, '[{"indexPattern":"v11-log-deceptive-bytes-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.tacticName","operator":"filter_term","value":"{{log.tacticName}}"}],"or":null,"within":"now-15m","count":3}]', '["lastEvent.log.tacticName","lastEvent.log.threatLevel","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (22, 'Criminal Group Signatures', 3, 3, 2, 'Organized Crime Activity', 'Criminal Group TTPs', 'Identifies attack signatures and behavioral patterns associated with known criminal groups including ransomware operators, financial crime syndicates, and organized cybercrime operations. Deception technology detects malicious activity by monitoring interactions with decoy assets that should never be accessed in legitimate workflows.
+
+Next Steps:
+1. IMMEDIATE: Isolate the affected endpoint to prevent lateral movement
+2. Verify the criminal group signature or toolset identified in the alert details
+3. Check if the source IP/domain appears in threat intelligence feeds or previous incidents
+4. Review all activity from the affected endpoint in the last 24-48 hours
+5. Search for indicators of lateral movement or data staging activities
+6. Scan other endpoints for similar patterns or IoCs
+7. If ransomware indicators are present, activate ransomware response playbook
+8. Collect forensic evidence: process creation logs, network connections, file modifications
+9. Check for data exfiltration attempts to external IPs or cloud services
+10. Review all user account activity associated with the endpoint for signs of compromise
+11. Document all findings and coordinate with incident response team
+12. Consider threat hunting across the environment for related criminal group activities
+', '["https://attack.mitre.org/groups/","https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf","https://www.acalvio.com/cyber-deception/the-role-of-deception-technology-in-the-endpoint-security-reference-architecture/","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a"]', 'oneOf("log.eventType", ["threat_detected", "deception_triggered", "malicious_activity"]) &&
+oneOf("log.threatType", ["criminal_group", "ransomware", "organized_crime"]) &&
+(exists("log.signature") || exists("log.toolset") || exists("log.groupName")) &&
+(oneOf("log.action", ["blocked", "detected", "prevented"]) ||
+ oneOf("log.severity", ["high", "critical"])) &&
+(oneOf("log.indicatorType", ["ransomware", "financial_theft", "cryptomining", "data_exfiltration"]) ||
+ greaterOrEqual("log.threatScore", 70))
+', '2026-02-09 16:28:47.971185', true, false, 'origin', null, '[]', '["lastEvent.log.groupName","lastEvent.log.signature","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (23, 'Data Theft Attempt on Decoy Files', 3, 2, 1, 'Collection', 'T1005 - Data from Local System', 'Detects attempts to access, copy, or exfiltrate deceptive decoy files and honeypot data, indicating potential data theft activities by an attacker. This rule triggers when an attacker interacts with high-sensitivity decoy files planted by Deceptive Bytes.
+
+Next Steps:
+- Immediately isolate the affected endpoint to prevent lateral movement
+- Review the source IP and user account for suspicious activity patterns
+- Check for other decoy interactions from the same source in the past 24 hours
+- Examine network traffic logs for potential data exfiltration attempts
+- Verify if the user account has been compromised or if this is insider threat activity
+- Consider resetting credentials for the affected user account
+- Document all decoy files accessed for forensic analysis
+', '["https://attack.mitre.org/techniques/T1005/","https://attack.mitre.org/techniques/T1567/","https://deceptivebytes.com/solution/"]', 'equals("log.event_type", "decoy_accessed") &&
+oneOf("log.action", ["file_read", "file_copy", "file_download"]) &&
+equals("log.decoy_sensitivity", "high")
+', '2026-02-09 16:28:48.101258', true, false, 'origin', null, '[{"indexPattern":"v11-log-deceptive-bytes-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.event_type","operator":"filter_term","value":"decoy_accessed"}],"or":null,"within":"now-2h","count":3}]', '["lastEvent.log.decoy_file","adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (786, 'Windows: Volume Shadow Copy Deletion via WMIC', 1, 2, 3, 'Impact', 'T1490 - Inhibit System Recovery', 'Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.', '["https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1490/"]', 'regexMatch("log.message", "(delete(.+)shadowcopy|shadowcopy(.+)delete)") && contains("log.eventDataProcessName", "WMIC.exe")', '2026-02-09 16:57:43.422219', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (25, 'Deception Token Access Patterns', 3, 3, 1, 'Defense Evasion, Persistence, Privilege Escalation, Initial Access', 'T1078 - Valid Accounts: Credential Access', 'Detects when deception tokens or honeytokens are accessed, indicating potential unauthorized activity or insider threat. Multiple token accesses from the same source within a short timeframe suggest systematic reconnaissance or data harvesting attempts. Honeytokens are fake credentials or access tokens planted as traps to detect unauthorized access.
+
+Next Steps:
+1. Identify the source IP and user account associated with the token access
+2. Review access logs to determine if this is legitimate testing or actual malicious activity
+3. Check for lateral movement from the same source IP across the network
+4. Investigate any data access or exfiltration attempts following the token access
+5. Consider immediately blocking the source IP if confirmed malicious
+6. Review and rotate any potentially compromised credentials in the environment
+7. Alert security team immediately as honeytoken access is a high-confidence indicator of compromise
+8. Document the incident and update detection rules based on observed attack patterns
+9. Verify the integrity of the deception infrastructure to ensure it wasn''t compromised
+', '["https://attack.mitre.org/techniques/T1078/","https://deceptivebytes.com/"]', 'equals("log.eventType", "token_access") &&
+equals("log.deceptionType", "honeytoken") &&
+exists("origin.ip") &&
+oneOf("log.severity", ["high", "critical"])
+', '2026-02-09 16:28:48.366791', true, false, 'origin', null, '[{"indexPattern":"v11-log-deceptive-bytes-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.eventType","operator":"filter_term","value":"token_access"}],"or":null,"within":"now-1h","count":3}]', '["lastEvent.log.tokenId","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (26, 'Decoy Share Access Monitoring', 3, 2, 1, 'Discovery', 'T1135 - Network Share Discovery', 'Detects when an attacker attempts to access decoy network shares set up by Deceptive Bytes. This indicates potential lateral movement or reconnaissance activity within the network. Any interaction with decoy shares is a high-confidence indicator of malicious activity since legitimate users should never access these resources.
+
+Next Steps:
+- Immediately investigate the source IP and verify if it belongs to an authorized user or system
+- Check for other suspicious activities from the same source IP in the last 24-48 hours
+- Review authentication logs to identify any compromised credentials associated with this IP
+- Look for lateral movement attempts or privilege escalation from the same source
+- Consider isolating the source system if it shows signs of compromise
+- Document all accessed decoy resources for threat intelligence purposes
+- Update security controls to block or monitor the attacker''s techniques
+', '["https://attack.mitre.org/techniques/T1135/","https://deceptivebytes.com/solution/"]', 'equals("log.eventType", "decoy_access") && equals("log.resourceType", "network_share") && exists("origin.ip")', '2026-02-09 16:28:48.496984', true, false, 'origin', '["adversary.ip","lastEvent.log.resourceType"]', '[{"indexPattern":"v11-log-deceptive-bytes-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.eventType","operator":"filter_term","value":"decoy_access"},{"field":"log.resourceType","operator":"filter_term","value":"network_share"}],"or":null,"within":"now-30m","count":3}]', null);
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (27, 'Decoy System Enumeration', 3, 2, 1, 'Discovery', 'T1082 - System Information Discovery', 'Detects when an attacker performs system enumeration activities on decoy systems or services. This includes port scanning, service discovery, or system information gathering on deception assets.
+
+Next Steps:
+- Immediately investigate the source IP address for other suspicious activities
+- Check if the source IP has attempted to access other decoy or real systems
+- Review network logs for lateral movement attempts from this source
+- Consider blocking the source IP if malicious intent is confirmed
+- Document the attack pattern for threat intelligence sharing
+- Verify if the attacker has discovered any real assets alongside decoys
+', '["https://attack.mitre.org/techniques/T1082/","https://deceptivebytes.com/solution/"]', 'equals("log.eventType", "system_enumeration") &&
+(equals("log.isDecoy", true) || equals("log.isDecoy", "true")) &&
+oneOf("log.action", ["port_scan", "service_discovery", "system_info"]) &&
+exists("origin.ip")
+', '2026-02-09 16:28:48.646238', true, false, 'origin', '["adversary.ip","lastEvent.log.targetHost","lastEvent.log.decoyName"]', '[]', null);
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (28, 'Fake User Authentication Attempts', 3, 3, 1, 'Credential Access', 'T1110 - Brute Force', 'Detects authentication attempts using decoy user accounts created by Deceptive Bytes. This indicates an attacker has obtained what they believe are valid credentials and is attempting to use them.
+
+Next Steps:
+- Immediately investigate the source IP address for other suspicious activities
+- Check if the same IP has triggered other deception alerts or security events
+- Review how the attacker obtained the decoy credentials (phishing, credential dumping, insider threat)
+- Examine network logs for lateral movement attempts from this IP
+- Consider blocking the source IP if confirmed malicious
+- Check for any legitimate user accounts that may have been compromised
+- Review authentication logs for attempts using real credentials from the same source
+- Notify the security team for potential active breach investigation
+', '["https://attack.mitre.org/techniques/T1110/","https://deceptivebytes.com/solution/"]', 'equals("log.eventType", "authentication") && equals("log.isDecoyUser", true) && exists("log.authResult") && exists("origin.ip")', '2026-02-09 16:28:48.776477', true, false, 'origin', null, '[]', '["lastEvent.log.username","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (29, 'Honey Table Query Detection', 3, 2, 1, 'Collection', 'T1005 - Data from Local System', 'Detects when an attacker queries honey tables or decoy database objects deployed by Deceptive Bytes. This indicates potential data exfiltration attempts or database reconnaissance. Honey tables are deliberately placed decoy data designed to attract and identify unauthorized access attempts.
+
+Next Steps:
+1. Identify the source IP and determine if it''s an internal or external address
+2. Check if the source IP has accessed other decoy resources or legitimate database tables
+3. Review the specific honey table(s) that were queried to understand attacker interest
+4. Correlate with authentication logs to identify the user account used
+5. Check for any data exfiltration patterns following the honey table access
+6. Isolate the compromised system or account if malicious activity is confirmed
+7. Review database access logs for unauthorized queries to legitimate tables
+8. Consider blocking the source IP if it''s external and confirmed malicious
+9. Document the incident and update security monitoring rules if needed
+', '["https://attack.mitre.org/techniques/T1005/","https://deceptivebytes.com/solution/"]', 'equals("log.eventType", "decoy_access") && equals("log.resourceType", "database_table") && equals("log.action", "query") && exists("origin.ip")', '2026-02-09 16:28:48.911903', true, false, 'origin', null, '[{"indexPattern":"v11-log-deceptive-bytes-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.eventType","operator":"filter_term","value":"decoy_access"}],"or":null,"within":"now-1h","count":5}]', '["lastEvent.log.tableName","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (30, 'Lateral Movement Trap Triggered', 3, 3, 2, 'Lateral Movement', 'T1021 - Remote Services', 'Detects when an attacker triggers a deceptive trap while attempting lateral movement across the network. This indicates potential compromise and active threat movement within the environment.
+
+Next Steps:
+1. Immediately isolate the source IP address to prevent further lateral movement
+2. Review all activities from the source IP in the last 24-48 hours
+3. Check if the source system shows signs of compromise (unusual processes, new services, etc.)
+4. Identify what credentials or methods were used in the lateral movement attempt
+5. Review network logs for any successful connections from this source to other systems
+6. Initiate incident response procedures for potential active threat
+7. Consider deploying additional deception tokens around critical assets
+', '["https://attack.mitre.org/techniques/T1021/","https://deceptivebytes.com/solution/"]', 'equals("log.event_type", "trap_triggered") && equals("log.trap_type", "lateral_movement") && exists("origin.ip")', '2026-02-09 16:28:49.282062', true, false, 'origin', null, '[]', '["lastEvent.log.trap_type","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (49, 'Suspicious Process Behavior Detection', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects suspicious process behaviors including injection attempts, privilege escalation, and abnormal process creation patterns identified by ESET''s behavioral monitoring. This alert indicates potential malware activity or exploitation attempts on the affected system.
+
+Next Steps:
+1. Immediately review the alert details to identify:
+   - Affected hostname (check log.headHostname)
+   - Specific threat or behavior detected (check log.jsonMessage)
+   - Process name and path if available
+   - Time of detection (check log.deviceTime)
+2. Investigate the process that triggered the alert:
+   - Verify if it''s a legitimate application or unknown/suspicious
+   - Check process creation chain and parent-child relationships
+   - Review file hash against threat intelligence sources
+3. Check for related security events:
+   - Look for other ESET alerts from the same host
+   - Search for network connections from the suspicious process
+   - Review authentication events around the same timeframe
+4. Containment actions if malicious:
+   - Isolate the affected host from the network
+   - Kill the suspicious process if still running
+   - Preserve forensic evidence (memory dump, logs)
+5. Remediation steps:
+   - Run full antivirus scan on the affected system
+   - Check for persistence mechanisms (registry, scheduled tasks)
+   - Update ESET signatures and perform system hardening
+6. Prevention measures:
+   - Review and update application control policies
+   - Ensure ESET real-time protection is enabled
+   - Consider implementing application whitelisting
+', '["https://help.eset.com/ees/12/en-US/idh_dialog_epfw_ids_alert.html","https://attack.mitre.org/techniques/T1055/"]', 'oneOf("log.msgType", ["EnterpriseInspectorAlert_Event", "HIPS_Event"]) &&
+exists("log.jsonMessage") &&
+contains("log.jsonMessage", ["Process injection", "Suspicious behavior",
+  "Anomalous process", "blocked", "terminated", "prevented"])
+', '2026-02-09 16:28:51.996232', true, false, 'origin', null, '[]', '["lastEvent.log.headHostname","lastEvent.log.msgType"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (31, 'Nation-State Tactic Detection', 3, 3, 3, 'Advanced Persistent Threat', 'T1595 - Active Scanning / Nation-State Attack Patterns', 'Detects sophisticated attack patterns and techniques commonly associated with nation-state actors including advanced persistence mechanisms, custom tooling, and strategic lateral movement.
+
+Next Steps:
+1) Immediately isolate affected systems and preserve forensic evidence
+2) Review all decoy interactions and identify compromised credentials
+3) Check for lateral movement attempts from the source IP across all systems
+4) Analyze custom tools or malware samples if detected
+5) Engage incident response team for potential APT activity
+6) Review network traffic for command & control communications
+7) Implement enhanced monitoring on high-value targets identified in the attack
+', '["https://attack.mitre.org/groups/","https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats"]', 'oneOf("log.event_type", ["decoy_interaction", "honeypot_access", "deception_triggered"]) &&
+equals("log.threat_level", "critical") &&
+(equals("log.attack_sophistication", "advanced") || greaterOrEqual("log.threat_score", 85)) &&
+(equals("log.apt_indicators", true) ||
+ equals("log.custom_malware", true) ||
+ equals("log.advanced_ttps", true) ||
+ greaterThan("log.targeted_decoys", 1) ||
+ equals("log.persistence_attempt", true))
+', '2026-02-09 16:28:49.375846', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (32, 'Living Off The Land Attack Using Deceptive Resources', 3, 3, 2, 'Defense Evasion', 'T1218 - Signed Binary Proxy Execution', 'Detects when attackers use legitimate system tools and binaries to interact with deceptive resources, indicating Living Off The Land (LOLBins) attack techniques. This is a high-confidence indicator of malicious activity as legitimate users should not be accessing deceptive resources with system binaries.
+
+Next Steps:
+1. Immediately isolate the affected system to prevent lateral movement
+2. Review the process execution chain to identify the parent process and any child processes
+3. Check if the user account is compromised by reviewing recent authentication logs
+4. Examine command line arguments and scripts executed by the LOLBin
+5. Search for other deceptive resource interactions from the same user or system
+6. Collect memory dump if possible for forensic analysis
+7. Review network connections made by the process for C2 communication
+8. Check for persistence mechanisms (scheduled tasks, registry modifications, services)
+', '["https://attack.mitre.org/techniques/T1218/","https://attack.mitre.org/techniques/T1053/","https://lolbas-project.github.io/","https://deceptivebytes.com/solution/"]', 'equals("log.event_type", "lolbin_trap") && oneOf("log.process_name", ["powershell.exe", "cmd.exe", "wmic.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"]) && exists("log.deceptive_target")', '2026-02-09 16:28:49.511077', true, false, 'origin', null, '[]', '["lastEvent.log.deceptive_target","adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (33, 'Privilege Escalation Bait Accessed', 3, 3, 2, 'Privilege Escalation', 'T1068 - Exploitation for Privilege Escalation', 'Detects when an attacker accesses deceptive privileged account baits or attempts to escalate privileges using trapped credentials, indicating active exploitation attempts. This is a high-priority alert as it indicates an active attacker who has progressed beyond initial access and is attempting to gain elevated privileges.
+
+Next Steps:
+- Immediately isolate the affected system to prevent lateral movement
+- Review authentication logs for the source IP and user account to identify scope of compromise
+- Check for other deception bait interactions from the same source in the past 24 hours
+- Investigate any legitimate user activity that may have been compromised
+- Collect forensic data from the endpoint including running processes and network connections
+- Review SIEM/EDR alerts for related suspicious activities from the same source
+- Document the attacker''s TTPs for threat intelligence sharing
+- Consider resetting credentials for any accounts that may have been exposed
+- Update firewall rules to block the attacker''s source IP if confirmed malicious
+', '["https://attack.mitre.org/techniques/T1068/","https://attack.mitre.org/techniques/T1078/","https://www.checkpoint.com/cyber-hub/cyber-security/what-is-deception-technology/"]', 'equals("log.event_type", "bait_accessed") &&
+equals("log.bait_type", "privileged_account") &&
+oneOf("log.target_privilege", ["admin", "system", "administrator"])
+', '2026-02-09 16:28:49.605982', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (34, 'Ransomware Behavior Detected in Deception Environment', 3, 3, 3, 'Impact', 'T1486 - Data Encrypted for Impact', 'Detects ransomware-like behavior patterns when attackers interact with deceptive files, including rapid file enumeration, encryption attempts, and ransom note creation in the Deceptive Bytes deception environment.
+
+Next Steps:
+1. Immediately isolate the affected system from the network to prevent ransomware spread
+2. Check the process name and path identified in the alert for known ransomware indicators
+3. Review file system activity from the same process for encryption patterns
+4. Check for shadow copy deletion attempts (vssadmin, wmic shadowcopy delete)
+5. Look for network connections to potential C2 servers from the identified process
+6. Preserve forensic evidence and memory dumps if possible
+7. Verify if this is a deception environment interaction or production system compromise
+8. Check for lateral movement attempts from the source IP address
+9. Review backup integrity and availability before any restoration attempts
+', '["https://attack.mitre.org/techniques/T1486/","https://attack.mitre.org/techniques/T1490/","https://deceptivebytes.com/solution/"]', 'equals("log.event_type", "ransomware_behavior") &&
+oneOf("log.behavior_pattern", ["mass_encryption", "file_enumeration", "ransom_note_drop"])
+', '2026-02-09 16:28:49.721539', true, false, 'origin', null, '[{"indexPattern":"v11-log-deceptive-bytes-*","with":[{"field":"log.process","operator":"filter_term","value":"{{log.process}}"},{"field":"log.source_ip","operator":"filter_term","value":"{{log.source_ip}}"}],"or":null,"within":"now-15m","count":10}]', '["lastEvent.log.hostname","lastEvent.log.process"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (35, 'Threat Actor Attribution', 2, 2, 2, 'Threat Intelligence', 'T1583 - Acquire Infrastructure', 'Correlates observed attack patterns, tools, techniques, and infrastructure with known threat actor profiles to provide attribution intelligence and identify potential threat actors based on high-confidence indicators.
+
+Next Steps:
+1. Review the attributed threat actor profile and historical campaigns for context
+2. Analyze the specific TTPs (Tactics, Techniques, and Procedures) that triggered the attribution
+3. Check for related activity from the same actor across other systems or time periods
+4. Correlate with threat intelligence feeds to validate attribution confidence
+5. Document observed infrastructure and tooling for future threat hunting
+6. Consider implementing specific detections for this actor''s known techniques
+7. Share attribution indicators with security teams for enhanced monitoring
+8. Escalate to incident response team if high-profile threat actor is identified
+', '["https://attack.mitre.org/groups/","https://malpedia.caad.fkie.fraunhofer.de/"]', 'equals("log.eventType", "threat_attribution") &&
+greaterOrEqual("log.attributionConfidence", 70) &&
+exists("log.actorProfile") &&
+equals("log.deceptionTriggered", true) &&
+(greaterOrEqual("log.ttpsMatched", 3) ||
+ equals("log.infrastructureMatch", true) ||
+ exists("log.toolingFingerprint")) &&
+equals("log.historicalCampaignMatch", true)
+', '2026-02-09 16:28:49.841808', true, false, 'origin', null, '[]', '["lastEvent.log.actorProfile","lastEvent.log.campaignId","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (36, 'Zero-Day Behavior Patterns Detection', 3, 3, 3, 'Defense Evasion', 'T1211 - Exploitation for Defense Evasion', 'Identifies potential zero-day exploits and unknown malware through abnormal behavior patterns, deception interactions, and anomaly detection in endpoint activities.
+
+Next Steps:
+1. Immediately isolate the affected system from the network to prevent lateral movement
+2. Capture memory dumps and process information for forensic analysis
+3. Check for similar behavioral anomalies on other endpoints in the same network segment
+4. Review the exploit technique and process chain to understand the attack vector
+5. Submit samples to threat intelligence platforms for analysis
+6. Update security controls based on the identified exploit patterns
+7. Document all IOCs (file hashes, network connections, process behaviors) for threat hunting
+', '["https://attack.mitre.org/techniques/T1211/","https://attack.mitre.org/techniques/T1055/","https://attack.mitre.org/techniques/T1620/"]', 'oneOf("log.eventType", ["unknown_threat", "behavioral_anomaly", "zero_day_suspect"]) &&
+equals("log.threatSignature", "unknown") &&
+equals("log.deceptionEnvironment", true) &&
+(
+  (greaterOrEqual("log.memoryAnomalyScore", 90)) ||
+  (greaterOrEqual("log.processChainAnomalyScore", 85)) ||
+  (greaterOrEqual("log.networkBehaviorScore", 88)) ||
+  (greaterOrEqual("log.fileSystemAnomalyScore", 92))
+) &&
+equals("log.knownMalwareFamily", "") &&
+exists("log.exploitTechnique")
+', '2026-02-09 16:28:49.976711', true, false, 'origin', null, '[{"indexPattern":"v11-log-deceptive-bytes-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.processName","operator":"filter_term","value":"{{log.processName}}"}],"or":null,"within":"now-30m","count":2}]', '["lastEvent.log.exploitTechnique","lastEvent.log.processHash","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (37, 'Advanced Heuristic Detection Triggers', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects when ESET''s advanced heuristic engine identifies suspicious behavior patterns that may indicate novel malware or zero-day threats. These detections use DNA signatures and behavioral analysis.
+
+Next Steps:
+- Review the affected hostname and user context to understand the scope
+- Check the process name (if available) that triggered the detection
+- Verify if the action taken (cleaned/deleted/quarantined) was successful
+- Look for related alerts from the same host within the past 24 hours
+- If multiple hosts show similar detections, investigate potential lateral movement
+- Consider isolating the affected system if threat persists
+- Review ESET console link (if available) for detailed threat information
+- Check file hash against threat intelligence databases if available
+- Capture and analyze the malicious file sample if quarantined
+- Review system logs for any unusual activities before and after detection
+- Update ESET signatures and run a full system scan
+', '["https://help.eset.com/eea/8/en-US/idh_config_threat_sense.html","https://attack.mitre.org/techniques/T1055/"]', 'oneOf("log.msgType", ["EnterpriseInspectorAlert_Event", "threat_event", "FirewallAggregatedAlert_Event"]) &&
+contains("log.jsonMessage", ["heuristic", "NewHeur", "suspicious behavior"]) &&
+contains("log.jsonMessage", ["cleaned", "deleted", "quarantined", "blocked"])
+', '2026-02-09 16:28:50.121137', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-esmc-eset-*","with":[{"field":"log.headHostname","operator":"filter_term","value":"{{log.headHostname}}"}],"or":null,"within":"now-30m","count":3}]', '["lastEvent.log.headHostname","lastEvent.log.msgType"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (38, 'ESET Botnet Communication Detection', 3, 3, 2, 'Command and Control', 'T1071 - Application Layer Protocol', 'Detects attempts to communicate with known botnet command and control servers. ESET identifies typical communication patterns when a computer is infected and a bot is attempting to communicate with malicious C2 infrastructure.
+
+Next Steps:
+1. Immediately isolate the affected system from the network to prevent further C2 communication
+2. Check the hostname (log.headHostname) to identify the affected system
+3. Review the full log message content (log.jsonMessage) for additional threat details including target IPs and processes
+4. Review process activity on the affected host to identify the malicious process
+5. Scan the system with ESET for complete malware removal
+6. Check other systems in the network for similar C2 communication attempts
+7. Update firewall rules to block any identified C2 server IPs found in the logs
+8. Consider reimaging the system if the infection persists
+9. Review ESET logs for the time period around this detection to identify related malicious activity
+', '["https://www.eset.com/us/botnet/","https://support.eset.com/en/kb7487-resolve-the-incomingattackgeneric-or-botnetcncgeneric-network-protection-alert","https://attack.mitre.org/techniques/T1071/"]', 'contains("log.jsonMessage", ["Botnet", "CnC.Generic", "botnet", "C&C", "command and control"]) &&
+exists("log.headHostname")
+', '2026-02-09 16:28:50.326726', true, false, 'origin', null, '[]', '["lastEvent.log.headHostname","lastEvent.log.jsonMessage"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (39, 'ESET Agent Disabled or Tampered', 3, 3, 3, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when the ESET security agent is disabled, uninstalled, or tampered with. This is a critical defense evasion indicator as attackers commonly disable endpoint protection before executing their payload.
+
+Next Steps:
+1. Immediately investigate the affected endpoint
+2. Determine who or what process disabled the agent
+3. Check for concurrent malicious activity on the endpoint
+4. Reinstall and re-enable the ESET agent
+5. Review the endpoint for malware or unauthorized software
+6. Check if similar tampering occurred on other endpoints
+', '["https://help.eset.com/ees/8/en-US/idh_config_era_agent.html","https://attack.mitre.org/techniques/T1562/001/"]', '(regexMatch("log.message", "(?i)(eset|ekrn|egui|agent)") &&
+ regexMatch("log.message", "(?i)(disabled|stopped|uninstalled|removed|tampered|terminated)")) ||
+(contains("log.message", "protection status") && contains("log.message", "disabled")) ||
+(contains("log.message", "agent") && contains("log.message", "not responding")) ||
+(equals("log.eventType", "AGENT_EVENT") && contains("log.message", "removed"))
+', '2026-02-09 16:28:50.486216', true, false, 'origin', null, '[]', '["lastEvent.log.eventType","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (40, 'ESET ERA/ESMC Console Suspicious Activity', 3, 3, 2, 'Lateral Movement', 'T1072 - Software Deployment Tools', 'Detects suspicious activity on the ESET ERA/ESMC management console including unauthorized policy changes, mass task deployments, or admin account modifications that could indicate console compromise.
+
+Next Steps:
+1. Verify the admin account performing console operations
+2. Review recent policy changes and task deployments
+3. Check admin login history for unauthorized access
+4. Verify the content of any pushed policies or tasks
+5. Suspend suspicious admin accounts
+6. Audit endpoints affected by recent console changes
+', '["https://help.eset.com/esmc_admin/70/en-US/","https://attack.mitre.org/techniques/T1072/"]', '(contains("log.message", "policy") &&
+ (contains("log.message", "modified") || contains("log.message", "assigned") ||
+  contains("log.message", "created"))) ||
+(contains("log.message", "client task") &&
+ (contains("log.message", "executed") || contains("log.message", "deployed"))) ||
+(contains("log.message", "administrator") &&
+ ((contains("log.message", "created") || contains("log.message", "modified")) ||
+  (contains("log.message", "login") && contains("log.message", "failed"))))
+', '2026-02-09 16:28:50.647197', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-esmc-eset-*","with":[{"field":"log.headHostname","operator":"filter_term","value":"{{log.headHostname}}"}],"or":null,"within":"now-30m","count":10}]', '["lastEvent.log.headHostname","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (41, 'ESET Repeated Quarantine Failures', 2, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects repeated quarantine failures in ESET, which may indicate malware actively resisting quarantine through file locks, permission manipulation, or rapid re-creation of malicious files.
+
+Next Steps:
+1. Identify the specific file or threat that cannot be quarantined
+2. Check the file permissions and processes locking the file
+3. Attempt manual quarantine or deletion in safe mode
+4. Review the malware''s persistence mechanisms
+5. Consider isolating the endpoint for manual remediation
+6. Run a boot-time scan if available
+', '["https://help.eset.com/ees/8/en-US/","https://attack.mitre.org/techniques/T1562/001/"]', '(contains("log.message", "quarantine") &&
+ (contains("log.message", "failed") || contains("log.message", "error") ||
+  contains("log.message", "unable") || contains("log.message", "denied"))) ||
+(contains("log.message", "clean") && contains("log.message", "failed") &&
+ contains("log.message", "threat"))
+', '2026-02-09 16:28:50.806501', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-esmc-eset-*","with":[{"field":"log.headHostname","operator":"filter_term","value":"{{log.headHostname}}"}],"or":null,"within":"now-1h","count":5}]', '["lastEvent.log.headHostname","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (42, 'ESET Exploit Detection Alert', 3, 3, 2, 'Privilege Escalation', 'T1068 - Exploitation for Privilege Escalation', 'Detects when ESET''s Exploit Blocker identifies and blocks exploitation attempts targeting vulnerabilities in commonly exploited applications such as browsers, document readers, email clients, Flash, and Java.
+
+Next Steps:
+1. Identify the affected host and the specific exploit attempt details
+2. Check for any successful exploitation attempts on the same host
+3. Review process execution logs for suspicious activity following the exploit attempt
+4. Verify that the exploit was successfully blocked and no compromise occurred
+5. Update the vulnerable application if a patch is available
+6. Consider isolating the host if exploitation may have succeeded
+', '["https://www.eset.com/us/about/technology/","https://attack.mitre.org/techniques/T1068/"]', '(contains("log.jsonMessage", "exploit") ||
+ oneOf("log.msgType", ["Exploit_Blocked", "Exploit"])) &&
+equals("actionResult", "blocked") &&
+oneOf("log.severity", ["medium", "high"])
+', '2026-02-09 16:28:50.965988', true, false, 'origin', null, '[]', '["lastEvent.log.jsonMessage","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (43, 'ESET Host Intrusion Prevention System Triggered', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects when ESET''s Host-based Intrusion Prevention System (HIPS) blocks suspicious behavior, including process manipulation, registry modifications, and file system changes that indicate potential malware activity. HIPS events indicate active attempts to compromise system integrity through various attack techniques.
+
+Next Steps:
+1. Review the blocked process or action details in the ESET console
+2. Identify the source application attempting the blocked behavior
+3. Check if the blocked action is from legitimate software (false positive)
+4. If malicious, isolate the affected system and perform full malware scan
+5. Review system logs for any successful compromise attempts before HIPS activation
+6. Update HIPS rules if necessary to prevent similar attacks
+7. Check for persistence mechanisms on the affected host
+8. Review network connections from the suspicious process if applicable
+', '["https://help.eset.com/ees/8/en-US/idh_hips_main.html","https://attack.mitre.org/techniques/T1055/"]', 'equals("log.actionResult", "HIPS_Event") && equals("log.action", "blocked") && oneOf("log.severity", ["medium", "high"])', '2026-02-09 16:28:51.125733', true, false, 'origin', null, '[]', '["lastEvent.log.objectname","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (44, 'Machine Learning Detection Anomalies', 3, 3, 2, 'Execution', 'T1204.002 - User Execution: Malicious File', 'Identifies threats detected by ESET''s machine learning engine that analyzes file behavior patterns and characteristics to identify previously unknown malware variants. Machine learning detection indicates advanced malware that may evade signature-based detection methods.
+
+Next Steps:
+- Immediately investigate the affected host for signs of compromise
+- Review the threat details in the log message to understand the malware type and behavior
+- Check if the malware was successfully blocked or quarantined
+- Look for similar detections across other hosts in your environment
+- Consider isolating the affected system if the threat was not successfully contained
+- Review process activity around the time of detection for suspicious behavior
+- Collect and analyze the malware sample if available for threat intelligence
+- Update security policies to prevent similar threats
+- Check for any data exfiltration or lateral movement attempts from the affected host
+', '["https://help.eset.com/protect_admin/11.0/en-US/events-exported-to-json-format.html","https://attack.mitre.org/techniques/T1204/002/"]', 'contains("log.message", "machine learning") &&
+contains("log.message", ["threat", "detected", "found"]) &&
+exists("log.msgType") &&
+exists("log.headHostname")
+', '2026-02-09 16:28:51.285844', true, false, 'origin', null, '[]', '["lastEvent.log.headHostname","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (45, 'ESET Network Attack Detection', 3, 2, 1, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects network-based attacks and exploits blocked by ESET''s Network Attack Protection (IDS). This includes attempts to exploit known vulnerabilities in network services and protocols.
+
+Next Steps:
+1. Review the attack details in ESET console to identify the specific vulnerability or attack pattern
+2. Check if the source IP is known malicious using threat intelligence sources
+3. Verify if other systems received similar attacks from the same source
+4. Review firewall logs for additional suspicious activity from the source IP
+5. Consider blocking the source IP at the perimeter firewall if attacks persist
+6. Update network security policies and ensure all systems are patched
+', '["https://help.eset.com/ees/7/en-US/idh_config_epfw_network_attack_protection.html","https://attack.mitre.org/techniques/T1190/"]', 'equals("log.event_type", "NetworkProtection_Event") &&
+equals("log.action", "blocked") &&
+exists("origin.ip")
+', '2026-02-09 16:28:51.445944', true, false, 'origin', null, '[]', '["adversary.ip","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (46, 'Suspicious Encrypted File Activity', 3, 3, 2, 'Impact', 'T1486 - Data Encrypted for Impact', 'Detects suspicious encrypted file activities that may indicate ransomware encryption attempts or unauthorized file encryption operations. This rule triggers when ESET detects ransomware-related threats or file encryption activities.
+
+Next Steps:
+1. Immediately isolate the affected system to prevent spread
+2. Check if backup systems are accessible and uncompromised
+3. Review the threat details in log.jsonMessage for specific ransomware variant
+4. Look for other systems showing similar encryption patterns
+5. Preserve forensic evidence before remediation
+6. Consider engaging incident response team for ransomware cases
+7. Do not power off the system if encryption is in progress
+', '["https://attack.mitre.org/techniques/T1486/","https://help.eset.com/protect_admin/10.1/en-US/events-exported-to-json-format.html"]', 'equals("log.msgType", "Threat_Event") &&
+contains("log.jsonMessage", ["ransomware", "filecoder", "encrypted", ".encrypted"])
+', '2026-02-09 16:28:51.606002', true, false, 'origin', null, '[]', '["lastEvent.log.msgType","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (47, 'Registry Modification Attempts Blocked', 2, 3, 2, 'Defense Evasion, Persistence', 'T1112 - Modify Registry', 'Identifies attempts to modify critical Windows registry keys that were blocked by ESET, indicating potential persistence or system tampering attempts. Registry modifications are a common technique used by malware to establish persistence, disable security features, or alter system behavior.
+
+Next Steps:
+1. Review the blocked action details to understand what registry key was targeted
+2. Investigate the source process and user account involved in the attempt
+3. Check for other security events from the same host around the same time
+4. Verify if this is legitimate administrative activity or potential malicious behavior
+5. If suspicious, isolate the affected system and perform a full malware scan
+6. Review system logs for any successful registry modifications before the block occurred
+', '["https://help.eset.com/esmc_admin/70/en-US/events-exported-to-json-format.html","https://attack.mitre.org/techniques/T1112/"]', 'exists("log.jsonMessage") &&
+contains("log.jsonMessage", "registry") &&
+oneOf("log.action", ["blocked", "denied", "prevented"]) &&
+oneOf("log.severity", ["high", "medium"])
+', '2026-02-09 16:28:51.765946', true, false, 'origin', null, '[]', '["lastEvent.log.action","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (48, 'ESET Blocked Suspicious PowerShell Activity', 3, 3, 1, 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'Detects when ESET blocks suspicious PowerShell commands or scripts that exhibit malicious behavior patterns, including obfuscated scripts, encoded commands, or attempts to bypass execution policies. This is a high-priority security event that indicates potential malicious activity was prevented.
+
+Next Steps:
+1. Review the blocked PowerShell command details in the log message
+2. Identify the user account and process that attempted to execute PowerShell
+3. Check if this is part of legitimate administrative activity or scripting
+4. Investigate the source of the PowerShell execution (parent process, script location)
+5. Look for other suspicious activities from the same host or user
+6. Consider isolating the affected system if malicious intent is confirmed
+7. Review and update PowerShell execution policies if needed
+', '["https://help.eset.com/ees/8/en-US/idh_hips_main.html","https://attack.mitre.org/techniques/T1059/001/"]', 'regexMatch("log.message", "(?i)(powershell|pwsh)") && equals("log.action", "blocked") && exists("log.headHostname")', '2026-02-09 16:28:51.906284', true, false, 'origin', null, '[]', '["lastEvent.log.headHostname","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (50, 'Code Injection Attempt Detection', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects attempts to inject malicious code into legitimate processes. This technique is commonly used by malware to evade detection and gain elevated privileges by running within trusted processes.
+
+Next Steps:
+1. Immediately isolate the affected system to prevent lateral movement
+2. Identify the source process that attempted the injection
+3. Check if the malware was successfully quarantined or if manual removal is needed
+4. Review system logs for any suspicious activities around the same timeframe
+5. Scan the system with updated antivirus definitions
+6. Check for persistence mechanisms (scheduled tasks, registry keys, services)
+7. Review network connections from the affected host for C2 communications
+8. Consider reimaging the system if critical processes were compromised
+', '["https://attack.mitre.org/techniques/T1055/","https://support.kaspersky.com/KESWin/11/en-us/151065.htm"]', '(equals("log.signatureID", "3") || equals("log.cs1", "DETECT")) &&
+(regexMatch("log.cefMsg", "(?i).*(inject|injection|CreateRemoteThread|SetWindowsHookEx|WriteProcessMemory).*") ||
+ contains("log.cs4", ["inject", "hooking", "trojan", "backdoor"]) ||
+ contains("log.action", ["terminate", "delete", "quarantine"])) &&
+(contains("log.cefMsg", ["lsass", "csrss", "winlogon", "services", "svchost", "explorer"]) ||
+ contains("log.cefMsgAll", "process"))
+', '2026-02-09 16:29:46.566557', true, false, 'origin', null, '[]', '["lastEvent.log.cs3","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (51, 'Kaspersky Command and Control Communication Detection', 3, 3, 2, 'Command and Control', 'T1071 - Application Layer Protocol', 'Detects potential command and control (C2) communication attempts identified by Kaspersky, including suspicious outbound connections, malware callbacks, and botnet communication patterns. This rule triggers when Kaspersky identifies network threats related to botnet activity, C2 communications, or malware beaconing that was not successfully blocked.
+
+Next Steps:
+1. Immediately isolate the affected system from the network to prevent further C2 communication
+2. Review the target IP address against threat intelligence feeds to confirm malicious activity
+3. Check if other systems have communicated with the same C2 server
+4. Analyze the process or malware that initiated the connection
+5. Review Kaspersky logs for additional context about the threat
+6. Perform a full system scan and forensic analysis on the affected machine
+7. Update antivirus signatures and ensure real-time protection is enabled
+8. Consider reimaging the system if compromise is confirmed
+', '["https://attack.mitre.org/techniques/T1071/","https://support.kaspersky.com/KLMS/8.2/en-US/151504.htm"]', '(contains("log.cs2", ["Bot", "bot", "C2", "Command", "command"]) ||
+ contains("log.message", ["callback", "beacon"]) ||
+ equals("log.cat", "NetworkThreat")) &&
+exists("target.ip") &&
+!equals("action", "blocked")
+', '2026-02-09 16:29:46.705948', true, false, 'origin', null, '[]', '["adversary.host","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (52, 'Kaspersky Critical Object Detection', 3, 3, 2, 'Execution', 'T1204 - User Execution: Malicious File', 'Detects when Kaspersky identifies critical threats including malware, trojans, or other dangerous objects that require immediate attention. High severity detections often indicate active threats.
+
+Next Steps:
+1. Immediately isolate the affected system from the network to prevent lateral movement
+2. Identify the malware name/signature from log.cs1, log.cs2, or log.cs4 fields
+3. Check if Kaspersky successfully quarantined or removed the threat
+4. Scan other systems in the same network segment for similar infections
+5. Review recent user activity and email attachments that could be the infection vector
+6. Collect and preserve forensic artifacts if needed for incident response
+7. Update antivirus signatures and run a full system scan
+8. Consider reimaging the system if the infection is severe or persistent
+', '["https://support.kaspersky.com/ScanEngine/1.0/en-US/186767.htm","https://attack.mitre.org/techniques/T1204/"]', 'exists("log.signatureID") &&
+equals("log.cefDeviceSeverity", "High") &&
+(contains("log.cs1", ["INFECTED", "MALWARE", "TROJAN"]) ||
+ contains("log.cs2", "Trojan") ||
+ contains("log.cs4", "Trojan") ||
+ contains("log.message", ["infected", "malicious"]))
+', '2026-02-09 16:29:46.871602', true, false, 'origin', null, '[]', '["lastEvent.log.signatureID","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (168, 'GCP probable Government-backed attack', 3, 3, 2, 'Collection', 'T1560 - Archive Collected Data', 'A user''s account might have been targeted by government-backed attack.  Government-backed attackers are trying to access the account of one of your users.  An attack happens to less than 0.1% of all Google Account users. There''s a chance the alert is  a false alarm. However, we believe we detected activities that government-backed attackers use  to try to steal a password or other personal information. Such activity includes the user receiving  an email containing a harmful attachment, links to malicious software downloads, or links to fake  websites that are designed to access passwords.', '["https://attack.mitre.org/tactics/TA0009/","https://attack.mitre.org/techniques/T1560"]', 'contains("log.protoPayload.methodName", "google.login.LoginService.govAttackWarning")
+', '2026-02-09 16:31:52.331138', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (53, 'Kaspersky Data Exfiltration Attempts Detection', 3, 2, 1, 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 'Detects potential data exfiltration attempts identified by Kaspersky through suspicious network traffic patterns, large data transfers, or connections to suspicious external destinations. This rule monitors for network threats, trojan/backdoor detections, and suspicious data transfer patterns that may indicate data exfiltration.
+
+Next Steps:
+1. Immediately identify the source host (origin.ip) and any associated user accounts on the affected system
+2. Check if the destination IP (target.ip) is known malicious using threat intelligence sources
+3. Review the volume and frequency of data transfers to this destination in the last 24-48 hours
+4. Search for any other malware detections (especially Trojans/Backdoors) on the same host
+5. Analyze network traffic logs for unusual patterns or protocols from the source IP
+6. Check if other hosts in your network have connected to the same destination
+7. If confirmed malicious:
+   - Block the destination IP at firewall/proxy level
+   - Isolate the affected system from network
+   - Initiate full incident response procedures
+   - Preserve evidence for forensic analysis
+8. Document all findings and actions taken for compliance and future reference
+', '["https://attack.mitre.org/techniques/T1048/","https://support.kaspersky.com/KLMS/8.2/en-US/151684.htm"]', '(equals("log.cat", "NetworkThreat") ||
+ regexMatch("log.cs2", "(?i).*(trojan|backdoor).*") ||
+ regexMatch("log.cefMsg", "(?i).*(data.*transfer|exfiltrat|upload.*suspicious|unauthorized.*transfer).*") ||
+ regexMatch("log.cefMsgAll", "(?i).*(data.*exfiltration|suspicious.*upload|unauthorized.*transfer).*")) &&
+exists("target.ip") &&
+greaterOrEqual("log.cefDeviceSeverity", 3)
+', '2026-02-09 16:29:47.051234', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-kaspersky-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.cat","operator":"filter_term","value":"NetworkThreat"}],"or":null,"within":"now-30m","count":5}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (54, 'Kaspersky Agent Disabled or Tampered', 3, 3, 3, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when the Kaspersky security agent is disabled, stopped, or tampered with. This is a critical indicator of defense evasion as attackers disable endpoint protection to execute malware undetected.
+
+Next Steps:
+1. Immediately investigate the affected endpoint
+2. Identify the user or process that disabled the agent
+3. Check for concurrent malicious activity
+4. Re-enable the Kaspersky agent
+5. Perform a full system scan
+6. Check for similar events on other endpoints
+', '["https://support.kaspersky.com/","https://attack.mitre.org/techniques/T1562/001/"]', 'exists("log.signatureID") &&
+(regexMatch("log.message", "(?i)(kaspersky|klnagent|kavfs|kesl).*( disabled| stopped| removed| tampered| uninstalled)") ||
+ regexMatch("log.message", "(?i)(protection|self-defense).*(disabled|off|stopped)") ||
+ (contains("log.cs1", "PROTECTION") && contains("log.message", "disabled")) ||
+ (contains("log.message", "agent") && contains("log.message", "not running")))
+', '2026-02-09 16:29:47.205678', true, false, 'origin', null, '[]', '["lastEvent.log.dvchost","lastEvent.log.src"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (55, 'Kaspersky Ransomware Behavior Detection', 3, 3, 3, 'Impact', 'T1486 - Data Encrypted for Impact', 'Detects ransomware behavior patterns identified by Kaspersky including mass file encryption, ransom note creation, and ransomware-specific malware classifications.
+
+Next Steps:
+1. Immediately isolate the affected system from the network
+2. Identify the ransomware variant from Kaspersky''s classification
+3. Check backup availability and integrity
+4. Do not pay the ransom
+5. Engage incident response team
+6. Scan other systems for the same indicators
+7. Determine the initial infection vector
+', '["https://support.kaspersky.com/","https://attack.mitre.org/techniques/T1486/"]', 'exists("log.signatureID") &&
+(regexMatch("log.message", "(?i)(ransomware|ransom|trojan-ransom|cryptolocker|locky|cerber|wannacry|ryuk|conti|lockbit|blackcat)") ||
+ contains("log.cs2", "Trojan-Ransom") || contains("log.cs4", "Trojan-Ransom") ||
+ (contains("log.message", "encrypt") && contains("log.message", "mass")) ||
+ (contains("log.message", "System Watcher") && contains("log.message", "rollback")))
+', '2026-02-09 16:29:47.406636', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-kaspersky-*","with":[{"field":"log.src","operator":"filter_term","value":"{{log.src}}"}],"or":null,"within":"now-10m","count":3}]', '["lastEvent.log.dvchost","lastEvent.log.src"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (56, 'Kaspersky Rootkit Detection', 3, 3, 3, 'Defense Evasion', 'T1014 - Rootkit', 'Detects rootkit activity identified by Kaspersky security, including hidden processes, kernel-level modifications, and rootkit-specific malware classifications that indicate a deeply compromised system.
+
+Next Steps:
+1. Immediately isolate the affected system
+2. Do not trust any output from the compromised system
+3. Perform offline forensic analysis
+4. Plan for full system reimaging
+5. Check for lateral movement from the compromised host
+6. Determine the initial infection vector
+', '["https://support.kaspersky.com/","https://attack.mitre.org/techniques/T1014/"]', 'exists("log.signatureID") &&
+(regexMatch("log.message", "(?i)(rootkit|bootkit|Rootkit|hidden.*process|hidden.*module)") ||
+ contains("log.cs2", "Rootkit") || contains("log.cs4", "Rootkit") ||
+ contains("log.cs2", "Bootkit") || contains("log.cs4", "Bootkit") ||
+ (contains("log.message", "System Analysis") && contains("log.message", "hidden")))
+', '2026-02-09 16:29:47.566348', true, false, 'origin', null, '[]', '["lastEvent.log.dvchost","lastEvent.log.src"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (57, 'Lateral Movement Indicators Detection', 3, 3, 2, 'Lateral Movement', 'T1021 - Remote Services', 'Detects indicators of lateral movement attempts within the network through Kaspersky antivirus logs. 
+Attackers use various techniques including PSExec, WMI, RDP, SMB shares, and exploitation tools to move 
+from one compromised system to others, expanding their access and control across the network. This rule 
+identifies blocked or detected activities that may indicate lateral movement attempts.
+
+Next Steps:
+1. Investigate the source IP and hostname for signs of compromise
+2. Review authentication logs for the same time period to identify potential credential theft
+3. Check if the detected tools (PSExec, WMI, RDP) are authorized for use in your environment
+4. Examine network traffic between the source and destination systems
+5. Look for other suspicious activities from the same source host
+6. Consider isolating affected systems if lateral movement is confirmed
+7. Review similar patterns from the same source within the detection window
+', '["https://attack.mitre.org/tactics/TA0008/","https://support.kaspersky.com/KESWin/11/en-us/151065.htm"]', '(equals("log.cn1", "3") || equals("log.cs1", "DETECT") || equals("log.act", "blocked")) &&
+(contains("log.cefMsg", ["psexec", "wmi", "rdp", "smb", "admin$", "ipc$", "c$",
+  "remote", "lateral", "pivot"]) ||
+ contains("log.cs4", ["exploit", "mimikatz", "bloodhound", "sharphound", "propagat"])) &&
+exists("log.dst") &&
+exists("log.src") &&
+safe(log.src, "") != safe(log.dst, "")
+', '2026-02-09 16:29:47.711856', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-kaspersky-*","with":[{"field":"log.src","operator":"filter_term","value":"{{log.src}}"}],"or":null,"within":"now-2h","count":3}]', '["lastEvent.log.dhost","lastEvent.log.dst","lastEvent.log.src"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (188, 'AWS CloudTrail Log Deleted', 2, 3, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"]', 'equals("log.eventSource", "cloudtrail.amazonaws.com") &&
+equals("log.eventName", "DeleteTrail")
+', '2026-02-09 16:32:22.485394', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (58, 'Living Off the Land Binaries (LOLBins) Abuse Detection', 3, 3, 2, 'Defense Evasion', 'T1218 - System Binary Proxy Execution', 'Detects the malicious use of legitimate Windows system binaries (LOLBins) to execute malicious code. Attackers abuse these trusted tools to bypass security controls and maintain persistence. LOLBins are particularly dangerous because they are signed Microsoft binaries that are trusted by most security products.
+
+Next Steps:
+1. Immediately isolate the affected system from the network to prevent lateral movement
+2. Review the full context of the detection including command line parameters and parent processes
+3. Check for any network connections or file downloads initiated by the LOLBin process
+4. Look for persistence mechanisms (scheduled tasks, registry keys, services) created around the same time
+5. Scan for additional indicators of compromise on the affected system
+6. Review user account activity for signs of compromise or privilege escalation
+7. Consider reimaging the system if fileless malware is confirmed
+', '["https://attack.mitre.org/techniques/T1218/","https://lolbas-project.github.io/","https://www.kaspersky.com/enterprise-security/wiki-section/products/fileless-threats-protection"]', '(equals("log.signatureID", "3") || equals("log.cs1", "DETECT")) &&
+(regexMatch("log.cefMsg", "(?i).*(rundll32|regsvr32|mshta|certutil|bitsadmin|powershell|wmic|cscript|wscript|msiexec|installutil|regasm|regsvcs).*") ||
+ contains("log.cs4", ["fileless", "LOLBin", "LOLBas"])) &&
+(contains("log.cefMsg", ["download", "execute", "bypass", "encoded", "obfuscat", "hidden", "malicious"]) ||
+ exists("log.actionResult"))
+', '2026-02-09 16:29:47.867270', true, false, 'origin', null, '[]', '["lastEvent.log.cs4","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (59, 'Kaspersky Application Privilege Escalation Detection', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055/T1134 - Process Injection and Access Token Manipulation', 'Detects attempts to escalate privileges through application manipulation, process injection, or unauthorized elevation of permissions monitored by Kaspersky endpoint protection. These techniques are commonly used by attackers to gain higher-level permissions on compromised systems.
+
+Next Steps:
+1. Immediately isolate the affected system to prevent lateral movement
+2. Review the process that triggered the alert and its parent process chain
+3. Check if the source process is legitimate or potentially malicious
+4. Look for other suspicious activities on the same host in the last hour
+5. Collect memory dumps if possible for forensic analysis
+6. Review user account permissions and recent changes
+7. Check for any unauthorized scheduled tasks or services
+8. Update Kaspersky signatures and run a full system scan
+', '["https://support.kaspersky.com/KLMS/8.2/en-US/151684.htm","https://attack.mitre.org/techniques/T1055/","https://attack.mitre.org/techniques/T1134/"]', 'exists("log.signatureID") &&
+!equals("log.action", "Allowed") &&
+(contains("log.message", ["privilege", "elevation", "EXPLOIT", "Exploit",
+   "process injection", "token manipulation"]) ||
+ contains("log.cs1", "EXPLOIT") ||
+ contains("log.cs2", "Exploit") ||
+ contains("log.cs4", "Exploit") ||
+ contains("log.cefMsg", ["privilege", "elevation"]))
+', '2026-02-09 16:29:48.010688', true, false, 'origin', null, '[]', '["lastEvent.log.signatureID","adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (60, 'Kaspersky Sandbox Evasion Attempts Detection', 3, 3, 2, 'Defense Evasion, Discovery', 'T1497 - Virtualization/Sandbox Evasion', 'Identifies malware attempting to detect and evade sandbox environments. This includes time-based evasion, environment checks, anti-VM techniques, and other behaviors designed to avoid analysis in controlled environments.
+
+Next Steps:
+1. Immediately isolate the affected system to prevent potential malware spread
+2. Review the process that triggered the sandbox evasion detection
+3. Check for any suspicious parent processes or child processes
+4. Collect memory dumps and samples for deeper analysis
+5. Review recent file downloads and email attachments on the affected system
+6. Check if similar detection occurred on other systems in the network
+7. Consider submitting the sample to Kaspersky for further analysis
+', '["https://www.kaspersky.com/enterprise-security/malware-sandbox","https://attack.mitre.org/techniques/T1497/","https://attack.mitre.org/techniques/T1497/001/"]', 'exists("log.signatureID") &&
+(contains("log.cefMsg", ["sandbox", "evasion", "anti-VM", "virtualization"]) ||
+ contains("log.cefMsgAll", ["sandbox", "evasion"]) ||
+ contains("log.cs1", "SANDBOX_") ||
+ contains("log.cs4", ["Evasion", "AntiVM", "environment check", "time delay", "VM detection"]) ||
+ (equals("log.cat", "Behavior Detection") &&
+  contains("log.cefMsg", ["delay", "sleep"])))
+', '2026-02-09 16:29:48.151518', true, false, 'origin', '["adversary.host","lastEvent.log.cs4"]', '[]', null);
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (61, 'Kaspersky Suspicious Network Activity Detection', 3, 2, 2, 'Command and Control', 'T1071 - Application Layer Protocol', 'Detects suspicious network activities including unusual connections, potential C2 communications, or network-based attacks identified by Kaspersky security monitoring. This rule triggers when Kaspersky blocks network connections that match suspicious patterns and multiple similar events occur from the same host.
+
+Next Steps:
+1. Review the source and destination IP addresses for known malicious indicators using threat intelligence feeds
+2. Check if the blocked connection was attempting to reach known C2 servers or suspicious domains
+3. Examine the process that initiated the network connection (check log.processName or log.filePath if available)
+4. Review other security events from the same host within the last hour for additional IOCs
+5. Verify if multiple hosts are exhibiting similar network behavior (potential lateral movement or outbreak)
+6. Check firewall logs for any successful connections to the same destination that may have bypassed Kaspersky
+7. Consider isolating the affected system if C2 communication is confirmed
+8. Run a full system scan on the affected host and check for persistence mechanisms
+9. Review network traffic logs for data exfiltration attempts to the same destination
+10. Document the incident and update block lists with confirmed malicious IPs/domains
+', '["https://support.kaspersky.com/kwts/6.1/267200","https://attack.mitre.org/techniques/T1071/","https://attack.mitre.org/techniques/T1043/"]', 'exists("log.signatureID") &&
+(contains("log.message", ["suspicious connection", "network attack", "port scan", "unusual traffic"]) ||
+ contains("log.descMsg", "network") ||
+ contains("log.cs1", "NETWORK") ||
+ contains("log.cs2", "Net-Worm") ||
+ contains("log.cs4", "Net-Worm") ||
+ (exists("log.dstIP") && exists("log.dpt"))) &&
+equals("log.act", "Blocked")
+', '2026-02-09 16:29:48.296465', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-kaspersky-*","with":[{"field":"log.src","operator":"filter_term","value":"{{log.src}}"},{"field":"log.dstIP","operator":"filter_term","value":"{{log.dstIP}}"}],"or":null,"within":"now-30m","count":5}]', '["lastEvent.log.dstIP","lastEvent.log.dvchost","lastEvent.log.src"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (82, 'Storyline Correlation Event', 3, 3, 2, 'Attack Chain Detection', 'Attack Chain Analysis', 'Detects correlated attack patterns identified by SentinelOne''s Storyline feature, which connects related events to reveal complete attack chains and multi-stage threats.
+
+Next Steps:
+1. Review the complete attack chain in the SentinelOne console''s Storyline view
+2. Identify all affected endpoints and users involved in the attack chain
+3. Check for lateral movement or persistence mechanisms across the related events
+4. Isolate affected endpoints if active threats are detected
+5. Collect forensic data from all systems identified in the storyline
+6. Review and update security policies based on the attack patterns observed
+7. Analyze the attack timeline and identify any gaps in detection
+8. Coordinate with incident response team for threat hunting activities
+', '["https://www.sentinelone.com/platform/storyline-active-response/","https://attack.mitre.org/tactics/enterprise/"]', 'regexMatch("log.eventDescription", "(?i)(storyline|attack chain|correlated|multi.?stage|campaign)") && regexMatch("log.message", "(?i)(threat|attack|compromise|breach)")', '2026-02-09 16:29:51.525591', true, false, 'origin', null, '[]', '["lastEvent.log.eventDescription","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (62, 'Suspicious Packed Executable Detection', 3, 3, 2, 'Defense Evasion', 'T1027.002 - Obfuscated Files or Information: Software Packing', 'Detects when Kaspersky identifies suspicious packed executables, which are often used by malware to evade detection and analysis. Packed executables use compression or encryption to hide their true content and make reverse engineering more difficult.
+
+Next Steps:
+1. Identify the affected system from origin.hostname and origin.ip fields
+2. Review the detected threat details from log.descMsg and log.msg fields
+3. Check the action taken by the antivirus (blocked/detected) in the action field
+4. Verify if the file is legitimate software that uses packing for protection
+5. If malicious, isolate the affected system immediately
+6. Perform a full system scan to identify additional threats
+7. Review process execution logs for suspicious child processes spawned by packed executables
+8. Check network connections initiated by the suspicious executable
+9. Submit the sample to Kaspersky or third-party sandbox for detailed analysis
+10. Update antivirus signatures and ensure real-time protection is enabled
+', '["https://www.kaspersky.com/resource-center/threats/suspicious-packers","https://attack.mitre.org/techniques/T1027/002/"]', 'oneOf("action", ["blocked", "detected"]) &&
+(contains("log.descMsg", ["Packed", "packer"]) ||
+ contains("log.msg", ["packed", "Packed"]) ||
+ contains("log.descMsg", ["NSAnti", "Themida", "VMProtect", "ASPack", "UPX",
+   "PECompact", "Enigma", "Armadillo"]) ||
+ contains("log.msg", ["NSAnti", "Themida", "VMProtect", "ASPack", "UPX",
+   "PECompact", "Enigma", "Armadillo"]) ||
+ contains("log.cat", ["Trojan.Packed", "Packed"]))
+', '2026-02-09 16:29:48.426196', true, false, 'origin', null, '[]', '["adversary.hostname","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (63, 'Kaspersky Suspicious Scheduled Tasks Detection', 3, 3, 2, 'Execution, Persistence, Privilege Escalation', 'T1053 - Scheduled Task/Job', 'Detects suspicious scheduled task creation or modification identified by Kaspersky, which could indicate persistence mechanisms used by malware or attackers. Scheduled tasks are commonly abused by attackers to maintain persistence, execute malicious code at specific times, or escalate privileges.
+
+Next Steps:
+1. Review the scheduled task details in log.msg, log.fname, and log.descMsg fields
+2. Check the specific threat signature in log.signatureID to understand the detection
+3. Examine log.cs1 and log.cs2 fields for additional threat context and classification
+4. Verify if the task creation was part of legitimate administrative activity
+5. Check the affected host (origin.host) for other persistence mechanisms:
+   - Registry run keys
+   - Startup folder items
+   - Services
+   - WMI event subscriptions
+6. Review log.deviceTime for timeline analysis and correlate with other security events
+7. If confirmed malicious:
+   - Disable or remove the scheduled task immediately
+   - Scan the system for additional malware components
+   - Check if the malware has spread to other systems
+   - Preserve evidence and initiate incident response procedures
+', '["https://attack.mitre.org/techniques/T1053/","https://support.kaspersky.com/ScanEngine/1.0/en-US/186767.htm"]', '(containsAll("log.msg", ["scheduled", "task"]) ||
+ contains("log.msg", ["schtasks", "schedule"]) ||
+ contains("log.descMsg", ["scheduled", "task"]) ||
+ contains("log.cs2", "persist") ||
+ contains("log.fname", "\\Tasks\\") ||
+ contains("log.cat", "persistence")) &&
+(exists("log.signatureID") ||
+ oneOf("log.cs1", ["infected", "suspicious"]) ||
+ exists("log.cefDeviceSeverity"))
+', '2026-02-09 16:29:48.581531', true, false, 'origin', null, '[]', '["lastEvent.log.signatureID","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (64, 'Kaspersky Suspicious Service Installation Detection', 2, 2, 2, 'Persistence, Privilege Escalation', 'T1543.003 - Create or Modify System Process: Windows Service', 'Detects suspicious Windows service installation or modification attempts identified by Kaspersky, which could indicate malware persistence mechanisms or privilege escalation attempts. Service manipulation is a common technique used by malware to maintain persistence on compromised systems.
+
+Next Steps:
+1. Identify the service name and executable path from the alert details
+2. Verify if the service installation was authorized and legitimate
+3. Check the digital signature and reputation of the service executable
+4. Review parent process that initiated the service installation
+5. Look for other suspicious activities on the affected host around the same time
+6. If confirmed malicious, stop and remove the service, quarantine associated files
+7. Perform full system scan and check for additional compromise indicators
+', '["https://attack.mitre.org/techniques/T1543/003/","https://support.kaspersky.com/ScanEngine/2.1/en-US/186767.htm"]', '(containsAll("log.message", ["Service", "install"]) ||
+ containsAll("log.message", ["sc.exe", "create"]) ||
+ containsAll("log.message", ["New", "Service"]) ||
+ contains("log.fname", "\\services.exe") ||
+ contains("log.cs2", "Service")) &&
+(oneOf("log.cs1", ["infected", "suspicious"]) ||
+ greaterOrEqual("log.cefDeviceSeverity", 3))
+', '2026-02-09 16:29:48.715709', true, false, 'origin', null, '[]', '["lastEvent.log.fname","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (65, 'Kaspersky System File Tampering Detection', 2, 3, 1, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects attempts to tamper with critical system files, Windows services, or protected system components. This includes unauthorized modifications to system binaries, service configurations, or attempts to manipulate security-critical files.
+
+Next Steps:
+1. Identify the affected system file or component from the log details
+2. Check if the modification was authorized (planned maintenance, legitimate software update)
+3. Review process information to identify the source of the tampering attempt
+4. Look for additional indicators of compromise on the affected system
+5. Investigate any parent processes or scripts that initiated the modification
+6. Check for persistence mechanisms that may have been established
+7. Consider isolating the system if unauthorized tampering is confirmed
+', '["https://support.kaspersky.com/kwts/6.1/267200","https://attack.mitre.org/techniques/T1562/001/","https://attack.mitre.org/techniques/T1036/"]', 'exists("log.signatureID") &&
+(contains("log.message", ["system file", "critical file", "protected file", "service tamper"]) ||
+ contains("log.cs1", "SYSTEM_MOD") ||
+ contains("log.cs4", "SystemFile") ||
+ contains("log.cefMsg", ["system modification", "unauthorized change"]) ||
+ (equals("log.cat", "Behavior Detection") && contains("log.message", "modify")))
+', '2026-02-09 16:29:48.851403', true, false, 'origin', null, '[]', '["lastEvent.log.cs4","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (66, 'Kaspersky WMI Abuse Detection', 3, 3, 2, 'Execution', 'T1047 - Windows Management Instrumentation', 'Detects potential Windows Management Instrumentation (WMI) abuse identified by Kaspersky, including suspicious WMI queries, event subscriptions, or process creation via WMI. WMI is a legitimate Windows component often abused by attackers for lateral movement, persistence, and code execution.
+
+Next Steps:
+1. Identify the affected host and user account involved in the WMI activity
+2. Review the specific WMI commands or queries that triggered the alert
+3. Check for any unauthorized scheduled tasks or startup items created via WMI
+4. Look for other indicators of compromise on the affected system
+5. Verify if this is legitimate administrative activity or potential malicious behavior
+6. If confirmed malicious, isolate the system and perform incident response procedures
+', '["https://attack.mitre.org/techniques/T1047/","https://support.kaspersky.com/KLMS/8.2/en-US/151684.htm"]', '(contains("log.cefMsg", ["WMI", "wmi", "wmic", "winmgmt", "scrcons.exe"]) ||
+ contains("log.cefMsgAll", "WMI")) &&
+(greaterOrEqual("log.cefDeviceSeverity", 3) || equals("log.cat", "blocked"))
+', '2026-02-09 16:29:49.335545', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (67, 'SentinelOne Agent Tampering Attempts', 3, 3, 3, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects attempts to tamper with, disable, or modify the SentinelOne agent. This is a critical security event as attackers often try to disable security tools before launching their main attack. Immediate response required.
+
+Next Steps:
+1. Immediately isolate the affected endpoint to prevent further damage
+2. Review the user account associated with the tampering attempt
+3. Check system logs for any suspicious activities before and after the tampering attempt
+4. Verify if the SentinelOne agent is still functioning properly
+5. Look for any malware or unauthorized software that may have been installed
+6. Review network connections from the affected host for command and control activity
+7. If tampering was successful, consider reimaging the system after forensic analysis
+', '["https://support.sentinelone.com/hc/en-us/articles/360001089343-Protecting-the-SentinelOne-Agent","https://attack.mitre.org/techniques/T1562/001/"]', 'regexMatch("log.eventDescription", ".*(tamper|disable|stop|uninstall|modify).*agent.*") ||
+regexMatch("log.eventDescription", ".*agent.*(tamper|disable|stop|uninstall|modify).*") ||
+oneOf("log.activityType", ["agent_uninstall", "agent_disable", "agent_tamper"]) ||
+equals("log.eventType", "AgentTamperingAttempt") ||
+(regexMatch("log.processName", ".*(sentinelone|sentinel).*") &&
+ oneOf("log.action", ["kill", "terminate", "stop", "disable"]))
+', '2026-02-09 16:29:49.440788', true, false, 'origin', null, '[]', '["lastEvent.log.agentId","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (68, 'Kaspersky Trusted Application Compromise Detection', 3, 3, 2, 'Defense Evasion', 'T1218 - Signed Binary Proxy Execution', 'Identifies when legitimate or trusted applications exhibit malicious behavior, potentially indicating compromise or exploitation. This includes detecting when signed binaries are used for malicious purposes or when trusted processes perform suspicious activities. This is a critical security event that indicates an attacker may be using living-off-the-land techniques to evade detection.
+
+Next Steps:
+1. Immediately isolate the affected system to prevent lateral movement
+2. Identify the compromised trusted application and its process chain
+3. Review recent system changes and user activities on the affected host
+4. Check for persistence mechanisms (scheduled tasks, services, registry keys)
+5. Analyze network connections from the compromised application
+6. Look for data exfiltration indicators from the affected system
+7. Consider reimaging the system if compromise is confirmed
+8. Update security policies to monitor the exploited application more closely
+', '["https://www.kaspersky.com/enterprise-security/wiki-section/products/kaspersky-anti-targeted-attack-platform","https://attack.mitre.org/techniques/T1218/","https://attack.mitre.org/techniques/T1574/"]', 'exists("log.signatureID") &&
+(contains("log.msg", ["trusted application", "signed binary", "legitimate program"]) ||
+ contains("log.cs1", "TRUSTED_COMP") ||
+ contains("log.cs4", "TrustedApp") ||
+ contains("log.descMsg", "whitelisted") ||
+ (equals("log.cat", "Exploit Prevention") && contains("log.msg", "exploit")) ||
+ containsAll("log.msg", ["behavior", "trusted"])) &&
+oneOf("log.cefDeviceSeverity", ["High", "Medium"])
+', '2026-02-09 16:29:49.531168', true, false, 'origin', null, '[]', '["lastEvent.log.cs1","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (69, 'SentinelOne AI-Based Threat Hunting Alerts', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects threats identified by SentinelOne''s AI and machine learning threat hunting capabilities, including zero-day exploits, fileless attacks, and previously unknown malware variants.
+
+Next Steps:
+1. Immediately isolate the affected system to prevent lateral movement
+2. Review the threat details in SentinelOne console for threat classification and confidence score
+3. Check if the AI detection correlates with any unusual process behavior or network activity
+4. Examine memory dumps if available for fileless attack indicators
+5. Search for similar AI detections across other endpoints in the environment
+6. If confirmed as a zero-day or new variant, submit samples to threat intelligence teams
+7. Update security policies based on the AI detection patterns observed
+', '["https://www.sentinelone.com/platform/ai-powered-prevention/","https://attack.mitre.org/tactics/TA0043/","https://attack.mitre.org/techniques/T1055/"]', '(
+  regexMatch("log.eventDescription", "(?i)(ai detected|machine learning|threat hunt|hunting alert|ai threat|automated detection)") ||
+  oneOf("log.engines", ["AI", "MachineLearning", "Static AI", "Behavioral AI"]) ||
+  contains("log.threatClassificationSource", "AI")
+) &&
+exists("log.endpointDeviceName") &&
+(exists("log.threatId") || exists("log.threatName") || exists("log.threatClassification"))
+', '2026-02-09 16:29:49.676366', true, false, 'origin', null, '[]', '["lastEvent.log.accName","lastEvent.log.endpointDeviceName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (70, 'SentinelOne Behavioral Threat Detection', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects behavioral threat patterns identified by SentinelOne''s AI engine, including suspicious process behaviors, anomalous system calls, and deviations from normal endpoint activity patterns.
+
+Next Steps:
+1. Review the specific behavioral indicator that triggered the alert in log.eventDescription
+2. Identify the affected host and user account from log.syslogHost and log.destinationUser
+3. Check if the behavior is associated with legitimate software or administrative activity
+4. Investigate other recent activities from the same host for signs of compromise
+5. If confirmed malicious, isolate the endpoint and initiate incident response procedures
+6. Review SentinelOne console for additional threat details and recommended remediation actions
+7. Collect memory dumps if process injection or in-memory threats are suspected
+8. Check for persistence mechanisms that may have been established
+', '["https://www.sentinelone.com/platform/behavioral-ai/","https://attack.mitre.org/techniques/T1055/"]', '(regexMatch("log.eventDescription", "(?i)(behavioral|anomaly|suspicious behavior|abnormal|pattern detected|threat behavior|malicious activity)") || regexMatch("log.eventDescription", "(?i)(process injection|code injection|memory manipulation|hollowing)")) && exists("log.syslogHost") && exists("log.eventDescription")', '2026-02-09 16:29:49.810812', true, false, 'origin', null, '[]', '["lastEvent.log.eventDescription","lastEvent.log.syslogHost"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (81, 'SentinelOne Policy Downgraded from Protect to Detect', 3, 3, 3, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when a SentinelOne policy is downgraded from Protect mode to Detect-only mode, which stops automatic threat remediation. This is a critical defense evasion indicator as attackers with console access weaken protection before deploying malware.
+
+Next Steps:
+1. Identify the administrator who changed the policy
+2. Verify through change management if this was authorized
+3. Check for concurrent threat detections on affected endpoints
+4. Restore the Protect policy immediately if unauthorized
+5. Review admin account access for compromise
+6. Scan all affected endpoints for unmitigated threats
+', '["https://support.sentinelone.com/","https://attack.mitre.org/techniques/T1562/001/"]', '(contains("log.eventDescription", "policy") &&
+ ((contains("log.eventDescription", "Detect") && contains("log.eventDescription", "changed")) ||
+  contains("log.eventDescription", "downgrade") ||
+  (contains("log.eventDescription", "Protect") && contains("log.eventDescription", "Detect")))) ||
+(oneOf("log.activityType", ["policy_updated", "policy_changed"]) &&
+ contains("log.eventDescription", "Detect"))
+', '2026-02-09 16:29:51.340676', true, false, 'origin', null, '[]', '["lastEvent.log.activityType","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (71, 'SentinelOne Cloud Workload Protection Alert', 3, 3, 2, 'Defense Evasion, Persistence, Privilege Escalation, Initial Access', 'T1078.004 - Valid Accounts: Cloud Accounts', 'Detects cloud workload protection alerts including suspicious cloud API calls, unauthorized cloud resource access, cloud account compromise, or cloud-native threat detection.
+
+Next Steps:
+1. Review the specific cloud workload alert details in the SentinelOne console
+2. Identify the affected cloud resources (AWS, Azure, GCP) and account involved
+3. Check for any unauthorized changes to cloud configurations or resources
+4. Review cloud provider logs for the time period around the alert
+5. Verify if the activity was authorized or part of legitimate operations
+6. If suspicious, immediately revoke any compromised credentials or access keys
+7. Enable additional cloud security monitoring and alerts if not already configured
+8. Document findings and update incident response procedures as needed
+', '["https://www.sentinelone.com/platform/singularity-cloud-workload-security/","https://attack.mitre.org/techniques/T1078/004/"]', 'exists("log.eventDescription") &&
+contains("log.eventDescription", ["cloud", "aws", "azure", "gcp",
+  "lambda", "s3", "ec2", "workload"]) &&
+contains("log.eventDescription", ["threat detected", "malicious", "compromise",
+  "breach", "attack detected", "unauthorized access"]) &&
+(exists("log.threatId") || exists("log.endpointDeviceName"))
+', '2026-02-09 16:29:49.951108', true, false, 'origin', null, '[]', '["lastEvent.log.accName","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (72, 'SentinelOne Container Security Alert', 3, 3, 2, 'Defense Evasion, Execution', 'T1610 - Deploy Container', 'Detects container-related security events including container drift, unauthorized container deployment, cryptominers in containers, or suspicious container behavior.
+
+Next Steps:
+1. Identify the affected container and host system from the alert details
+2. Review the container runtime logs for additional context
+3. Check if the container is running authorized images from trusted registries
+4. Investigate any network connections or processes spawned by the container
+5. If unauthorized activity is confirmed, isolate the container and host
+6. Review container deployment policies and runtime security configurations
+7. Check for similar alerts across other container environments
+', '["https://www.sentinelone.com/platform/singularity-cloud-workload-security/","https://www.sentinelone.com/resources/cloud-workload-security-for-containers/","https://attack.mitre.org/techniques/T1610/"]', 'exists("log.eventDescription") &&
+contains("log.eventDescription", ["container", "kubernetes", "k8s",
+  "docker", "pod"]) &&
+contains("log.eventDescription", ["drift detected", "cryptominer", "malicious",
+  "breach", "unauthorized container", "container escape"]) &&
+(exists("log.threatId") || exists("log.endpointDeviceName"))
+', '2026-02-09 16:29:50.096116', true, false, 'origin', null, '[]', '["adversary.host","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (73, 'Custom Detection Rule Triggers', 3, 3, 2, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects when custom detection rules configured in SentinelOne trigger, indicating organization-specific threat patterns or policy violations have been identified. Custom rules are tailored to detect specific behaviors or patterns unique to the organization''s security requirements.
+
+Next Steps:
+1. Review the specific custom rule that triggered and understand its purpose
+2. Investigate the affected endpoint (log.syslogHost) for additional suspicious activity
+3. Check if the same custom rule has triggered on other endpoints
+4. Verify if the detection is a false positive based on the custom rule''s logic
+5. If legitimate threat activity, initiate incident response procedures
+6. Consider updating the custom rule if false positives are frequent
+', '["https://docs.sentinelone.com/","https://attack.mitre.org/techniques/T1059/"]', '(contains("log.eventDescription", ["custom rule", "custom detection", "Custom Rules"]) ||
+ equals("log.detectionSource", "CustomRule") ||
+ equals("log.ruleType", "Custom")) &&
+exists("log.syslogHost")
+', '2026-02-09 16:29:50.250725', true, false, 'origin', null, '[]', '["lastEvent.log.eventDescription","lastEvent.log.syslogHost"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (74, 'Deep Visibility Threat Indicators', 3, 3, 2, 'Defense Evasion', 'T1070 - Indicator Removal on Host', 'Detects advanced threat indicators through SentinelOne''s deep visibility monitoring. This rule triggers when specific threat-related events are detected in the SentinelOne logs.
+
+Next Steps:
+1. Review the event description to understand the specific threat indicator
+2. Check the affected host (syslogHost) for signs of compromise
+3. Investigate any associated user accounts (sourceUser, destinationUser)
+4. Review source IP addresses for suspicious origins
+5. Check if this is part of a larger attack campaign
+6. Consider isolating the affected endpoint if threat is confirmed
+', '["https://www.sentinelone.com/blog/rapid-threat-hunting-with-deep-visibility-feature-spotlight/","https://attack.mitre.org/techniques/T1070/"]', 'exists("log.eventDescription") &&
+(
+  contains("log.eventDescription", ["malware detected", "threat detected", "malicious file", "malicious process",
+    "exploit detected", "ransomware detected", "trojan detected", "backdoor detected", "rootkit detected",
+    "cryptominer detected", "worm detected", "spyware detected"]) ||
+  (contains("log.eventDescription", "threat") && oneOf("log.threatClassification", ["Malware", "Exploit", "Ransomware", "Trojan", "PUP"])) ||
+  (contains("log.eventDescription", "malicious") && exists("log.threatId"))
+) &&
+exists("log.syslogHost")
+', '2026-02-09 16:29:50.391111', true, false, 'origin', null, '[]', '["lastEvent.log.eventDescription","lastEvent.log.syslogHost"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (75, 'SentinelOne Endpoint Detection and Response (EDR) Alerts', 3, 3, 2, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Critical EDR alerts from SentinelOne including suspicious endpoint activities, unauthorized system changes, malicious command execution, and advanced persistent threat (APT) indicators. These alerts indicate potential security incidents that require immediate investigation.
+
+Next Steps:
+1. Identify the affected endpoint(s) and user accounts involved
+2. Review the specific threat details and indicators of compromise (IoCs)
+3. Check for any lateral movement or persistence mechanisms
+4. Isolate the affected endpoint(s) if necessary
+5. Collect forensic data and memory dumps if required
+6. Review related security events from the same host in the last 24-48 hours
+7. Verify if the detected activity is legitimate or false positive
+8. If confirmed malicious, initiate incident response procedures
+9. Update security controls and detection rules based on findings
+10. Document the incident and lessons learned
+', '["https://www.sentinelone.com/platform/edr/","https://attack.mitre.org/techniques/T1059/","https://attack.mitre.org/techniques/T1547/"]', '(
+  regexMatch("log.eventDescription", "(?i)(edr|endpoint detection|endpoint alert|endpoint threat|endpoint incident|suspicious endpoint|compromised endpoint|endpoint breach|endpoint attack)") ||
+  regexMatch("log.message", "(?i)(edr alert|endpoint response|incident response|threat response)")
+) &&
+(
+  regexMatch("log.eventDescription", "(?i)(critical|high|severe|malicious|unauthorized|breach)") ||
+  exists("log.destinationUser") ||
+  exists("log.endpointDeviceName")
+) &&
+exists("log.syslogHost")
+', '2026-02-09 16:29:50.520978', true, false, 'origin', null, '[]', '["lastEvent.log.endpointDeviceName","lastEvent.log.syslogHost"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (76, 'SentinelOne IoT Device Compromise Indicator', 3, 3, 2, 'Execution', 'T1203 - Exploitation for Client Execution', 'Detects indicators of IoT device compromise including unauthorized firmware modifications, suspicious network behavior from IoT devices, or anomalous IoT device activity patterns detected by SentinelOne''s Singularity Ranger. This rule triggers when IoT-related threats are identified including compromised embedded systems, firmware backdoors, industrial control system attacks, or SCADA system compromises.
+
+Next Steps:
+1. Isolate the affected IoT device immediately to prevent lateral movement
+2. Review device logs and network traffic to identify the initial compromise vector
+3. Check for firmware modifications or unauthorized configuration changes
+4. Verify if other IoT devices on the same network segment show similar indicators
+5. Update device firmware to latest secure version if available
+6. Consider factory reset and reconfiguration if compromise is confirmed
+7. Review network segmentation to ensure IoT devices are properly isolated
+8. Implement additional monitoring for IoT device communications
+', '["https://www.sentinelone.com/platform/singularity-ranger/","https://attack.mitre.org/techniques/T1203/"]', 'exists("log.eventDescription") &&
+contains("log.eventDescription", ["iot", "embedded", "firmware",
+  "industrial", "scada", "ics", "plc"]) &&
+contains("log.eventDescription", ["compromise", "malicious",
+  "backdoor", "botnet", "exploit", "infection"]) &&
+exists("log.endpointDeviceName")
+', '2026-02-09 16:29:50.665659', true, false, 'origin', null, '[]', '["lastEvent.log.endpointDeviceName","lastEvent.log.eventDescription"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (77, 'Kernel-Level Threat Detection', 3, 3, 3, 'Privilege Escalation', 'T1068 - Exploitation for Privilege Escalation', 'Detects kernel-level threats including rootkits, kernel exploits, driver manipulation, and other low-level system attacks that attempt to compromise the operating system kernel.
+
+Next Steps:
+1. Immediately isolate the affected system from the network to prevent lateral movement
+2. Verify the threat detection in SentinelOne console and check threat details
+3. Run a full system scan on the affected endpoint
+4. Check for persistence mechanisms and suspicious kernel modules/drivers
+5. Review system logs for any unauthorized kernel-level changes or driver installations
+6. If rootkit is confirmed, consider reimaging the system after forensic data collection
+7. Update endpoint protection signatures and kernel protection modules
+', '["https://attack.mitre.org/techniques/T1068/","https://attack.mitre.org/techniques/T1014/"]', 'regexMatch("log.eventDescription", "(?i)(kernel|rootkit|driver|ring.?0|system.?level)") &&
+contains("log.eventDescription", ["threat", "malicious", "exploit", "compromise",
+  "detect", "block", "prevent", "isolate"])
+', '2026-02-09 16:29:50.790849', true, false, 'origin', null, '[]', '["lastEvent.log.eventDescription","lastEvent.log.syslogHost"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (78, 'Memory Injection Detection', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects memory injection attempts including DLL injection, process hollowing, reflective DLL injection, and other in-memory attack techniques detected by SentinelOne.
+
+Next Steps:
+1. Immediately isolate the affected system to prevent lateral movement
+2. Identify the injected process and the target process from the alert details
+3. Check for persistence mechanisms on the affected system
+4. Review SentinelOne console for additional threat indicators and related events
+5. Collect memory dump if possible for forensic analysis
+6. Check if the injection technique matches known threat actor TTPs
+7. Review network connections from the affected system for C2 communication
+8. Ensure SentinelOne remediation actions have been applied successfully
+', '["https://attack.mitre.org/techniques/T1055/","https://attack.mitre.org/techniques/T1055/001/"]', 'regexMatch("log.eventDescription", "(?i)(memory.injection|dll.injection|process.injection|reflective.dll|process.hollow|code.injection|thread.hijack|injection.detected|malicious.injection)") ||
+regexMatch("log.eventDescToParse", "(?i)(memory.injection|dll.injection|process.injection|reflective.dll|process.hollow|code.injection|thread.hijack|injection.detected|malicious.injection)")
+', '2026-02-09 16:29:50.930852', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (79, 'SentinelOne Rollback Operation Patterns Detection', 2, 3, 3, 'Impact', 'T1490 - Inhibit System Recovery', 'Detects rollback operations in SentinelOne that may indicate ransomware recovery attempts or suspicious rollback activity. Rollback operations are critical system recovery events that should be monitored for both legitimate recovery and potential abuse scenarios.
+
+Next Steps:
+1. Verify if the rollback operation was authorized by checking with the system administrator
+2. Check if there were any ransomware or malware detections on the affected system prior to the rollback
+3. Review the system logs to understand what changes were rolled back
+4. Confirm the identity of the user who initiated the rollback operation
+5. If unauthorized, investigate potential system compromise and consider isolating the affected endpoint
+6. Document the rollback operation and its justification for compliance purposes
+', '["https://www.cybervigilance.uk/insights/sentinelone-how-does-rollback-work","https://attack.mitre.org/techniques/T1490/"]', 'regexMatch("log.eventDescription", ".*[Rr]ollback.*") && (equals("log.activityType", "rollback") || exists("log.rollbackStatus") || equals("log.cat", "SystemEvent"))', '2026-02-09 16:29:51.066689', true, false, 'origin', null, '[]', '["lastEvent.log.endpointDeviceName","lastEvent.log.syslogHost"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (80, 'SentinelOne Suspicious Exclusion Addition', 3, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects suspicious additions to SentinelOne exclusion or allowlist entries, which attackers abuse to prevent detection of their malware or tools after gaining console access.
+
+Next Steps:
+1. Review the specific exclusion or allowlist entry that was added
+2. Identify the administrator who made the change
+3. Check if the excluded path or hash corresponds to known malware
+4. Verify the change through change management records
+5. Remove unauthorized exclusions immediately
+6. Audit the admin account for compromise indicators
+7. Scan endpoints for threats in previously excluded locations
+', '["https://support.sentinelone.com/","https://attack.mitre.org/techniques/T1562/001/"]', '((contains("log.eventDescription", "exclusion") || contains("log.eventDescription", "allowlist") ||
+  contains("log.eventDescription", "whitelist") || contains("log.eventDescription", "exception")) &&
+ (contains("log.eventDescription", "added") || contains("log.eventDescription", "created") ||
+  contains("log.eventDescription", "modified"))) ||
+oneOf("log.activityType", ["exclusion_created", "whitelist_created", "exclusion_modified"])
+', '2026-02-09 16:29:51.216052', true, false, 'origin', null, '[]', '["lastEvent.log.activityType","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (189, 'AWS Config Service Tampering', 3, 2, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html","https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"]', 'equals("log.eventSource", "config.amazonaws.com") &&
+oneOf("log.eventName", ["DeleteConfigRule", "DeleteOrganizationConfigRule",
+"DeleteConfigurationAggregator", "DeleteConfigurationRecorder",
+"DeleteConformancePack", "DeleteOrganizationConformancePack",
+"DeleteDeliveryChannel", "DeleteRemediationConfiguration",
+"DeleteRetentionConfiguration"])
+', '2026-02-09 16:32:22.626343', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (83, 'Suspicious Process Tree Analysis', 3, 3, 1, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects suspicious process tree patterns identified by SentinelOne, including unusual parent-child relationships, process hollowing, and malicious process chains commonly used in attacks.
+
+Next Steps:
+1. Review the process tree details in the SentinelOne console to understand the parent-child relationships
+2. Identify the affected host from log.syslogHost and the user account from log.destinationUser
+3. Check if the process chain is associated with legitimate software or administrative activity
+4. Look for indicators of process injection, hollowing, or other malicious techniques
+5. Investigate other recent process creation events on the same host
+6. If confirmed malicious, isolate the endpoint and terminate the suspicious processes
+7. Review the threat storyline in SentinelOne for full attack context
+8. Collect memory dumps if advanced analysis is required
+', '["https://attack.mitre.org/techniques/T1055/","https://attack.mitre.org/techniques/T1057/"]', '(contains("log.eventDescription", ["process tree", "parent", "process chain",
+  "process spawn", "suspicious process", "abnormal process", "process anomaly"]) ||
+ contains("log.threatName", ["process", "injection", "hollow"]) ||
+ contains("log.mitigationMode", "process")) &&
+exists("log.syslogHost")
+', '2026-02-09 16:29:51.656042', true, false, 'origin', null, '[]', '["lastEvent.log.syslogHost","lastEvent.log.threatId"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (84, 'SentinelOne Suspicious Script Execution Detected', 3, 3, 2, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects suspicious script execution activities including PowerShell, Python, Bash, or other scripting interpreters that may indicate malicious activity or fileless attacks. SentinelOne''s behavioral detection engine identifies these patterns as potential threats that could compromise system integrity.
+
+Next Steps:
+1. Review the specific script or command that triggered the alert in the SentinelOne console
+2. Check if the script execution is authorized and part of normal operations
+3. Investigate the process tree to understand the parent process and execution chain
+4. Look for encoded or obfuscated commands within the script content
+5. Check for persistence mechanisms or scheduled tasks created by the script
+6. Review network connections initiated by the script process
+7. If confirmed malicious, isolate the affected endpoint and perform threat hunting across the environment
+', '["https://www.sentinelone.com/platform/singularity-cloud-workload-security/","https://attack.mitre.org/techniques/T1059/"]', 'exists("log.eventDescription") &&
+(
+  contains("log.eventDescription", ["malicious script", "suspicious script", "fileless attack", "suspicious process"]) ||
+  (contains("log.eventDescription", ["powershell", "cmd.exe", "bash", "python", "wscript", "cscript"]) &&
+   contains("log.eventDescription", ["encoded", "obfuscated", "download", "bypass", "invoke", "hidden", "base64", "exploit"]))
+) &&
+exists("log.endpointDeviceName")
+', '2026-02-09 16:29:51.810914', true, false, 'origin', null, '[]', '["lastEvent.log.endpointDeviceName","lastEvent.log.eventDescription"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (85, 'Threat Intelligence Matches', 2, 2, 2, 'Execution', 'T1203 - Exploitation for Client Execution', 'Detects matches against threat intelligence feeds including known malicious hashes, IPs, domains, and behavioral patterns associated with APT groups and cybercrime campaigns. This indicates that SentinelOne has identified a file, behavior, or network connection that matches known threat indicators.
+
+Next Steps:
+1. Immediately isolate the affected endpoint to prevent lateral movement
+2. Review the threat intelligence match details to understand the specific indicator that was matched
+3. Check if the same hash or threat indicator has been seen on other endpoints
+4. Investigate the process tree and parent processes that led to this detection
+5. Review network connections from the affected host for potential C2 communications
+6. If a file hash match, search for the same hash across all endpoints
+7. Contact threat intelligence team for additional context on the matched indicator
+8. Preserve forensic evidence before remediation
+9. Review file reputation scores and threat classification details
+10. Analyze the timeline of events leading to the threat intelligence match
+11. Check for any related indicators of compromise (IoCs) in the environment
+12. Verify if this is a false positive by cross-referencing with other security tools
+', '["https://www.sentinelone.com/blog/decrypting-sentinelone-cloud-detection-the-threat-intelligence-engine-in-real-time-cwpp/","https://attack.mitre.org/techniques/T1203/"]', 'exists("log.externalthreatvalue") || (exists("log.filecontenthash") && greaterOrEqual("log.confidencelevel", 90)) || contains("log.dveventtype", "threat_intel") || contains("log.eventDescription", "reputation")', '2026-02-09 16:29:51.946540', true, false, 'origin', null, '[]', '["lastEvent.log.externalthreatvalue","lastEvent.log.filecontenthash","lastEvent.log.syslogHost"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (86, 'SentinelOne Threat Mitigation Failures', 2, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects failed threat mitigation attempts in SentinelOne, which could indicate advanced malware evading remediation, system compromise preventing cleanup, or configuration issues. Failed mitigations require immediate investigation.
+
+Next Steps:
+1. Immediately isolate the affected endpoint to prevent potential spread
+2. Review the specific threat details and mitigation failure reason in SentinelOne console
+3. Check if the agent has the latest version and policies are up to date
+4. Verify system integrity - check for rootkits or system-level compromise
+5. Consider manual remediation using SentinelOne''s threat hunting capabilities
+6. If persistent failures occur, engage incident response team for deep forensic analysis
+7. Document the threat indicators for future detection improvements
+', '["https://support.sentinelone.com/hc/en-us/articles/360004195934-Threat-Mitigation-Status","https://attack.mitre.org/techniques/T1562/"]', '(contains("log.eventDescription", "mitigation") && contains("log.eventDescription", "fail")) ||
+(contains("log.eventDescription", "remediation") && contains("log.eventDescription", "fail")) ||
+contains("log.mitigationStatus", "fail") ||
+equals("log.threatStatus", "mitigation_failed") ||
+(equals("log.activityType", "mitigation") && equals("log.status", "failed"))
+', '2026-02-09 16:29:52.081163', true, false, 'origin', null, '[]', '["lastEvent.log.agentId","lastEvent.log.threatId"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (100, 'Meraki IDS High Priority Intrusion Alert', 3, 3, 2, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects high and medium priority intrusion detection alerts from Meraki IDS/IPS system. These alerts indicate potential exploitation attempts, malicious traffic patterns, or known attack signatures detected by the Snort engine.
+
+Next Steps:
+1. Review the specific signature that triggered the alert and assess its severity
+2. Investigate the source IP for additional malicious activity or reputation
+3. Check if the destination system shows signs of compromise
+4. Verify if this is part of a larger attack campaign by correlating with other security events
+5. Consider blocking the source IP if confirmed malicious
+6. Review firewall rules and IPS signatures for potential tuning
+7. Document the incident and update threat intelligence feeds if applicable
+', '["https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples","https://attack.mitre.org/techniques/T1190/"]', 'equals("log.eventType", "security_event") && 
+equals("log.alertType", "ids_alerted") &&
+lessOrEqual("log.priority", 2) &&
+exists("origin.ip") &&
+exists("target.ip")
+', '2026-02-09 16:30:30.231345', true, false, 'origin', null, '[]', '["lastEvent.log.signature","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (87, 'Botnet Command and Control Traffic Detected', 3, 2, 1, 'Command and Control', 'T1071 - Application Layer Protocol', 'Detects botnet command and control traffic identified by Cisco ASA''s dynamic filter/botnet database. Message IDs 338001-338002 indicate blacklisted traffic from/to malicious addresses. This could indicate compromised hosts communicating with known botnet infrastructure.
+
+Next Steps:
+1. Immediately isolate the affected host(s) to prevent further communication with C2 infrastructure
+2. Review the source IP address (origin.ip) to identify the compromised internal host
+3. Check the destination IP/domain against threat intelligence sources to confirm malicious nature
+4. Examine other logs from the affected host for signs of initial compromise or lateral movement
+5. Run full antivirus/anti-malware scans on the affected system
+6. Review DNS logs for additional suspicious queries from the same host
+7. Check for any data exfiltration attempts or unusual outbound traffic patterns
+8. Consider reimaging the affected system if compromise is confirmed
+', '["https://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/asa-botnet.pdf","https://attack.mitre.org/techniques/T1071/"]', 'oneOf("log.messageId", ["338001", "338002"])
+|| regexMatch("log.message", "botnet.*(detected|blocked|dropped)")
+|| contains("log.message", "dynamic filter blacklisted")
+|| contains("log.message", "malicious address")
+', '2026-02-09 16:30:28.066072', true, false, 'origin', null, '[]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (88, 'IPS Signature Match - Malicious Pattern Detected', 3, 3, 2, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects when ASA IPS features identify malicious patterns in network traffic. Message ID 108003 indicates ESMTP/SMTP connections terminated due to malicious patterns. Also monitors for general IPS/IDS signature matches and threat intelligence hits.
+
+Next Steps:
+1. Review the specific IPS signature that was triggered and understand its severity
+2. Investigate the source IP address for reputation and previous malicious activity
+3. Check if the target system shows any signs of compromise
+4. Review firewall logs for any successful connections from the same source
+5. Consider blocking the source IP if multiple signatures are triggered
+6. Verify that IPS signatures are up-to-date
+7. Document the incident and any actions taken
+', '["https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html","https://attack.mitre.org/techniques/T1190/"]', 'equals("log.messageId", "108003")
+|| (contains("log.message", "malicious pattern") && contains("log.message", ["detected", "terminated", "blocked"]))
+|| (contains("log.message", "IPS") && contains("log.message", "signature") && contains("log.message", ["matched", "triggered", "detected"]))
+|| oneOf("log.action", ["ips_alert", "ids_alert", "threat_detected"])
+', '2026-02-09 16:30:28.342799', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-cisco-asa-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":3}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (89, 'ARP Poisoning Attack Detection', 3, 3, 2, 'Credential Access, Collection', 'T1557.002 - Adversary-in-the-Middle: ARP Cache Poisoning', 'Detects potential ARP poisoning attacks by monitoring for invalid ARP packets, DHCP snooping violations, and gratuitous ARP abuse. These attacks can enable man-in-the-middle attacks by corrupting the ARP cache of network devices and redirecting network traffic through an attacker-controlled system.
+
+Next Steps:
+1. Identify the source MAC and IP addresses involved in the suspicious ARP activity
+2. Check if the source device is authorized to be on the network segment
+3. Review DHCP snooping and dynamic ARP inspection logs for additional violations
+4. Verify if legitimate network changes (new devices, IP changes) may have triggered the alert
+5. If confirmed malicious, immediately isolate the affected switch port and investigate the compromised device
+6. Review network traffic for signs of data interception, credential harvesting, or traffic redirection
+7. Update switch security configurations (enable port security, DHCP snooping, DAI if not already enabled)
+8. Consider implementing additional network segmentation to limit attack impact
+', '["https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html","https://attack.mitre.org/techniques/T1557/002/"]', '(equals("log.facility", "SW_DAI") && oneOf("log.facilityMnemonic", ["INVALID_ARP", "DHCP_SNOOPING_DENY", "ACL_DENY"]))
+|| (equals("log.facility", "IP") && oneOf("log.facilityMnemonic", ["DUPADDR", "SOURCEGUARD"]))
+|| contains("log.message", ["invalid arp", "arp inspection drop", "dhcp snooping deny", "gratuitous arp", "arp reply not request", "duplicate ip address", "IP source guard deny", "arp packet validation failed"])
+|| (lessOrEqual("log.severity", 3) && contains("log.message", ["arp spoofing", "arp poison", "man in the middle"]))
+', '2026-02-09 16:30:28.510824', true, false, 'origin', null, '[{"indexPattern":"v11-log-cisco-switch-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-10m","count":5}]', '["adversary.ip","adversary.mac"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (90, 'MAC Address Spoofing Detection', 2, 3, 1, 'Initial Access', 'MAC Spoofing', 'Detects potential MAC address spoofing attempts by monitoring for MAC address flapping between ports, duplicate MAC addresses, or MAC addresses appearing on unexpected ports. This could indicate an attacker attempting to impersonate legitimate devices.
+
+Next Steps:
+1. Identify the affected MAC address and ports involved in the flapping
+2. Check if the MAC address belongs to a legitimate device that may be moving between ports
+3. Review switch logs for any unauthorized configuration changes
+4. Verify if port security or dynamic ARP inspection is properly configured
+5. Investigate the source device and check for signs of ARP spoofing tools
+6. Consider implementing port security to limit MAC addresses per port
+7. Enable DHCP snooping and dynamic ARP inspection if not already configured
+', '["https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html","https://attack.mitre.org/techniques/T1200/"]', '(equals("log.facility", "SW_MATM") && equals("log.facilityMnemonic", "MACFLAP_NOTIF"))
+|| (equals("log.facility", "SW_DAI") && oneOf("log.facilityMnemonic", ["INVALID_ARP", "DHCP_SNOOPING_DENY"]))
+|| regexMatch("log.message", "(?i)(mac.*flap|duplicate.*mac|mac.*move.*between.*port)")
+|| regexMatch("log.message", "(?i)(Host [0-9a-fA-F:.]+.*is flapping between port)")
+|| (lessOrEqual("log.severity", 4) && regexMatch("log.message", "(?i)(mac.*address.*conflict|duplicate.*address.*detected)"))
+', '2026-02-09 16:30:28.645936', true, false, 'origin', null, '[{"indexPattern":"v11-log-cisco-switch-*","with":[{"field":"origin.mac","operator":"filter_term","value":"{{origin.mac}}"}],"or":null,"within":"now-10m","count":3}]', '["adversary.mac"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (112, 'Azure AD Anomalous Token Detection', 3, 2, 1, 'Credential Access', 'T1528 - Steal Application Access Token', 'Detects Azure Identity Protection alerts for anomalous tokens with unusual lifetime, unfamiliar locations, or other suspicious properties. These indicate potential token theft or manipulation.
+
+Next Steps:
+1. Review the token properties that triggered the anomaly detection
+2. Check the user''s recent sign-in activity for suspicious patterns
+3. Verify the source IP and device used for the authentication
+4. Check for impossible travel or unfamiliar location patterns
+5. If compromise is suspected, revoke all refresh tokens for the user
+6. Force MFA re-registration if MFA token was compromised
+7. Review conditional access policies for token protection gaps
+', '["https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks","https://attack.mitre.org/techniques/T1528/"]', 'contains("log.operationName", "Anomalous Token") ||
+(contains("log.properties", "riskEventType") && contains("log.properties", "anomalousToken"))
+', '2026-02-09 16:31:14.845619', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (91, 'Multiple Failed VPN Authentication Attempts', 3, 2, 1, 'Credential Access', 'T1110 - Brute Force', 'Detects multiple failed VPN authentication attempts from the same source IP address, which could indicate a brute force attack or password guessing attempt against VPN credentials.
+
+Next Steps:
+- Review the source IP address and check if it is known or authorized
+- Check for successful authentication attempts from the same IP after failed attempts
+- Verify if the targeted user accounts exist and are active
+- Consider temporarily blocking the source IP if attack continues
+- Review VPN access logs for any unusual patterns or other indicators
+- Contact the user if the IP is associated with a legitimate user to verify activity
+', '["https://attack.mitre.org/techniques/T1110/","https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html"]', '(equals("log.messageId", "113015") || 
+ equals("log.messageId", "113021") || 
+ equals("log.messageId", "109034") ||
+ equals("log.messageId", "611102")) && 
+exists("origin.ip") &&
+(regexMatch("log.reason", "(?i)(invalid|failed|rejected|authentication)") ||
+ regexMatch("log.message", "(?i)(authentication.*failed|invalid.*password)"))
+', '2026-02-09 16:30:28.806480', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-cisco-asa-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.messageId","operator":"filter_term","value":"113015"}],"or":[{"indexPattern":"v11-log-firewall-cisco-asa-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.messageId","operator":"filter_term","value":"113021"}],"or":null,"within":"now-15m","count":10},{"indexPattern":"v11-log-firewall-cisco-asa-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.messageId","operator":"filter_term","value":"109034"}],"or":null,"within":"now-15m","count":10},{"indexPattern":"v11-log-firewall-cisco-asa-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.messageId","operator":"filter_term","value":"611102"}],"or":null,"within":"now-15m","count":10}],"within":"now-15m","count":10}]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (92, 'VLAN Hopping Attack Detection', 3, 3, 2, 'Defense Evasion', 'T1599 - Network Boundary Bridging', 'Detects potential VLAN hopping attacks through switch spoofing or double tagging. Monitors for DTP negotiation attempts, trunk port changes, or multiple VLAN tags that could indicate an attacker trying to gain unauthorized access to other VLANs.
+
+Next Steps:
+1. Immediately identify the affected switch port and connected device
+2. Review switch configuration for DTP enabled ports and disable where not needed
+3. Check trunk port configurations and ensure proper native VLAN settings
+4. Verify VLAN access lists and ensure proper segmentation
+5. Investigate the source MAC address for any previous suspicious activity
+6. Review network topology to assess potential lateral movement paths
+7. Consider implementing VLAN ACLs or private VLANs for additional protection
+8. Document the incident and update switch hardening procedures
+', '["https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html","https://attack.mitre.org/techniques/T1599/"]', '(equals("log.facility", "SW_VLAN") && oneOf("log.facilityMnemonic", ["VLAN_INCONSISTENCY", "MACFLAP_NOTIF", "TRUNK_MODE_CHANGE"]))
+|| (equals("log.facility", "DTP") && oneOf("log.facilityMnemonic", ["NONTRUNKPORTON", "DOMAINMISMATCH", "TRUNKPORTON"]))
+|| regexMatch("log.message", "(?i)(received 802.1Q BPDU on non trunk|native vlan mismatch|inconsistent vlan|double tag)")
+|| (lessOrEqual("log.severity", 4) && regexMatch("log.message", "(?i)(vlan.*tag.*tag|switch.*spoofing|dtp.*negotiation)"))
+', '2026-02-09 16:30:29.021128', true, false, 'origin', null, '[]', '["adversary.ip","adversary.mac"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (93, 'Advanced Malware Protection (AMP) Alert Detection', 3, 3, 2, 'Initial Access', 'T1566 - Phishing', 'Detects when Cisco Firepower Advanced Malware Protection (AMP) identifies malware or malicious files, including retrospective detections and high threat score files. This rule triggers on various malware dispositions including confirmed malware, custom detections, retrospective malware (files later identified as malicious), and files with high threat scores (>=70).
+
+Next Steps:
+1. Identify the affected host using the origin.ip and log.deviceName fields
+2. Review the file hash (log.sha256) in threat intelligence databases
+3. Check if the malware was successfully blocked or if remediation is needed
+4. Look for lateral movement attempts from the affected host
+5. Verify if other hosts accessed the same malicious file
+6. Consider isolating the affected system if malware execution is confirmed
+7. Review the file trajectory to understand the infection vector
+8. Update endpoint protection rules to prevent similar infections
+', '["https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/file_malware_events_and_network_file_trajectory.html","https://attack.mitre.org/techniques/T1566/"]', 'equals("log.eventType", "MALWARE_EVENT") && 
+(equals("log.disposition", "MALWARE") || 
+ equals("log.disposition", "CUSTOM_DETECTION") ||
+ equals("log.disposition", "RETROSPECTIVE_MALWARE") ||
+ greaterOrEqual("log.threatScore", 70))
+', '2026-02-09 16:30:29.155770', true, false, 'origin', null, '[]', '["lastEvent.log.sha256","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (94, 'Intrusion Prevention System High Priority Events', 3, 3, 3, 'Execution', 'T1203 - Exploitation for Client Execution', 'Detects high priority IPS events from Cisco Firepower indicating potential exploitation attempts, zero-day attacks, or critical vulnerabilities being targeted. These events represent immediate threats that require urgent investigation.
+
+Next Steps:
+1. Immediately isolate the affected system if the attack was successful
+2. Review the specific signature ID and classification to understand the attack vector
+3. Check if the target system shows signs of compromise (unusual processes, network connections, file modifications)
+4. Analyze firewall logs to determine if the attack was blocked or if any malicious traffic passed through
+5. Search for similar attempts from the same source IP across other systems
+6. Update IPS signatures and ensure all systems are patched against the exploited vulnerability
+7. Consider blocking the source IP if it shows persistent malicious behavior
+8. Document the incident and update security controls based on findings
+', '["https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/intrusion-overview.html","https://attack.mitre.org/techniques/T1203/"]', 'equals("log.eventType", "IPS_EVENT") && 
+(equals("log.priority", 1) || 
+ lessOrEqual("log.severity", 2) ||
+ equals("log.impact", "HIGH") ||
+ contains("log.classification", "attempted-admin") ||
+ contains("log.classification", "attempted-user") ||
+ contains("log.classification", "web-application-attack") ||
+ contains("log.classification", "exploit-kit"))
+', '2026-02-09 16:30:29.271077', true, false, 'origin', null, '[]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (101, 'Meraki Client VPN Brute Force Attempts', 3, 2, 1, 'Credential Access', 'T1110 - Brute Force', 'Detects multiple failed client VPN authentication attempts from the same source IP on Meraki MX appliances, indicating potential brute force attacks against VPN credentials.
+
+Next Steps:
+1. Review the source IP address and check geographic location
+2. Verify if the targeted user account exists and is active
+3. Check for any successful VPN connections from the same IP
+4. Consider blocking the source IP at the MX appliance
+5. Review VPN authentication settings and ensure MFA is enabled
+6. Notify the targeted user if the account is legitimate
+', '["https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview","https://attack.mitre.org/techniques/T1110/"]', '(oneOf("log.eventType", ["vpn_auth_failure", "client_vpn_auth_failure"]) ||
+ (contains("log.message", "VPN") && contains("log.message", ["auth fail", "authentication failed", "invalid credentials"]))) &&
+exists("origin.ip")
+', '2026-02-09 16:30:30.391049', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-meraki-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":10}]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (95, 'Firepower IOC (Indicator of Compromise) Detection', 3, 3, 2, 'Initial Access', 'T1566 - Phishing', 'Detects when Firepower identifies an Indicator of Compromise (IOC), indicating a host may be infected with malware or compromised. IOCs can include file hashes, malware signatures, or behavioral patterns that suggest malicious activity.
+
+Next Steps:
+1. Immediately isolate the affected host from the network to prevent lateral movement
+2. Review the specific IOC details including threat name, SHA256 hash, and file path
+3. Search for the same IOC across other endpoints in your environment
+4. Check if the affected host has made any suspicious network connections recently
+5. Collect memory dumps and disk images for forensic analysis if required
+6. Review user activity logs to identify potential initial compromise vector
+7. Update antivirus signatures and threat intelligence feeds with new IOC data
+8. Perform deep scan of the affected system and related network segments
+9. Consider reimaging the affected system after complete evidence collection
+10. Update security controls to prevent similar future compromises
+', '["https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/file_malware_events_and_network_file_trajectory.html","https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1566/"]', '(equals("log.eventType", "AMP_IOC") || equals("log.eventType", "IOC_DETECTED") || contains("log.message", "indication of compromise") || contains("log.message", "IOC")) && exists("origin.ip") && (exists("log.threatName") || exists("log.sha256") || exists("log.fileName"))', '2026-02-09 16:30:29.425739', true, false, 'origin', null, '[]', '["adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (96, 'Threat Intelligence Director (TID) Alert Detection', 3, 3, 2, 'Command and Control', 'T1071.001 - Application Layer Protocol: Web Protocols', 'Detects when Cisco Firepower Threat Intelligence Director identifies connections to known malicious indicators including IPs, domains, URLs, and SHA256 hashes from threat feeds. This rule triggers when TID blocks or would block connections based on threat intelligence matches with high confidence scores.
+
+Next Steps:
+- Immediately isolate the affected system if the connection was not blocked
+- Review the specific threat indicator (IP/domain/URL/hash) that triggered the alert
+- Check the threat category and score to understand the severity
+- Investigate all recent network activity from the source IP address
+- Search for similar indicators across other systems in the network
+- Review endpoint logs for signs of malware or suspicious processes
+- If a file hash triggered the alert, locate and quarantine the file
+- Check if other systems have communicated with the same malicious indicator
+- Update firewall rules to ensure the indicator is blocked network-wide
+- Report the incident to the security team for further investigation
+', '["https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/tid_overview.html","https://attack.mitre.org/techniques/T1071/"]', 'equals("log.eventType", "TID_EVENT") && 
+(equals("log.action", "BLOCK") || 
+ equals("log.action", "WOULD_BLOCK") ||
+ exists("log.tidIndicatorType")) &&
+(exists("log.tidCategory") || 
+ greaterOrEqual("log.threatScore", 80))
+', '2026-02-09 16:30:29.586003', true, false, 'origin', null, '[]', '["lastEvent.log.tidIndicator","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (97, 'Command and Control on Non-Standard Ports', 3, 2, 1, 'Command and Control', 'T1571 - Non-Standard Port', 'Detects connections on non-standard ports that may indicate command and control (C2) communication. Identifies HTTP traffic on non-HTTP ports, encrypted traffic on unexpected ports, and application protocol mismatches detected by Firepower''s application identification engine.
+
+Next Steps:
+1. Investigate the internal host initiating the suspicious connection
+2. Review the destination IP against threat intelligence feeds
+3. Analyze the application identification results for protocol anomalies
+4. Check if the destination port is commonly used for C2 frameworks
+5. Examine the connection duration and data transfer patterns
+6. Consider blocking the destination IP and scanning the internal host
+', '["https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/connection-log-fields.html","https://attack.mitre.org/techniques/T1571/"]', 'exists("log.appProto") &&
+exists("origin.ip") &&
+exists("target.ip") &&
+((contains("log.appProto", "HTTP") && !oneOf("target.port", [80, 443, 8080, 8443, 8000, 8888])) ||
+ (contains("log.appProto", "SSL") && !oneOf("target.port", [443, 8443, 993, 995, 465, 636])) ||
+ equals("log.appProto", "unknown-tcp")) &&
+equals("log.initiatorPackets", true)
+', '2026-02-09 16:30:29.766810', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-cisco-firepower-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"target.ip","operator":"filter_term","value":"{{target.ip}}"}],"or":null,"within":"now-1h","count":5}]', '["adversary.ip","target.ip","target.port"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (98, 'Meraki Advanced Malware Protection Alert', 3, 3, 2, 'Execution', 'T1204.002 - User Execution: Malicious File', 'Detects when Meraki Advanced Malware Protection (AMP) identifies malicious files being downloaded or executed on the network. This includes retrospective alerts where files previously considered safe are later identified as malicious.
+
+Next Steps:
+1. Immediately isolate the affected system(s) from the network to prevent lateral movement
+2. Review the malware details including file hash, name, and threat severity in the Meraki dashboard
+3. Check if the malicious file was executed or only downloaded
+4. Scan other systems for the same file hash to identify additional infections
+5. Review network traffic logs from the affected IP for suspicious communications
+6. If file was executed, perform full system scan and consider reimaging the affected device
+7. Update endpoint protection signatures and ensure all systems are patched
+8. Document the incident and update security policies if needed
+', '["https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Advanced_Malware_Protection_(AMP)","https://attack.mitre.org/techniques/T1204/002/"]', 'equals("log.eventType", "security_event") && 
+(contains("log.message", "malware") || 
+ contains("log.message", "AMP") || 
+ contains("log.message", "malicious") ||
+ equals("log.action", "malware_blocked") ||
+ contains("log.eventName", "Advanced Malware Protection")) &&
+exists("origin.ip")
+', '2026-02-09 16:30:29.926286', true, false, 'origin', null, '[]', '["adversary.hostname","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (99, 'Air Marshal Rogue Access Point Detection', 3, 3, 2, 'Initial Access', 'T1200 - Hardware Additions', 'Detects when Meraki Air Marshal identifies rogue access points or unauthorized SSIDs in the wireless environment. This could indicate malicious wireless infrastructure attempting to intercept traffic or perform man-in-the-middle attacks.
+
+Next Steps:
+1. Verify if the detected BSSID and SSID are known legitimate access points that may not be properly registered
+2. Check the RSSI value to determine proximity - higher values indicate the rogue AP is closer to your infrastructure
+3. Use wireless scanning tools to physically locate the rogue access point using the BSSID
+4. Review network traffic logs for any suspicious connections to unknown wireless networks
+5. Check if any sensitive data might have been exposed through connections to the rogue AP
+6. Consider implementing MAC address filtering or 802.1X authentication to prevent unauthorized connections
+7. Document the incident and update the wireless security policy if needed
+', '["https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal","https://attack.mitre.org/techniques/T1200/"]', 'equals("log.eventType", "airmarshal_events") &&
+equals("log.type", "rogue_ssid_detected") &&
+exists("log.bssid") &&
+greaterOrEqual("log.rssi", -50)
+', '2026-02-09 16:30:30.091477', true, false, 'origin', null, '[]', '["adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (102, 'Evil Twin Access Point Detection', 3, 3, 1, 'Wireless Security', 'T1557 - Adversary-in-the-Middle', 'Detects evil twin attacks where a rogue access point mimics a legitimate corporate SSID to intercept wireless traffic. Meraki Air Marshal identifies spoofed SSIDs that match corporate network names but originate from unauthorized hardware.
+
+Next Steps:
+1. Verify the detected SSID against authorized access point inventory
+2. Check the BSSID (MAC address) against known Meraki access points
+3. Use Air Marshal containment features to prevent client connections
+4. Physically locate the rogue AP using signal strength triangulation
+5. Check if any clients have connected to the rogue AP
+6. Review network traffic from affected clients for signs of credential theft
+', '["https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal","https://attack.mitre.org/techniques/T1557/"]', 'equals("log.eventType", "airmarshal_events") &&
+(equals("log.type", "ssid_spoofing") ||
+ equals("log.type", "rogue_ssid_detected") ||
+ (contains("log.message", "SSID Spoofing") || contains("log.message", "Evil Twin"))) &&
+exists("log.bssid")
+', '2026-02-09 16:30:30.561264', true, false, 'origin', null, '[]', '["lastEvent.log.bssid","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (103, 'Rogue SSID Detection', 3, 3, 2, 'Initial Access', 'T1200 - Hardware Additions', 'Detects when a rogue SSID is identified in the wireless environment. This could indicate an evil twin attack or unauthorized access point deployment attempting to intercept wireless traffic or credentials.
+
+Next Steps:
+1. Immediately investigate the rogue access point''s physical location using the MAC address
+2. Check if the rogue SSID name matches legitimate corporate SSIDs (potential evil twin attack)
+3. Verify if the rogue AP is broadcasting from an unauthorized location
+4. Review wireless client connection logs for any devices that may have connected to the rogue SSID
+5. Consider performing a physical sweep of the area to locate and remove the unauthorized device
+6. Update wireless intrusion detection policies if needed
+7. Notify security team and facilities management for potential physical security breach
+', '["https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples","https://attack.mitre.org/techniques/T1200/"]', 'equals("log.eventType", "rogue_ssid_detected") || 
+(equals("log.type", "airmarshal_events") && 
+ equals("log.subtype", "rogue_ssid_detected")) ||
+(contains("log.message", "rogue") && 
+ contains("log.message", "SSID"))
+', '2026-02-09 16:30:30.715429', true, false, 'origin', null, '[]', '["adversary.mac"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (104, 'Wireless Intrusion Attempts', 3, 3, 2, 'Reconnaissance', 'T1595.002 - Active Scanning: Vulnerability Scanning', 'Detects wireless intrusion attempts including deauthentication attacks, association floods, and other wireless-specific attack patterns that could compromise the wireless network integrity.
+
+Next Steps:
+1. Review the wireless access point logs for the affected device
+2. Identify the source MAC address and physical location if possible
+3. Check for unauthorized devices or rogue access points in the vicinity
+4. Verify wireless security configurations and update if necessary
+5. Consider implementing additional wireless monitoring and detection capabilities
+6. Document the incident and update security policies if needed
+', '["https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples","https://attack.mitre.org/techniques/T1595/002/"]', 'equals("log.eventType", "wids_alerted") ||
+(equals("log.type", "airmarshal_events") && 
+ (contains("log.subtype", "attack") || 
+  contains("log.subtype", "flood") ||
+  contains("log.subtype", "deauth"))) ||
+(contains("log.message", "deauthentication attack") ||
+ contains("log.message", "association flood") ||
+ contains("log.message", "wireless intrusion"))
+', '2026-02-09 16:30:30.871093', true, false, 'origin', '["adversary.ip","target.mac"]', '[]', null);
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (105, 'Azure AKS Container Security Threat Detection', 3, 3, 2, 'Execution', 'T1610 - Deploy Container', 'Detects suspicious container operations in Azure Kubernetes Service (AKS) including privileged pod creation, container exec commands, and potential container escape attempts. These activities may indicate an attacker attempting to deploy malicious workloads or escape container isolation.
+
+Next Steps:
+1. Review the Kubernetes audit logs for the specific pod or container operation
+2. Check if the container image is from an approved registry
+3. Verify the service account and RBAC permissions used for the operation
+4. Examine pod security context for privileged flags, host network, or host PID access
+5. Review the container command for suspicious payloads or reverse shells
+6. If unauthorized, delete the pod and investigate the cluster for further compromise
+7. Implement Azure Policy for AKS to enforce pod security standards
+8. Enable Microsoft Defender for Containers for runtime protection
+', '["https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction","https://attack.mitre.org/techniques/T1610/"]', '(contains("log.operationName", "Microsoft.ContainerService") ||
+ contains("log.operationName", "MICROSOFT.KUBERNETES")) &&
+(contains("log.operationName", "write") ||
+ contains("log.operationName", "create") ||
+ contains("log.operationName", "exec")) &&
+equals("log.resultType", "Success")
+', '2026-02-09 16:31:13.707278', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.operationName","operator":"filter_match","value":"Container"}],"or":null,"within":"now-30m","count":10}]', '["lastEvent.log.operationName","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (106, 'Azure AD App Registration with High-Privilege API Permissions', 3, 3, 1, 'Persistence', 'T1098.001 - Account Manipulation: Additional Cloud Credentials', 'Detects creation of new Azure AD application registrations which may be used to establish persistence with high-privilege API permissions. Attackers create app registrations with permissions like Mail.ReadWrite, Directory.ReadWrite.All, or RoleManagement.ReadWrite.Directory to maintain access.
+
+Next Steps:
+1. Review the application registration and its requested API permissions
+2. Verify the creator has authorization to register applications
+3. Check if admin consent was granted for the application''s permissions
+4. Review the application''s redirect URIs for suspicious external domains
+5. Examine the application''s credential types (secrets, certificates)
+6. If unauthorized, delete the application registration and revoke any granted consents
+7. Implement app registration policies to restrict who can create applications
+8. Enable admin consent workflow for application permission requests
+', '["https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals","https://attack.mitre.org/techniques/T1098/001/"]', '(contains("log.operationName", "Add application") ||
+ contains("log.operationName", "Add service principal") ||
+ contains("log.operationName", "Consent to application")) &&
+equals("log.categoryValue", "Administrative")
+', '2026-02-09 16:31:13.876574', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.user","operator":"filter_term","value":"{{origin.user}}"},{"field":"log.categoryValue","operator":"filter_term","value":"Administrative"}],"or":null,"within":"now-1h","count":3}]', '["lastEvent.log.operationName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (107, 'Application Gateway WAF Security Alerts', 3, 3, 2, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects Web Application Firewall alerts from Azure Application Gateway indicating potential web attacks or malicious activity. This rule triggers when WAF blocks or detects suspicious requests that match security rules.
+
+**Next Steps:**
+1. Review the specific WAF rule ID and message details to understand the attack type
+2. Analyze the source IP address for reputation and geographic location
+3. Examine the request URL, headers, and payload for attack indicators
+4. Check for additional requests from the same source IP within the time window
+5. Verify if this is a legitimate application behavior or actual attack attempt
+6. Consider implementing additional WAF rules or IP blocking if confirmed malicious
+7. Review application logs for any successful bypass attempts
+', '["https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-logs","https://attack.mitre.org/techniques/T1190/"]', '(equals("log.operationName", "ApplicationGatewayFirewallLog") || equals("log.type", "ApplicationGatewayFirewallLog")) &&
+equals("log.action", "Blocked") &&
+exists("log.ruleId")
+', '2026-02-09 16:31:14.041368', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-10m","count":5}]', '["lastEvent.log.ruleId","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (108, 'Azure AD Impossible Travel Sign-In Detection', 3, 2, 1, 'Credential Access', 'T1078 - Valid Accounts', 'Detects Azure AD sign-ins flagged as risky due to impossible travel, anonymous IP usage, or unfamiliar locations. These risk detections indicate potential credential compromise when a user authenticates from geographically impossible locations or through anonymizing services.
+
+Next Steps:
+1. Review the sign-in details including IP addresses and geographic locations
+2. Check if the user employs VPN services that could explain different locations
+3. Verify with the user whether the sign-in attempts are legitimate
+4. Review the risk level and risk detail provided by Azure AD Identity Protection
+5. Check for MFA challenges and their outcomes during the sign-in
+6. If compromised, immediately reset user credentials and revoke active sessions
+7. Enable Conditional Access policies requiring MFA for risky sign-ins
+8. Review Azure AD sign-in logs for other accounts from the same suspicious IPs
+', '["https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks","https://attack.mitre.org/techniques/T1078/"]', 'contains("log.operationName", "Sign-in activity") &&
+(equals("log.properties.riskLevelDuringSignIn", "high") ||
+ equals("log.properties.riskState", "atRisk") ||
+ contains("log.properties.riskEventTypes", "impossibleTravel") ||
+ contains("log.properties.riskEventTypes", "anonymizedIPAddress"))
+', '2026-02-09 16:31:14.200933', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (109, 'Azure Automation Runbook Abuse', 3, 3, 2, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects creation or modification of Azure Automation runbooks which can be abused for code execution with managed identity privileges. Attackers may create runbooks to execute arbitrary code, establish persistence, or perform lateral movement using the automation account''s managed identity.
+
+Next Steps:
+1. Review the runbook content for malicious scripts or commands
+2. Verify the automation account''s managed identity permissions
+3. Check the user creating or modifying the runbook has authorization
+4. Review the runbook schedule for unauthorized execution times
+5. Examine the runbook''s Run As account credentials
+6. If unauthorized, disable the runbook and revoke the automation account''s permissions
+7. Review execution history for already-executed malicious runbooks
+8. Implement RBAC to restrict automation account management
+', '["https://learn.microsoft.com/en-us/azure/automation/automation-runbook-types","https://attack.mitre.org/techniques/T1059/"]', 'contains("log.operationName", "Microsoft.Automation") &&
+(contains("log.operationName", "runbooks/write") ||
+ contains("log.operationName", "runbooks/publish") ||
+ contains("log.operationName", "jobs/write") ||
+ contains("log.operationName", "schedules/write")) &&
+equals("log.resultType", "Success")
+', '2026-02-09 16:31:14.375401', true, false, 'origin', null, '[]', '["lastEvent.log.operationName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (110, 'Azure AD Password Spray Attack Detection', 3, 2, 1, 'Credential Access', 'T1110 - Brute Force', 'Detects password spray attacks against Azure AD by correlating failed sign-in attempts across multiple usernames from the same source IP within a short time window. Password spraying tries common passwords against many accounts to avoid account lockout thresholds.
+
+Next Steps:
+1. Identify the source IP and check threat intelligence feeds for known malicious sources
+2. Review the list of targeted user accounts for patterns (executives, admins, service accounts)
+3. Check if any of the targeted accounts subsequently had successful logins
+4. Verify that account lockout policies are properly configured
+5. Block the source IP at the network level if confirmed malicious
+6. Enable Azure AD Smart Lockout for brute force protection
+7. Implement Conditional Access policies requiring MFA
+8. Review password policies and enforce complexity requirements
+', '["https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks","https://attack.mitre.org/techniques/T1110/"]', 'contains("log.operationName", "Sign-in activity") &&
+(equals("log.properties.status.errorCode", "50126") ||
+ equals("log.properties.status.errorCode", "50053") ||
+ equals("log.properties.status.errorCode", "50057")) &&
+exists("origin.ip")
+', '2026-02-09 16:31:14.526597', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.properties.status.errorCode","operator":"filter_match","value":"5005"}],"or":null,"within":"now-15m","count":15}]', '["lastEvent.log.operationName","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (111, 'Azure Security Alert Suppression Rule Created', 2, 3, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Detects creation of alert suppression rules in Azure Defender / Microsoft Defender for Cloud. Attackers create suppression rules to hide security alerts generated by their activities.
+
+Next Steps:
+1. Review the suppression rule and what alert types it suppresses
+2. Verify the rule creation was part of an authorized security operations workflow
+3. Check the user identity for legitimate security team membership
+4. Review recent security alerts that may have been suppressed
+5. If unauthorized, delete the suppression rule and review suppressed alerts
+6. Check for other defense evasion activities from the same user
+', '["https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules","https://attack.mitre.org/techniques/T1562/"]', 'regexMatch("log.operationName", "(?i)MICROSOFT\\.SECURITY/ALERTSSUPPRESSIONRULES/WRITE")
+', '2026-02-09 16:31:14.687510', true, false, 'origin', null, '[]', '["lastEvent.log.operationName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (136, 'Azure Service Principal Credentials Added', 3, 3, 2, 'Persistence', 'T1098.001 - Account Manipulation: Additional Cloud Credentials', 'Detects when new credentials (certificates or secrets) are added to Azure service principals through Azure AD/Entra ID Audit Logs.
+
+**Security Context:**
+Adversaries may add credentials to service principals to maintain persistent access to victim Azure accounts. By hijacking an application with granted permissions through adding rogue secrets or certificates, attackers can access protected data and bypass MFA requirements. This technique is commonly used after initial compromise to establish long-term persistence.
+
+**Detection Logic:**
+This rule monitors AuditLogs for successful "Add service principal" operations, which indicate new credentials being added to service principals. The operation captures both certificate and secret additions.
+
+**Investigation Steps:**
+1. Identify the actor who added the credentials: Check log.propertiesInitiatedBy for the user or service principal
+2. Review the target service principal: Examine log.propertiesTargetResources for the affected service principal name and ID
+3. Verify if the action was authorized: Correlate with change management tickets
+4. Check service principal permissions: Review what resources this service principal can access
+5. Examine recent sign-in activity: Look for unusual authentication patterns using the service principal
+6. Review credential type: Determine if a certificate or secret was added via log.propertiesModifiedProperties
+
+**Recommended Actions:**
+- If unauthorized, immediately revoke the newly added credentials
+- Review and rotate all credentials for the affected service principal
+- Audit all resources accessible by the service principal for signs of compromise
+- Enable alerts for future credential additions to critical service principals
+- Implement conditional access policies and privileged identity management
+
+**MITRE ATT&CK Reference:** T1098.001 - Account Manipulation: Additional Cloud Credentials
+
+**Azure Documentation:**
+- AuditLogs table: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs
+- Service Principal credentials: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
+', '["https://attack.mitre.org/techniques/T1098/001/","https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs","https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal"]', 'equalsIgnoreCase("log.category", "AuditLogs") &&
+contains("log.operationName", "Add service principal") &&
+(equals("log.resultType", "0") || equalsIgnoreCase("actionResult", "SUCCESS"))
+', '2026-02-09 16:31:18.565801', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (113, 'Azure AD Application Credential Added', 3, 3, 2, 'Persistence', 'T1098.001 - Account Manipulation: Additional Cloud Credentials', 'Detects when new certificates or client secrets are added to Azure AD application registrations. This is the primary Azure AD persistence technique - attackers add credentials to existing apps to maintain access even after password resets.
+
+Next Steps:
+1. Verify the credential addition was authorized by the application owner
+2. Identify the application and its permissions (especially Graph API permissions)
+3. Check the user identity adding the credential for legitimacy
+4. Review the credential type (certificate vs secret) and expiration
+5. Check for subsequent sign-ins using the new application credential
+6. If unauthorized, remove the credential and rotate all app secrets
+7. Review the application''s API permissions for excessive access
+', '["https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal","https://attack.mitre.org/techniques/T1098/001/"]', 'oneOf("log.operationName", ["Add service principal credentials", "Update application - Certificates and secrets management"]) ||
+(contains("log.operationName", "application") && contains("log.properties", "KeyCredentials"))
+', '2026-02-09 16:31:14.980999', true, false, 'origin', null, '[]', '["lastEvent.log.properties.targetResources","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (114, 'Azure AD Privileged App Role Assignment', 3, 3, 2, 'Privilege Escalation', 'T1098.003 - Account Manipulation: Additional Cloud Roles', 'Detects privileged app role assignments to service principals in Azure AD, which is the mechanism used in illicit consent grant attacks. Attackers create or modify applications with high-privilege API permissions to access organizational data.
+
+Next Steps:
+1. Review the application and the specific API permissions granted
+2. Verify the consent was authorized by a legitimate administrator
+3. Check if the application is known and trusted
+4. Review the application publisher and redirect URIs
+5. Check for data access using the application''s permissions
+6. If unauthorized, remove the role assignment and revoke application consent
+7. Review and restrict user consent settings in Azure AD
+', '["https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals","https://attack.mitre.org/techniques/T1098/003/"]', 'contains("log.operationName", "Add app role assignment to service principal") ||
+(contains("log.operationName", "Consent to application") && contains("log.properties", "AppRoleAssignment"))
+', '2026-02-09 16:31:15.125869', true, false, 'origin', null, '[]', '["lastEvent.log.properties.targetResources","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (115, 'AzureHound Reconnaissance Tool Detected', 2, 1, 0, 'Discovery', 'T1087.004 - Account Discovery: Cloud Account', 'Detects AzureHound user agent in Azure AD sign-in logs. AzureHound is the Azure AD data collector for BloodHound, used to enumerate all users, groups, roles, apps, and relationships in the tenant for attack path analysis.
+
+Next Steps:
+1. Identify the user account running AzureHound
+2. Determine if this is an authorized security assessment
+3. Review the scope of data collected (users, groups, roles, apps)
+4. Check for lateral movement or privilege escalation following the enumeration
+5. If unauthorized, revoke the user''s tokens and investigate
+6. Review API permissions that allowed the enumeration
+7. Consider implementing Graph API rate limiting or monitoring
+', '["https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html","https://attack.mitre.org/techniques/T1087/004/"]', 'contains("log.properties", "azurehound") ||
+contains("log.properties", "AzureHound")
+', '2026-02-09 16:31:15.285862', true, false, 'origin', '["adversary.user","adversary.ip"]', '[]', null);
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (116, 'Azure AD Device Code Authentication Flow Detected', 3, 2, 1, 'Initial Access', 'T1078 - Valid Accounts', 'Detects OAuth device code flow authentication in Azure AD. Device code phishing is a growing attack vector where attackers trick users into authenticating on a device the attacker controls, granting the attacker access tokens.
+
+Next Steps:
+1. Verify the device code authentication was initiated by the user on a legitimate device
+2. Check the application requesting the device code for legitimacy
+3. Review the source IP where the token was redeemed
+4. Check for subsequent suspicious activities using the obtained token
+5. If unauthorized, revoke the session and all refresh tokens
+6. Consider blocking device code flow via conditional access policies
+7. Educate users about device code phishing attacks
+', '["https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code","https://attack.mitre.org/techniques/T1078/"]', '(contains("log.properties", "deviceCode") && contains("log.operationName", "Sign-in")) ||
+contains("log.properties", "urn:ietf:params:oauth:grant-type:device_code")
+', '2026-02-09 16:31:15.446209', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (117, 'Azure Disk Snapshot Exfiltration', 3, 2, 1, 'Data Exfiltration', 'T1537 - Transfer Data to Cloud Account', 'Detects Azure disk snapshot operations that could be used for data exfiltration, including sharing snapshots across subscriptions, generating SAS URIs for download, or copying snapshots to external storage accounts.
+
+Next Steps:
+1. Identify the disk snapshot and the virtual machine it was taken from
+2. Review the target location or account where the snapshot is being shared
+3. Verify the operator has authorization for cross-subscription snapshot operations
+4. Check if a SAS URI was generated that could allow external download
+5. Review the data sensitivity of the affected virtual machine''s disk
+6. If unauthorized, revoke any generated SAS tokens and delete shared snapshots
+7. Implement Azure Policy to restrict snapshot sharing across subscriptions
+8. Enable diagnostic logging for disk operations
+', '["https://learn.microsoft.com/en-us/azure/virtual-machines/disks-incremental-snapshots","https://attack.mitre.org/techniques/T1537/"]', '(contains("log.operationName", "Microsoft.Compute/snapshots") ||
+ contains("log.operationName", "Microsoft.Compute/disks")) &&
+(contains("log.operationName", "beginGetAccess") ||
+ contains("log.operationName", "export")) &&
+equals("log.resultType", "Success")
+', '2026-02-09 16:31:15.591151', true, false, 'origin', null, '[]', '["lastEvent.log.operationName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (118, 'Azure AD Bulk Privileged Role Assignment Changes', 3, 3, 2, 'Privilege Escalation', 'T1098 - Account Manipulation', 'Detects mass privileged role assignment changes in Azure AD. Multiple role assignments in a short time window indicate an attacker rapidly escalating privileges across multiple accounts for persistence and lateral movement.
+
+Next Steps:
+1. Review all role assignments made in the burst
+2. Identify the admin account making the changes
+3. Check if these changes were part of an approved onboarding or migration
+4. Review the specific roles assigned (Global Admin, Exchange Admin, etc.)
+5. If unauthorized, revert all role assignments and investigate the admin account
+6. Enable Azure PIM for just-in-time role activation
+', '["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles","https://attack.mitre.org/techniques/T1098/"]', 'contains("log.operationName", "Add member to role") ||
+contains("log.operationName", "Add eligible member to role")
+', '2026-02-09 16:31:15.727148', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-30m","count":10}]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (119, 'Azure AD Impossible Travel Sign-In', 3, 2, 1, 'Initial Access', 'T1078 - Valid Accounts', 'Detects Azure Identity Protection impossible travel alerts where a user signs in from geographically distant locations in a timeframe that makes physical travel impossible. This strongly indicates credential theft or session hijacking.
+
+Next Steps:
+1. Contact the user to verify both sign-in locations
+2. Check if a VPN or proxy could explain the geolocation discrepancy
+3. Review the sign-in details (device, browser, app) for both locations
+4. If unauthorized, force password reset and revoke all sessions
+5. Review data access and actions from the suspicious location
+6. Enable location-based conditional access policies
+7. Check for other users with similar patterns from the same locations
+', '["https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks","https://attack.mitre.org/techniques/T1078/"]', 'contains("log.operationName", "Impossible Travel") ||
+(contains("log.properties", "riskEventType") && contains("log.properties", "impossibleTravel"))
+', '2026-02-09 16:31:15.861315', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (120, 'Azure Kubernetes Admission Webhook Modified', 3, 3, 2, 'Persistence', 'T1078.004 - Valid Accounts: Cloud Accounts', 'Detects creation or modification of MutatingAdmissionWebhook or ValidatingAdmissionWebhook configurations in Azure Kubernetes Service. Attackers use admission controllers to inject malicious containers or modify workload specifications.
+
+Next Steps:
+1. Review the webhook configuration and its target service
+2. Verify the webhook was created as part of a legitimate deployment
+3. Check the webhook''s namespace selector and object selector
+4. Examine what resources the webhook intercepts (pods, deployments, etc.)
+5. If unauthorized, delete the webhook and audit all recent pod deployments
+6. Review cluster RBAC for excessive admission controller permissions
+', '["https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/","https://attack.mitre.org/techniques/T1078/004/"]', 'contains("log.operationName", "MICROSOFT.CONTAINERSERVICE") &&
+(contains("log.properties", "MutatingWebhookConfiguration") || contains("log.properties", "ValidatingWebhookConfiguration")) &&
+(contains("log.properties", "create") || contains("log.properties", "update") || contains("log.properties", "patch"))
+', '2026-02-09 16:31:16.010841', true, false, 'origin', null, '[]', '["lastEvent.log.resourceId","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (121, 'Azure Kubernetes Secret Write or Delete', 3, 3, 2, 'Credential Access', 'T1552.007 - Unsecured Credentials: Container API', 'Detects write or delete operations on Kubernetes Secrets in Azure Kubernetes Service. Secrets contain sensitive data like service account tokens, TLS certificates, and database credentials. Unauthorized access indicates potential credential theft or data tampering.
+
+Next Steps:
+1. Identify the user or service account accessing the secrets
+2. Review which secrets were accessed, modified, or deleted
+3. Check if the operation was part of a legitimate deployment workflow
+4. Audit the RBAC permissions of the identity performing the action
+5. If unauthorized, rotate all affected secrets immediately
+6. Review pod specifications for secrets mounted as volumes or environment variables
+', '["https://kubernetes.io/docs/concepts/configuration/secret/","https://attack.mitre.org/techniques/T1552/007/"]', 'contains("log.operationName", "MICROSOFT.CONTAINERSERVICE") &&
+contains("log.properties", "secrets") &&
+(contains("log.properties", "create") || contains("log.properties", "update") || contains("log.properties", "delete") || contains("log.properties", "patch"))
+', '2026-02-09 16:31:16.165946', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-30m","count":5}]', '["lastEvent.log.resourceId","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (122, 'Azure Kubernetes Events Deleted', 1, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects deletion of Kubernetes events in Azure Kubernetes Service (AKS). Attackers delete events to cover traces of their activities within the cluster.
+
+Next Steps:
+1. Identify the user or service account that deleted the events
+2. Check for other suspicious Kubernetes operations from the same identity
+3. Review AKS audit logs for activities that occurred before the event deletion
+4. Verify if this was part of a legitimate cluster maintenance operation
+5. If unauthorized, investigate the cluster for signs of compromise
+6. Review RBAC policies to restrict event deletion permissions
+', '["https://learn.microsoft.com/en-us/azure/aks/monitor-aks","https://attack.mitre.org/techniques/T1562/001/"]', 'contains("log.operationName", "MICROSOFT.CONTAINERSERVICE") &&
+(contains("log.properties", "events") && contains("log.properties", "delete"))
+', '2026-02-09 16:31:16.326140', true, false, 'origin', null, '[]', '["lastEvent.log.resourceId","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (123, 'Azure AD LAPS Password Recovery', 3, 2, 1, 'Credential Access', 'T1003 - OS Credential Dumping', 'Detects Local Administrator Password Solution (LAPS) password recovery from Entra ID. While LAPS recovery is a legitimate admin operation, excessive or unauthorized recovery attempts indicate credential dumping for lateral movement.
+
+Next Steps:
+1. Verify the user recovering the LAPS password has legitimate need
+2. Check the target device and whether the user is responsible for it
+3. Review the frequency of LAPS password recoveries by this user
+4. Correlate with subsequent RDP or SMB connections to the target device
+5. If unauthorized, rotate the LAPS password and investigate the user''s activities
+6. Review RBAC for LAPS password read permissions
+', '["https://learn.microsoft.com/en-us/entra/identity/devices/howto-manage-local-admin-passwords","https://attack.mitre.org/techniques/T1003/"]', 'contains("log.operationName", "Recover device local administrator password") ||
+(contains("log.operationName", "Read device local administrator password") && exists("log.properties"))
+', '2026-02-09 16:31:16.486258', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-1h","count":3}]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (124, 'Azure AD Federation Settings Modified', 3, 3, 3, 'Credential Access', 'T1556 - Modify Authentication Process', 'Detects modifications to Azure AD domain federation settings. Changing federation configuration is a critical attack technique that enables Golden SAML attacks and domain takeover, allowing attackers to forge authentication tokens for any user.
+
+Next Steps:
+1. Immediately verify the federation modification was authorized
+2. Check the user identity and source IP performing the change
+3. Review the new federation settings for suspicious IdP configurations
+4. Validate the signing certificate in the federation configuration
+5. Check for subsequent sign-ins using federated authentication
+6. If unauthorized, revert the federation changes and investigate all federated sessions
+7. Review all privileged role assignments that occurred after the change
+', '["https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-fed","https://attack.mitre.org/techniques/T1556/"]', 'contains("log.operationName", "Set federation settings on domain") ||
+(contains("log.operationName", "Set domain authentication") && contains("log.properties", "Federated"))
+', '2026-02-09 16:31:16.650983', true, false, 'origin', null, '[]', '["lastEvent.log.operationName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (125, 'Azure AD Leaked Credentials Detection', 3, 3, 2, 'Credential Access', 'T1078 - Valid Accounts', 'Detects Azure Identity Protection alerts for leaked credentials found on dark web, paste sites, or other sources. This indicates user credentials have been exposed and may be used for unauthorized access.
+
+Next Steps:
+1. Immediately force a password reset for the affected user
+2. Revoke all active sessions and refresh tokens
+3. Review recent sign-in activity for unauthorized access
+4. Check for any data access or configuration changes after the leak
+5. Enable MFA if not already required for the user
+6. Investigate how the credentials were leaked (phishing, malware, reuse)
+7. Check if the same password was used across other services
+', '["https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks","https://attack.mitre.org/techniques/T1078/"]', 'contains("log.operationName", "Leaked Credentials") ||
+(contains("log.properties", "riskEventType") && contains("log.properties", "leakedCredentials"))
+', '2026-02-09 16:31:16.806087', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (126, 'Azure Primary Refresh Token Access Attempt', 3, 3, 1, 'Credential Access', 'T1528 - Steal Application Access Token', 'Detects attempts to access the Primary Refresh Token (PRT) in Azure AD. PRT theft is a high-confidence compromise indicator as PRTs provide SSO access across all Azure AD-integrated applications and can be used to bypass conditional access policies.
+
+Next Steps:
+1. Immediately investigate the user account associated with this alert
+2. Check the device from which the PRT access was attempted
+3. Review sign-in logs for the affected user for anomalous patterns
+4. Check for token replay attacks or sessions from unexpected locations
+5. If compromise is confirmed, revoke all refresh tokens for the user
+6. Re-register the device and force re-authentication
+7. Review conditional access policies for PRT-based bypass vulnerabilities
+', '["https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token","https://attack.mitre.org/techniques/T1528/"]', 'contains("log.operationName", "Primary Refresh Token") ||
+(contains("log.properties", "PRT") && contains("log.properties", "access"))
+', '2026-02-09 16:31:17.045870', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (127, 'Azure AD Resource Owner Password Credentials Flow Detected', 2, 2, 1, 'Credential Access', 'T1078 - Valid Accounts', 'Detects use of the Resource Owner Password Credentials (ROPC) OAuth flow in Azure AD. ROPC sends plain-text credentials directly to the token endpoint, bypassing MFA and conditional access. It is commonly abused by attackers for credential stuffing and automated account compromise.
+
+Next Steps:
+1. Identify the application using ROPC flow and verify its legitimacy
+2. Check if the application has a legitimate need for ROPC (legacy/headless apps)
+3. Review the source IPs making ROPC requests for suspicious patterns
+4. Check for high volumes of failed ROPC requests (credential stuffing)
+5. Migrate the application to a modern auth flow (authorization code, device code)
+6. If unauthorized, block the application and reset affected user passwords
+', '["https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc","https://attack.mitre.org/techniques/T1078/"]', 'contains("log.properties", "urn:ietf:params:oauth:grant-type:password") ||
+(contains("log.operationName", "Sign-in") && contains("log.properties", "ropc"))
+', '2026-02-09 16:31:17.186271', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-1h","count":5}]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (128, 'Azure AD Password Spray Attack Detected', 3, 2, 1, 'Credential Access', 'T1110.003 - Brute Force: Password Spraying', 'Detects Azure Identity Protection password spray attack signals. Microsoft''s ML-based detection identifies distributed password spray attempts across multiple accounts using common passwords.
+
+Next Steps:
+1. Identify all affected user accounts in the password spray
+2. Check if any accounts were successfully compromised
+3. Force password resets for all targeted accounts
+4. Review source IPs for known attack infrastructure
+5. Check for successful sign-ins from the same source IPs
+6. Enable smart lockout policies if not already configured
+7. Review MFA enforcement across all targeted accounts
+', '["https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks","https://attack.mitre.org/techniques/T1110/003/"]', 'contains("log.operationName", "Password Spray") ||
+(contains("log.properties", "riskEventType") && contains("log.properties", "passwordSpray"))
+', '2026-02-09 16:31:17.366393', true, false, 'origin', null, '[]', '["lastEvent.log.operationName","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (129, 'Azure Sentinel High/Critical Alert Pattern Detection', 3, 3, 2, 'Threat Detection', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects high-severity or critical alerts from Azure Sentinel that may indicate coordinated attack activity or serious security incidents requiring immediate investigation. This rule identifies new alerts with High or Critical severity levels from Microsoft Sentinel that could represent active threats.
+
+Next Steps:
+1. Review the alert details and affected resources immediately
+2. Correlate with other security events in the environment
+3. Check for signs of lateral movement or privilege escalation
+4. Verify if the alert represents a true positive through manual investigation
+5. Implement containment measures if attack activity is confirmed
+6. Document findings and update incident response procedures
+', '["https://learn.microsoft.com/en-us/azure/sentinel/security-alert-schema","https://attack.mitre.org/techniques/T1562/"]', 'oneOf("log.AlertSeverity", ["High", "Critical"]) &&
+equals("log.VendorName", "Microsoft Sentinel") &&
+equals("log.Status", "New")
+', '2026-02-09 16:31:17.531107', true, false, 'origin', null, '[]', '["lastEvent.log.AlertType","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (130, 'Azure AD New Root Certificate Authority Added', 3, 3, 2, 'Persistence', 'T1556 - Modify Authentication Process', 'Detects when a new root certificate authority is added to the TrustedCAsForPasswordlessAuth configuration in Azure AD. Adding a rogue root CA enables persistent passwordless authentication backdoor access.
+
+Next Steps:
+1. Immediately verify the root CA addition was authorized
+2. Review the certificate details and issuing authority
+3. Check the user identity performing the change
+4. Validate the CA against your organization''s known PKI infrastructure
+5. If unauthorized, remove the root CA immediately
+6. Audit all certificate-based authentications since the CA was added
+7. Review Azure AD authentication methods policies
+', '["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication","https://attack.mitre.org/techniques/T1556/"]', 'contains("log.operationName", "TrustedCAsForPasswordlessAuth") ||
+(contains("log.operationName", "Update organization settings") && contains("log.properties", "certificateAuthorities"))
+', '2026-02-09 16:31:17.685722', true, false, 'origin', null, '[]', '["lastEvent.log.operationName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (190, 'AWS Configuration Recorder Stopped', 3, 2, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies an AWS configuration change to stop recording a designated set of resources', '["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html","https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html","https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/"]', 'equals("log.eventSource", "config.amazonaws.com") &&
+equals("log.eventName", "StopConfigurationRecorder")
+', '2026-02-09 16:32:22.765665', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (131, 'Azure AD Temporary Access Pass Registration', 3, 2, 1, 'Credential Access', 'T1078.004 - Valid Accounts: Cloud Accounts', 'Detects registration of Temporary Access Pass (TAP) in Azure AD. TAPs can be used to bypass MFA requirements and are a growing attack vector for initial access and MFA circumvention.
+
+Next Steps:
+1. Verify the TAP was requested through legitimate channels (IT helpdesk)
+2. Check the admin user who created the TAP for legitimacy
+3. Review the target user and reason for TAP issuance
+4. Check for sign-ins using the TAP, especially from unusual locations
+5. Verify MFA registration events following the TAP usage
+6. If unauthorized, revoke the TAP immediately and investigate
+7. Review TAP policy settings for appropriate lifetime and usage limits
+', '["https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass","https://attack.mitre.org/techniques/T1078/004/"]', '(contains("log.operationName", "Admin registered security info") && contains("log.properties", "Temporary Access Pass")) ||
+(contains("log.operationName", "Update user") && contains("log.properties", "TemporaryAccessPass"))
+', '2026-02-09 16:31:17.816412', true, false, 'origin', null, '[]', '["lastEvent.log.properties.targetResources","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (132, 'Azure Key Vault Modified', 3, 3, 2, 'Credential Access', 'T1552 - Unsecured Credentials', 'Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates,  connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow  only authorized applications and users. Adversaries may modify Key Vault configurations to weaken security controls, add unauthorized access policies,  or change network rules to facilitate credential theft and unauthorized access to sensitive secrets.', '["https://attack.mitre.org/techniques/T1552/","https://attack.mitre.org/tactics/TA0006/","https://learn.microsoft.com/en-us/azure/key-vault/general/security-features"]', '(equalsIgnoreCase("log.category", "Administrative") || contains("log.category", "Activity")) &&
+(equalsIgnoreCase("log.operationName", "MICROSOFT.KEYVAULT/VAULTS/WRITE") ||
+contains("log.operationName", "Microsoft.KeyVault/vaults/write")) &&
+equals("log.resultType", "0")
+', '2026-02-09 16:31:17.966280', true, false, 'target', null, '[]', '["target.ip","target.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (133, 'Azure Subscription Permission Elevation via ElevateAccess', 3, 3, 3, 'Privilege Escalation', 'T1078.004 - Valid Accounts: Cloud Accounts', 'Detects the MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION operation which grants a Global Administrator access to ALL Azure subscriptions in the tenant. This is an extremely high-impact action that should be very rare and carefully monitored.
+
+Next Steps:
+1. Immediately verify this action was authorized by a known Global Administrator
+2. Check if a change request or emergency procedure exists for this action
+3. Review what subscription-level changes were made after the elevation
+4. Check for new role assignments at the management group or subscription level
+5. If unauthorized, remove the User Access Administrator role and audit all changes
+6. Enable Azure PIM (Privileged Identity Management) if not already in use
+', '["https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin","https://attack.mitre.org/techniques/T1078/004/"]', 'regexMatch("log.operationName", "(?i)MICROSOFT\\.AUTHORIZATION/ELEVATEACCESS/ACTION")
+', '2026-02-09 16:31:18.095884', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (134, 'Azure Event Hub Deletion', 1, 3, 3, 'Defense Evasion', 'T1562.008 - Impair Defenses: Disable Cloud Logs', 'Detects the deletion of an Azure Event Hub, which is a critical event processing service that ingests and processes large volumes of events, logs, and telemetry data. Event Hubs are commonly used for security monitoring, log aggregation, and SIEM integration. Adversaries may delete Event Hubs to evade detection by disrupting log collection pipelines and preventing security events from reaching monitoring systems.
+
+Threat Context:
+- Event Hubs are often used to stream logs to SIEM solutions
+- Deletion interrupts security monitoring and incident detection capabilities
+- Can be part of anti-forensics activities to cover tracks
+- May indicate an attempt to blind security operations before further attacks
+
+Legitimate Use Cases:
+- Decommissioning unused Event Hubs during cost optimization
+- Infrastructure cleanup during application retirement
+- Migration to new Event Hub namespaces or different logging solutions
+- Testing and development environment cleanup
+
+Suspicious Indicators:
+- Event Hub actively receiving logs suddenly deleted
+- Deletion performed by non-administrative accounts
+- Multiple Event Hubs deleted in quick succession
+- Deletion outside change management windows
+- Deletion from unusual locations or IP addresses
+- Event Hub connected to production SIEM or security monitoring
+
+Next Steps:
+1. Verify if the deletion was authorized via change management process
+2. Identify who performed the deletion (caller) and their role
+3. Check if the Event Hub was actively receiving security logs
+4. Determine the impact on security monitoring and log collection
+5. Review recent authentication activity for the caller account
+6. Check for other suspicious activities in the timeline (diagnostic settings changes, etc.)
+7. Verify if backups of the Event Hub configuration exist
+8. If unauthorized, restore the Event Hub and investigate for account compromise
+9. Review authorization rules and access policies for remaining Event Hubs
+', '["https://attack.mitre.org/techniques/T1562/008/","https://attack.mitre.org/tactics/TA0005/","https://learn.microsoft.com/en-us/azure/event-hubs/monitor-event-hubs","https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log"]', '(equalsIgnoreCase("log.category", "Administrative") || contains("log.category", "Activity")) &&
+(equalsIgnoreCase("log.operationName", "MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE") ||
+contains("log.operationName", "Delete EventHub")) &&
+(equalsIgnoreCase("log.resultType", "0") || equalsIgnoreCase("actionResult", "SUCCESS"))
+', '2026-02-09 16:31:18.250850', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (135, 'Azure Diagnostic Settings Deletion', 1, 3, 3, 'Defense Evasion', 'T1562.008 - Impair Defenses: Disable Cloud Logs', 'Detects the deletion of diagnostic settings in Azure, which are critical for sending platform logs, metrics, and activity data to destinations like Log Analytics workspaces, Event Hubs, or storage accounts. Adversaries delete diagnostic settings to evade detection by disabling security monitoring and audit logging capabilities.
+
+This technique is commonly observed when attackers:
+- Attempt to hide malicious activities from security teams
+- Disable logging before executing destructive operations
+- Remove evidence trails of their presence in the environment
+- Prevent detection of lateral movement or data exfiltration
+
+Legitimate deletions are rare and typically occur only during:
+- Infrastructure decommissioning or major reconfigurations
+- Cost optimization initiatives (but should be heavily scrutinized)
+- Migration to new monitoring solutions
+
+Next Steps:
+1. Immediately verify if the deletion was authorized and documented
+2. Identify who performed the operation and from which IP address
+3. Check if diagnostic settings were immediately recreated (potential test)
+4. Review recent activities on the affected resource for suspicious behavior
+5. Verify if other resources had their diagnostic settings deleted
+6. Restore diagnostic settings immediately to resume monitoring
+7. Investigate the caller''s account for potential compromise
+8. Check for other defense evasion techniques in the timeline
+', '["https://attack.mitre.org/techniques/T1562/008/","https://attack.mitre.org/tactics/TA0005/","https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings","https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log"]', '(equalsIgnoreCase("log.category", "Administrative") || contains("log.category", "Activity")) &&
+(equalsIgnoreCase("log.operationName", "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE") ||
+contains("log.operationName", "Delete diagnostic setting")) &&
+equalsIgnoreCase("log.resultType", "0")
+', '2026-02-09 16:31:18.406489', true, false, 'target', null, '[]', '["target.ip","target.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (137, 'Azure AD Golden SAML and Federation Domain Abuse', 3, 3, 2, 'Credential Access', 'T1606.002 - Forge Web Credentials: SAML Tokens', 'Detects additions or modifications of federated domains in Azure AD which could indicate Golden SAML attacks. Attackers who compromise AD FS signing certificates or add rogue federation domains can forge SAML tokens to impersonate any user in the organization.
+
+Next Steps:
+1. Immediately verify if the federation domain change was authorized
+2. Review the domain being added and its federation metadata endpoint
+3. Check the AD FS signing certificate for unauthorized modifications
+4. Verify the identity of the administrator making the change
+5. Review Azure AD audit logs for other suspicious tenant-level changes
+6. If unauthorized, immediately remove the federated domain and revoke all active sessions
+7. Rotate the AD FS token signing certificate
+8. Enable Certificate Authority revocation checking for federation certificates
+', '["https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed","https://attack.mitre.org/techniques/T1606/002/"]', '(contains("log.operationName", "Set federation settings on domain") ||
+ contains("log.operationName", "Set domain authentication") ||
+ contains("log.operationName", "Add unverified domain") ||
+ contains("log.operationName", "Add verified domain") ||
+ contains("log.operationName", "Set DomainFederationSettings")) &&
+equals("log.categoryValue", "Administrative")
+', '2026-02-09 16:31:18.721022', true, false, 'origin', null, '[]', '["lastEvent.log.operationName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (138, 'Azure Active Directory High Risk Sign-in', 3, 3, 2, 'Initial Access', 'T1078 - Valid Accounts', 'Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft''s Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised. This rule triggers on ''high'' risk level sign-ins, which indicate strong indicators of compromise such as impossible travel, anonymous IP usage, or leaked credentials.', '["https://attack.mitre.org/techniques/T1078/","https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks","https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs"]', 'equalsIgnoreCase("log.category", "SignInLogs") &&
+equalsIgnoreCase("log.properties.RiskLevelDuringSignIn", "high") &&
+equalsIgnoreCase("log.propertiesTokenIssuerType", "AzureAD") &&
+equals("log.resultType", "0")
+', '2026-02-09 16:31:18.861590', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (140, 'Azure Key Vault Excessive Access Detected', 3, 2, 1, 'Collection', 'T1530 - Data from Cloud Storage Object', 'Detects unusual spikes in Azure Key Vault access patterns. Monitors for multiple secret retrieval operations from the same source, which could indicate credential harvesting or data exfiltration attempts.
+
+Next Steps:
+1. Investigate the source IP address and verify if it''s a legitimate system or user
+2. Review the specific secrets/keys being accessed and their criticality
+3. Check for any recent changes to Key Vault access policies
+4. Correlate with user authentication logs to identify the account responsible
+5. Verify if the access pattern aligns with normal business operations
+6. Consider implementing additional access controls or monitoring if suspicious activity is confirmed
+', '["https://learn.microsoft.com/en-us/azure/key-vault/general/logging","https://attack.mitre.org/techniques/T1530/"]', 'equals("log.category", "AuditEvent") &&
+oneOf("log.operationName", ["SecretGet", "SecretList", "KeyGet"])
+', '2026-02-09 16:31:19.397260', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.category","operator":"filter_term","value":"AuditEvent"}],"or":null,"within":"now-10m","count":20}]', '["lastEvent.log.resourceId","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (141, 'MFA Disabled for Privileged Azure AD User', 3, 3, 1, 'Defense Evasion', 'T1556 - Modify Authentication Process', 'Detects when Multi-Factor Authentication (MFA) is disabled for privileged users in Azure AD. This could indicate an attempt to weaken security controls for unauthorized access.
+
+Next Steps:
+1. Verify if the MFA disable action was authorized and legitimate
+2. Check who initiated the change and from which IP address
+3. Review the user''s recent login activity and permissions
+4. Ensure the user account has not been compromised
+5. Re-enable MFA if the change was unauthorized
+6. Consider implementing conditional access policies to prevent unauthorized MFA changes
+', '["https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-reporting","https://attack.mitre.org/techniques/T1556/"]', '(equals("log.operationName", "Disable Strong Authentication") ||
+ (equals("log.operationName", "Update user") && contains("log.properties", "StrongAuthenticationMethod"))) &&
+equals("log.categoryValue", "Administrative")
+', '2026-02-09 16:31:19.526659', true, false, 'origin', null, '[]', '["lastEvent.log.correlationId","lastEvent.log.targetUserPrincipalName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (142, 'Azure Managed Identity Token Abuse', 3, 3, 1, 'Credential Access', 'T1078.004 - Valid Accounts: Cloud Accounts', 'Detects suspicious token acquisition from Azure Instance Metadata Service (IMDS) by managed identities. Attackers who compromise an Azure VM can abuse managed identities to obtain access tokens for Azure resources without credentials, enabling lateral movement across the cloud environment.
+
+Next Steps:
+1. Identify the Azure resource (VM, App Service, Function) where the token was acquired
+2. Review the target resource being accessed with the managed identity token
+3. Check if the managed identity''s permissions follow least privilege principles
+4. Investigate the process or application that requested the token
+5. Review Azure Activity logs for actions performed using the managed identity
+6. If unauthorized, restrict the managed identity''s role assignments immediately
+7. Investigate the source VM for signs of compromise
+8. Implement Conditional Access policies for workload identities
+', '["https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview","https://attack.mitre.org/techniques/T1078/004/"]', 'contains("log.operationName", "Microsoft.ManagedIdentity") &&
+equals("log.categoryValue", "Administrative") &&
+(contains("log.properties.message", "token") ||
+ contains("log.operationName", "tokens"))
+', '2026-02-09 16:31:19.656126', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-1h","count":5}]', '["lastEvent.log.operationName","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (143, 'Multi-Factor Authentication Disabled for an Azure User', 3, 3, 2, 'Persistence', 'T1556 - Modify Authentication Process', 'Detects when multi-factor authentication (MFA) is disabled for an Azure AD/Entra ID user account through Audit Logs.
+
+**Security Context:**
+Multi-factor authentication is a critical security control that requires users to provide additional verification beyond just a password. Disabling MFA for user accounts significantly weakens authentication security and is a common technique used by adversaries to maintain persistent access. Once MFA is disabled, attackers can authenticate using only compromised credentials without triggering additional verification steps, making detection more difficult.
+
+**Detection Logic:**
+This rule monitors AuditLogs for successful "Disable Strong Authentication" operations, which represent the per-user MFA setting being turned off in Azure AD/Entra ID. This operation is distinct from Conditional Access MFA policies and represents the legacy per-user MFA enforcement method.
+
+**Investigation Steps:**
+1. Identify the disabler: Check log.propertiesInitiatedBy for who disabled MFA
+2. Identify affected user: Examine log.propertiesTargetResources for the user whose MFA was disabled
+3. Verify authorization: Confirm if the MFA disabling was part of legitimate administrative action
+4. Review user privilege: Determine if the affected user has elevated permissions (admins, privileged roles)
+5. Check timing: Analyze if MFA was disabled after suspicious authentication events
+6. Review authentication history: Look for failed authentication attempts before MFA disabling
+7. Check for compromise indicators: Search for unusual sign-in patterns, impossible travel, or risky sign-ins
+8. Examine subsequent logins: Monitor for authentication activity immediately after MFA disabling
+9. Review MFA methods: Check what MFA methods the user had registered before disabling
+10. Correlate with other events: Look for privilege escalation or data access after MFA disabling
+
+**Recommended Actions:**
+- If unauthorized, immediately re-enable MFA for the affected user
+- Force password reset for the affected account
+- Review all authentication activity for the affected user
+- Check for compromised credentials using Azure AD Identity Protection
+- Revoke all active sessions for the affected user
+- Enable Conditional Access policies instead of per-user MFA for better control
+- Implement PIM approval workflows for modifying MFA settings
+- Enable alerts for MFA changes on privileged accounts
+- Audit accounts with permissions to modify user authentication settings
+- Review and restrict who can disable MFA (typically requires User Administrator or higher)
+
+**Modern MFA Management:**
+- **Per-user MFA (legacy)**: This detection targets the legacy per-user MFA setting
+- **Conditional Access**: Modern approach using policies instead of per-user settings
+- **Authentication Methods Policy**: Newer method for managing FIDO2, passwordless, etc.
+
+Organizations should migrate from per-user MFA to Conditional Access policies for more granular control.
+
+**Common Attack Patterns:**
+- Disabling MFA after compromising an administrator account
+- Removing MFA from privileged accounts for easier persistent access
+- Disabling MFA before credential harvesting or lateral movement
+- Insider threats removing MFA from their own accounts
+- Disabling MFA on service accounts to enable automated authentication attacks
+
+**Related Detections:**
+- MFA method removal/changes
+- Conditional Access policy modifications
+- Authentication methods policy changes
+- Privileged role assignments without MFA
+
+**MITRE ATT&CK Reference:** T1556 - Modify Authentication Process
+
+**Azure Documentation:**
+- AuditLogs table: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs
+- Per-user MFA: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates
+', '["https://attack.mitre.org/techniques/T1556/","https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs","https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates","https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-licensing"]', 'equalsIgnoreCase("log.category", "AuditLogs") &&
+equalsIgnoreCase("log.operationName", "Disable Strong Authentication") &&
+(equals("log.resultType", "0") || equalsIgnoreCase("actionResult", "SUCCESS"))
+', '2026-02-09 16:31:19.796075', true, false, 'target', null, '[]', '["target.ip","target.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (139, 'Azure Defender for Cloud Critical Security Alert', 3, 3, 2, 'Intrusion Detection', 'TA0001 - Initial Access', 'Detects critical severity alerts from Azure Defender for Cloud indicating potential active threats, malware infections, or successful breach attempts that require immediate response.
+
+Next Steps:
+1. Review the full alert details in Azure Defender for Cloud portal
+2. Verify the affected resource and assess the scope of potential compromise
+3. Check for related suspicious activities on the affected resource
+4. Implement immediate containment measures if threat is confirmed
+5. Review security policies and configurations for the affected resource
+6. Document the incident and update security procedures as needed
+', '["https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview","https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-schemas","https://attack.mitre.org/tactics/TA0001/"]', '(equals("log.eventName", "Microsoft.Security/locations/alerts/Activate/action") || contains("log.operationName", "Microsoft.Security")) &&
+equals("log.category", "Security") &&
+oneOf("log.level", ["Critical", "High", "Error"]) &&
+(equals("log.properties.severity", "High") || equals("log.properties.alertSeverity", "High"))
+', '2026-02-09 16:31:19.311503', true, false, 'origin', null, '[]', '["lastEvent.log.correlationId","lastEvent.log.eventDataId"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (144, 'Azure PIM Role Activation Anomaly', 3, 3, 1, 'Privilege Escalation', 'T1078 - Valid Accounts', 'Detects unusual Privileged Identity Management (PIM) role activation patterns including activation of high-privilege roles such as Global Administrator or Privileged Role Administrator. Repeated or unusual PIM activations may indicate an attacker leveraging compromised credentials to escalate privileges.
+
+Next Steps:
+1. Verify the user activating the PIM role has legitimate business justification
+2. Review the specific role being activated and its scope
+3. Check the activation justification message provided by the user
+4. Review the activation duration and whether it exceeds normal patterns
+5. Check for unusual source IP or device during the activation
+6. If unauthorized, immediately deactivate the role and disable the user account
+7. Review PIM audit logs for other suspicious activations by the same user
+8. Implement PIM access reviews and require approval for critical roles
+', '["https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure","https://attack.mitre.org/techniques/T1078/"]', '(contains("log.operationName", "Add member to role completed (PIM activation)") ||
+ contains("log.operationName", "Add eligible member to role in PIM completed") ||
+ contains("log.operationName", "Activate PIM role")) &&
+equals("log.categoryValue", "Administrative")
+', '2026-02-09 16:31:19.920746', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.user","operator":"filter_term","value":"{{origin.user}}"},{"field":"log.categoryValue","operator":"filter_term","value":"Administrative"}],"or":null,"within":"now-4h","count":3}]', '["lastEvent.log.operationName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (145, 'Storage Account Public Access Enabled', 3, 2, 1, 'Collection', 'T1530 - Data from Cloud Storage Object', 'Detects when public access is enabled on Azure Storage Accounts which could lead to unauthorized data exposure. 
+This configuration change creates a significant security risk as it allows anonymous access to stored data.
+
+Next Steps:
+1. Immediately review the affected storage account configuration
+2. Verify if public access was intentionally enabled and properly authorized
+3. Check if any sensitive data is stored in the account
+4. Review access logs for any unauthorized access attempts
+5. Consider disabling public access if not required for business operations
+6. Implement network restrictions and access policies if public access is necessary
+7. Monitor for any data exfiltration activities
+', '["https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema","https://attack.mitre.org/techniques/T1530/"]', 'contains("log.operationName", "Microsoft.Storage/storageAccounts") &&
+(contains("log.operationName", "/write") || contains("log.operationName", "/blobServices/write")) &&
+equals("log.category", "Administrative") &&
+equals("log.actionResult", "accepted") &&
+(contains("log.properties", "allowBlobPublicAccess") || contains("log.properties", "publicAccess"))
+', '2026-02-09 16:31:20.055797', true, false, 'origin', null, '[]', '["lastEvent.log.aadObjectId","lastEvent.log.resourceId"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (146, 'Azure Application Credential Modification', 3, 3, 2, 'Defense Evasion', 'T1098.001 - Account Manipulation: Additional Cloud Credentials', 'Detects when a new credential (certificate or secret) is added to an Azure AD application. Applications can use certificates or secret strings to authenticate when requesting tokens. Adversaries may add additional authentication credentials to existing applications to establish persistence, evade defenses, or enable privilege escalation by impersonating legitimate applications.
+
+This technique is commonly used in post-compromise scenarios where attackers:
+- Add secrets to high-privilege applications to maintain access
+- Create backdoor authentication methods to evade MFA requirements
+- Establish persistence mechanisms that survive password resets
+- Enable token-based authentication for automated attacks
+
+Next Steps:
+1. Verify if the credential modification was authorized and expected
+2. Identify who performed the operation (check InitiatedBy field)
+3. Review the affected application''s permissions and access scope
+4. Check for subsequent suspicious sign-in activity using the application
+5. Audit other applications for similar unauthorized modifications
+6. If unauthorized, immediately remove the suspicious credentials
+7. Review application usage logs for potential abuse
+8. Investigate the source IP address and user agent of the modification
+', '["https://attack.mitre.org/techniques/T1098/001/","https://attack.mitre.org/tactics/TA0005/","https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs","https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities"]', '(equalsIgnoreCase("log.category", "AuditLogs") || contains("log.category", "Audit")) &&
+(contains("log.operationName", "Certificates and secrets management") ||
+equalsIgnoreCase("log.operationName", "Add service principal credentials") ||
+equalsIgnoreCase("log.operationName", "Update application") ||
+equalsIgnoreCase("log.operationName", "Update application - Certificates and secrets management")) &&
+equalsIgnoreCase("log.resultType", "0")
+', '2026-02-09 16:31:20.191064', true, false, 'target', null, '[]', '["target.ip","target.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (147, 'Azure Subscription Ownership Transfer Detected', 3, 3, 2, 'Identity and Access Management', 'T1078 - Valid Accounts', 'Detects when ownership of an Azure subscription is transferred by monitoring role assignment changes at the subscription level. This could indicate unauthorized access or insider threat activity.
+
+Next Steps:
+1. Verify the legitimacy of the ownership transfer with the subscription administrator
+2. Check if the user performing the transfer is authorized for this action
+3. Review the timing and context of the transfer (business hours, planned change)
+4. Examine other recent activities by the same user or from the same source IP
+5. Validate that proper change management procedures were followed
+6. Check for any unusual activity following the ownership transfer
+7. If unauthorized, immediately revoke the new owner''s access and escalate to security team
+', '["https://learn.microsoft.com/en-us/azure/role-based-access-control/change-history-report","https://attack.mitre.org/techniques/T1078/"]', 'equals("log.operationName", "Microsoft.Authorization/roleAssignments/write") &&
+contains("log.properties", "Owner") &&
+equals("log.category", "Administrative") &&
+contains("log.resourceId", "/subscriptions/") &&
+!contains("log.resourceId", "/resourceGroups/")
+', '2026-02-09 16:31:20.330759', true, false, 'origin', null, '[]', '["lastEvent.log.correlationId","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (148, 'Possible Consent Grant Attack via Azure-Registered Application', 3, 3, 2, 'Initial Access', 'T1078 - Valid Accounts', 'Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents. Consent grant attacks are commonly used in phishing campaigns where malicious OAuth applications trick users into granting excessive permissions, enabling data exfiltration or unauthorized access to organizational resources.', '["https://attack.mitre.org/techniques/T1566/","https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-consent-requests","https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth"]', '(equalsIgnoreCase("log.category", "AuditLogs") || contains("log.category", "Audit")) &&
+equalsIgnoreCase("log.operationName", "Consent to application") &&
+equals("log.resultType", "0")
+', '2026-02-09 16:31:20.450405', true, false, 'target', null, '[]', '["target.ip","target.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (150, 'Azure Diagnostic Settings Tampering', 2, 3, 2, 'Defense Evasion', 'T1562.008 - Impair Defenses: Disable Cloud Logs', 'Detects deletion or modification of Azure diagnostic settings which are used to route platform logs and metrics to monitoring destinations. Attackers may disable diagnostic settings to prevent their activities from being logged and detected.
+
+Next Steps:
+1. Verify if the diagnostic settings change was authorized through change management
+2. Identify which resources lost their diagnostic logging
+3. Review the identity performing the change and confirm authorization
+4. Check if any suspicious activities occurred after logging was disabled
+5. Restore diagnostic settings for affected resources immediately
+6. Implement Azure Policy to enforce diagnostic settings on all resources
+7. Set up alerts for diagnostic settings modifications
+8. Review Azure Activity Log for other defense evasion activities by the same identity
+', '["https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings","https://attack.mitre.org/techniques/T1562/008/"]', 'contains("log.operationName", "Microsoft.Insights/diagnosticSettings") &&
+(contains("log.operationName", "delete") ||
+ contains("log.operationName", "Delete")) &&
+equals("log.resultType", "Success")
+', '2026-02-09 16:31:20.730956', true, false, 'origin', null, '[]', '["lastEvent.log.resourceId","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (151, 'Anthos Security Policy Violations', 3, 3, 2, 'Security Control Bypass', 'T1562 - Impair Defenses', 'Detects security-related events in Google Anthos environments including policy violations, authentication failures, and suspicious container activities. Monitors Anthos Service Mesh, Config Management, and Policy Controller events.
+
+Next Steps:
+- Review the specific policy violation details in the event logs
+- Verify if the violation was authorized or represents a legitimate security concern
+- Check the source IP and user account associated with the violation
+- Examine recent configuration changes to Anthos security policies
+- Validate that security controls are properly configured and enforced
+- Consider implementing additional monitoring for the affected resources
+', '["https://cloud.google.com/anthos/docs/concepts/overview","https://attack.mitre.org/techniques/T1562/"]', '(
+  oneOf("log.protoPayload.serviceName", ["anthos.googleapis.com", "anthospolicycontroller.googleapis.com", "anthosservicemesh.googleapis.com"]) ||
+  oneOf("log.resourceType", ["k8s_cluster", "gke_cluster"])
+) && 
+(
+  contains("log.protoPayload.methodName", "Policy") ||
+  oneOf("log.jsonPayload.type", ["admission.k8s.io/violation", "policy.violation", "security.alert"]) ||
+  oneOf("log.severity", ["ERROR", "WARNING"])
+) &&
+(
+  equals("log.protoPayload.response.status", "PERMISSION_DENIED") ||
+  contains("log.protoPayload.status.message", "violation") ||
+  contains("log.protoPayload.status.message", "denied") ||
+  contains("log.jsonPayload.details", "policy")
+)
+', '2026-02-09 16:31:49.431583', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.resourceName","lastEvent.log.resource.labels.project_id"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (152, 'Binary Authorization Bypass Detection', 3, 3, 2, 'Defense Evasion', 'T1553 - Subvert Trust Controls', 'Detects attempts to bypass Binary Authorization controls including use of breakglass deployments, policy violations, and unauthorized container deployments. These events could indicate attempts to deploy untrusted or malicious container images.
+
+Next Steps:
+1. Verify the legitimacy of the breakglass deployment or policy bypass
+2. Review the container image source and verify its authenticity
+3. Check if the user had proper authorization for emergency deployments
+4. Examine the deployment context and business justification
+5. Validate that security policies are restored after emergency deployment
+6. Monitor for any subsequent suspicious activity from deployed containers
+', '["https://cloud.google.com/binary-authorization/docs/audit-logging","https://cloud.google.com/binary-authorization/docs/run/using-breakglass-cloud-run","https://attack.mitre.org/techniques/T1553/"]', '(
+  equals("log.protoPayload.serviceName", "binaryauthorization.googleapis.com") && 
+  (
+    contains("log.logName", "cloudaudit.googleapis.com/system_event") &&
+    (contains("log.protoPayload.response.details", "breakglass") || equals("log.jsonPayload.breakglass", true))
+  )
+) ||
+(
+  equals("log.resourceType", "cloud_run_revision") &&
+  contains("log.logName", "cloudaudit.googleapis.com/system_event") &&
+  (
+    contains("log.protoPayload.response.status.conditions", "ContainerImageUnauthorized") ||
+    equals("log.jsonPayload.policyViolation", true) ||
+    equals("log.protoPayload.metadata.dryRun", true)
+  )
+)
+', '2026-02-09 16:31:49.570574', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.resourceName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (153, 'Cloud Identity Suspicious Sign-ins Detection', 3, 2, 1, 'Initial Access', 'T1078 - Valid Accounts', 'Detects suspicious sign-in attempts to Google Cloud Identity, including logins from unfamiliar locations, unusual IP addresses, or after multiple failed attempts. These could indicate compromised credentials or unauthorized access attempts.
+
+Next Steps:
+1. Verify the legitimacy of the login attempt with the user
+2. Check if the IP address is from a known malicious source
+3. Review recent account activity for signs of compromise
+4. Consider implementing additional MFA if not already enabled
+5. If confirmed malicious, reset user credentials immediately
+6. Review access logs for any unauthorized activities
+', '["https://support.google.com/cloudidentity/answer/4580120?hl=en","https://cloud.google.com/blog/products/identity-security/logs-based-security-alerting-in-google-cloud","https://attack.mitre.org/techniques/T1078/"]', 'equals("log.protoPayload.serviceName", "login.googleapis.com") && 
+(
+  equals("log.protoPayload.metadata.event.type", "Suspicious Login") ||
+  (equals("log.protoPayload.metadata.event.type", "login") && equals("log.protoPayload.metadata.event.parameter.is_suspicious", true)) ||
+  equals("log.protoPayload.metadata.event.parameter.is_suspicious", true)
+)
+', '2026-02-09 16:31:49.745830', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (154, 'GCP probable hijacked account', 3, 3, 2, 'Collection', 'T1560 - Archive Collected Data', 'A user''s account was disabled because Google has detected a suspicious activity  indicating it might have been compromised. Hijacked account can be used to perform other attacks like data collection and exfiltration', '["https://attack.mitre.org/tactics/TA0009/","https://attack.mitre.org/techniques/T1560"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.accountDisabledHijacked")
+', '2026-02-09 16:31:49.925601', true, false, 'target', null, '[]', '["target.ip","target.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (155, 'GCP detected account with password leak', 3, 3, 2, 'Initial Access', 'T1078 - Valid Accounts', 'A user''s account was disabled because a password leak was detected by google.', '["https://attack.mitre.org/tactics/TA0001/","https://attack.mitre.org/techniques/T1078"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.accountDisabledPasswordLeak")
+', '2026-02-09 16:31:50.111410', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (156, 'GCP account is probably used for spamming', 1, 2, 3, 'Initial Access', 'T1566 - Phishing', 'A user''s account was disabled because Google has become aware that it was used to engage in spamming. Usually, spamming is used to perform other attacks like phishing or spread malware.', '["https://attack.mitre.org/tactics/TA0001","https://attack.mitre.org/techniques/T1566/"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.accountDisabledSpamming") ||
+equals("log.protoPayload.methodName", "google.login.LoginService.accountDisabledSpammingThroughRelay")
+', '2026-02-09 16:31:50.355664', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (157, 'GCP Audit Log Disabling or Tampering', 3, 3, 2, 'Defense Evasion', 'T1562.008 - Impair Defenses: Disable Cloud Logs', 'Detects attempts to disable GCP audit logging including sink deletion, log exclusion filter creation, and audit configuration changes. Attackers may manipulate logging infrastructure to hide their activities from security monitoring.
+
+Next Steps:
+1. Immediately verify if the logging change was authorized
+2. Review the specific sink or exclusion filter that was modified
+3. Check the identity making the change and verify authorization
+4. Assess what log types are no longer being collected
+5. Restore logging configuration and ensure all critical logs are captured
+6. Review activities that may have been hidden during the logging gap
+7. Implement Organization Policy to prevent log sink deletion
+8. Set up alerting on any changes to logging infrastructure
+', '["https://cloud.google.com/logging/docs/audit","https://attack.mitre.org/techniques/T1562/008/"]', '(contains("log.protoPayload.methodName", "DeleteSink") ||
+ contains("log.protoPayload.methodName", "UpdateSink") ||
+ contains("log.protoPayload.methodName", "CreateExclusion") ||
+ contains("log.protoPayload.methodName", "UpdateExclusion") ||
+ contains("log.protoPayload.methodName", "DeleteLog") ||
+ contains("log.protoPayload.methodName", "SetIamPolicy")) &&
+(contains("log.protoPayload.serviceName", "logging.googleapis.com") ||
+ contains("log.resource.type", "logging_sink") ||
+ contains("log.resource.type", "logging_exclusion"))
+', '2026-02-09 16:31:50.520544', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.methodName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (158, 'GCP Break-Glass Container Workload Deployed', 3, 3, 2, 'Defense Evasion', 'T1548 - Abuse Elevation Control Mechanism', 'Detects deployment of container workloads using the break-glass mechanism to bypass Binary Authorization policy. While legitimate in emergency scenarios, this bypasses security controls and can be abused to deploy malicious or untrusted container images.
+
+Next Steps:
+1. Verify the break-glass deployment was authorized and documented
+2. Review the container image that was deployed
+3. Check the user identity and their authorization level
+4. Validate the business justification for the emergency bypass
+5. Ensure Binary Authorization policies are restored after the emergency
+6. Scan the deployed container for vulnerabilities and malware
+7. Review cluster activity following the deployment
+', '["https://cloud.google.com/binary-authorization/docs/using-breakglass","https://attack.mitre.org/techniques/T1548/"]', '(equals("log.protoPayload.serviceName", "binaryauthorization.googleapis.com") &&
+contains("log.protoPayload.response", "breakglass")) ||
+(contains("log.protoPayload.methodName", "container.clusters") &&
+contains("log.protoPayload.request", "breakglass"))
+', '2026-02-09 16:31:50.680995', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.resourceName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (159, 'GCP BigQuery Data Exfiltration Detection', 3, 1, 1, 'Data Exfiltration', 'T1567 - Exfiltration Over Web Service', 'Detects BigQuery operations that may indicate data exfiltration including large data exports, table copies to external projects, and extract jobs writing to external storage. Attackers may use BigQuery to query and export large datasets from compromised projects.
+
+Next Steps:
+1. Review the BigQuery job details including source and destination datasets
+2. Check the data volume being exported or copied
+3. Verify the destination project or storage bucket is legitimate
+4. Review the identity performing the operation and verify authorization
+5. Check if the query accesses sensitive tables or datasets
+6. If unauthorized, cancel running jobs and revoke the identity''s BigQuery permissions
+7. Implement VPC Service Controls to restrict data export
+8. Enable BigQuery authorized views to restrict data access
+', '["https://cloud.google.com/bigquery/docs/audit-logging","https://attack.mitre.org/techniques/T1567/"]', 'contains("log.protoPayload.serviceName", "bigquery.googleapis.com") &&
+(contains("log.protoPayload.methodName", "jobservice.insert") ||
+ contains("log.protoPayload.methodName", "tableservice.exportdata") ||
+ contains("log.protoPayload.methodName", "datasets.copy"))
+', '2026-02-09 16:31:50.887308', true, false, 'origin', null, '[{"indexPattern":"v11-log-google-*","with":[{"field":"log.protoPayload.authenticationInfo.principalEmail","operator":"filter_term","value":"{{log.protoPayload.authenticationInfo.principalEmail}}"},{"field":"log.protoPayload.serviceName","operator":"filter_term","value":"bigquery.googleapis.com"}],"or":null,"within":"now-30m","count":10}]', '["lastEvent.log.protoPayload.methodName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (160, 'GCP Cloud Function and Cloud Run Abuse', 2, 2, 1, 'Persistence', 'T1059 - Command and Scripting Interpreter', 'Detects creation or modification of Cloud Functions and Cloud Run services which can be used for persistence, backdoor access, or command execution. Attackers may deploy serverless functions with high-privilege service accounts to maintain access or exfiltrate data.
+
+Next Steps:
+1. Review the function or service code for malicious content
+2. Check the associated service account and its permissions
+3. Verify the deployer identity has authorization
+4. Review the function trigger configuration (HTTP, Pub/Sub, etc.)
+5. Check if the function allows unauthenticated invocations
+6. If unauthorized, delete the function and revoke the service account''s permissions
+7. Review invocation logs for the function
+8. Implement Organization Policy to restrict Cloud Function deployment
+', '["https://cloud.google.com/functions/docs/securing","https://attack.mitre.org/techniques/T1059/"]', '((contains("log.protoPayload.serviceName", "cloudfunctions.googleapis.com") &&
+  (contains("log.protoPayload.methodName", "CreateFunction") ||
+   contains("log.protoPayload.methodName", "UpdateFunction"))) ||
+ (contains("log.protoPayload.serviceName", "run.googleapis.com") &&
+  (contains("log.protoPayload.methodName", "CreateService") ||
+   contains("log.protoPayload.methodName", "ReplaceService"))))
+', '2026-02-09 16:31:51.081449', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.methodName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (161, 'GCP Cryptomining Instance Launch Detection', 1, 2, 3, 'Resource Hijacking', 'T1496 - Resource Hijacking', 'Detects creation of GPU-accelerated or high-compute GCP instances commonly used for cryptomining. Attackers with compromised GCP credentials frequently launch expensive GPU instances (a2, g2) or compute-optimized instances in unusual regions for cryptocurrency mining operations.
+
+Next Steps:
+1. Verify the identity launching the instance and confirm business justification
+2. Check if GPU instances are normally used in this project
+3. Review the instance''s machine type and attached GPU accelerators
+4. Examine the instance image for known mining software
+5. Check billing dashboards for unexpected cost increases
+6. If unauthorized, stop and delete the instance immediately
+7. Rotate compromised credentials and review IAM bindings
+8. Implement Organization Policy constraints to restrict GPU instance creation
+', '["https://cloud.google.com/compute/docs/machine-types","https://attack.mitre.org/techniques/T1496/"]', 'contains("log.protoPayload.methodName", "compute.instances.insert") &&
+(contains("log.protoPayload.request.machineType", "a2-") ||
+ contains("log.protoPayload.request.machineType", "g2-") ||
+ contains("log.protoPayload.request.machineType", "n1-highmem-96") ||
+ contains("log.protoPayload.request.machineType", "c2d-highcpu") ||
+ contains("log.protoPayload.request.guestAccelerators", "nvidia"))
+', '2026-02-09 16:31:51.275646', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.resourceName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (162, 'GCP Custom Role with Overly Permissive Permissions', 3, 3, 1, 'Privilege Escalation', 'T1098 - Account Manipulation', 'Detects creation or modification of GCP custom IAM roles which may include overly permissive permissions for privilege escalation. Attackers may create custom roles with broad permissions like iam.serviceAccountKeys.create, iam.serviceAccounts.actAs, or compute.instances.setMetadata to escalate privileges.
+
+Next Steps:
+1. Review the custom role definition and its included permissions
+2. Verify the role follows least privilege principles
+3. Check for high-risk permissions like iam.* or resourcemanager.*
+4. Review the identity creating the role and verify authorization
+5. Check which users or service accounts are bound to the role
+6. If overly permissive, modify the role to include only necessary permissions
+7. Implement Organization Policy to restrict custom role creation
+8. Use IAM Recommender to identify and reduce excess permissions
+', '["https://cloud.google.com/iam/docs/creating-custom-roles","https://attack.mitre.org/techniques/T1098/"]', 'contains("log.protoPayload.serviceName", "iam.googleapis.com") &&
+(contains("log.protoPayload.methodName", "CreateRole") ||
+ contains("log.protoPayload.methodName", "UpdateRole"))
+', '2026-02-09 16:31:51.415706', true, false, 'origin', null, '[{"indexPattern":"v11-log-google-*","with":[{"field":"log.protoPayload.authenticationInfo.principalEmail","operator":"filter_term","value":"{{log.protoPayload.authenticationInfo.principalEmail}}"}],"or":null,"within":"now-1h","count":2}]', '["lastEvent.log.protoPayload.methodName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (163, 'GCP probable Defense Evasion, Logging Sink Deletion', 1, 2, 3, 'Defense Evasion', 'T1562 - Impair Defenses', 'Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise.  Techniques used for defense evasion include uninstalling/disabling security software or  obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes  to hide and masquerade their malware. Other tactics are cross-listed here when those techniques  include the added benefit of subverting defenses.   Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging  compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a  copy of the log entry to the sink''s export destination. An adversary may delete a Logging sink to evade detection.', '["https://cloud.google.com/logging/docs/export","https://attack.mitre.org/techniques/T1562/","https://attack.mitre.org/tactics/TA0005/"]', 'regexMatch("log.protoPayload.methodName", "((.+)?sink(s)?\\.delete|(.+)?v(\\w+)\\.ConfigServiceV(\\w+)\\.DeleteSink)")
+', '2026-02-09 16:31:51.586614', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (164, 'GCP DLP Re-Identification API Call', 3, 2, 0, 'Collection', 'T1565 - Data Manipulation', 'Detects calls to the DLP re-identification API which reverses data de-identification. This is a sensitive operation that could expose previously protected PII, financial data, or health records. Unauthorized use indicates potential data exfiltration attempts.
+
+Next Steps:
+1. Verify the re-identification request was authorized for the specific use case
+2. Review the data being re-identified and its sensitivity classification
+3. Check the user identity and whether they have legitimate access to this data
+4. Review the destination of the re-identified data
+5. If unauthorized, revoke access and investigate potential data exposure
+6. Review DLP API permissions and restrict re-identification access
+', '["https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify","https://attack.mitre.org/techniques/T1565/"]', 'contains("log.protoPayload.methodName", "ReidentifyContent") ||
+contains("log.protoPayload.methodName", "reidentify")
+', '2026-02-09 16:31:51.706281', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.methodName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (165, 'GCP probable Exfiltration, Logging Sink Modification', 3, 2, 2, 'Exfiltration', 'T1537 - Transfer Data to Cloud Account', 'Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they''ve collected data,  adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for  getting data out of a target network typically include transferring it over their command and control channel or an alternate  channel and may also include putting size limits on the transmission.   Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks  in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink''s export  destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.', '["https://cloud.google.com/logging/docs/export#how_sinks_work","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.sinks#LogSink","https://attack.mitre.org/techniques/T1537/","https://attack.mitre.org/tactics/TA0010/"]', 'regexMatch("log.protoPayload.methodName", "((.+)?sink(s)?\\.update|(.+)?v(\\w+)\\.ConfigServiceV(\\w+)\\.UpdateSink)")
+', '2026-02-09 16:31:51.855561', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (166, 'GCP probable Impact, Storage Bucket Deleted', 1, 2, 3, 'Impact', 'T1485 - Data Destruction', 'Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business  and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business  processes can look fine, but may have been altered to benefit the adversaries goals. These techniques might be used by  adversaries to follow through on their end goal or to provide cover for a confidentiality breach.   Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in  order to disrupt their target''s business operations.', '["https://cloud.google.com/logging/docs/buckets","https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1485/"]', 'regexMatch("log.protoPayload.methodName", "(.+)\\.bucket(s)?\\.delete")
+', '2026-02-09 16:31:52.015936', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (167, 'GCP Domain-Wide API Access Granted', 3, 3, 2, 'Privilege Escalation', 'T1098 - Account Manipulation', 'Detects when domain-wide delegation is granted to a service account in Google Workspace. This allows the service account to impersonate any user in the domain and access their data, making it a high-impact privilege escalation vector.
+
+Next Steps:
+1. Verify the domain-wide delegation was authorized by a domain administrator
+2. Review the OAuth scopes granted to the service account
+3. Check the service account''s usage history and associated project
+4. Verify the scopes follow the principle of least privilege
+5. If unauthorized, revoke the delegation immediately
+6. Audit all API calls made by the service account since the delegation was granted
+7. Review Google Workspace admin logs for related changes
+', '["https://cloud.google.com/iam/docs/using-iam-securely","https://attack.mitre.org/techniques/T1098/"]', 'contains("log.protoPayload.methodName", "AUTHORIZE_API_CLIENT_ACCESS") ||
+(contains("log.protoPayload.serviceName", "admin.googleapis.com") && contains("log.protoPayload.methodName", "GrantClientAccess"))
+', '2026-02-09 16:31:52.155979', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.resourceName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (169, 'GCP Network Packet Capture Configuration', 3, 1, 1, 'Credential Access', 'T1040 - Network Sniffing', 'Detects creation or modification of Packet Mirroring configurations in GCP. Attackers use packet mirroring to capture network traffic for credential theft, data exfiltration, or reconnaissance.
+
+Next Steps:
+1. Verify the packet mirroring configuration was authorized for legitimate purposes
+2. Review the mirrored network scope (which subnets, instances, protocols)
+3. Check the collector destination for the mirrored traffic
+4. Identify the user who created the configuration
+5. If unauthorized, delete the packet mirroring policy immediately
+6. Review the mirrored traffic destination for data exfiltration
+7. Check for captured credentials or sensitive data
+', '["https://cloud.google.com/vpc/docs/packet-mirroring","https://attack.mitre.org/techniques/T1040/"]', 'contains("log.protoPayload.methodName", "PacketMirrorings") &&
+(contains("log.protoPayload.methodName", "insert") || contains("log.protoPayload.methodName", "patch") || contains("log.protoPayload.methodName", "create"))
+', '2026-02-09 16:31:52.445702', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.resourceName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (170, 'GCP KMS Key Destruction or Disabling', 1, 3, 3, 'Impact', 'T1552 - Unsecured Credentials', 'Detects destruction or disabling of Cloud KMS key versions which could render encrypted data unrecoverable. Attackers may destroy encryption keys as part of a destructive attack to prevent data recovery or to disrupt operations dependent on encrypted resources.
+
+Next Steps:
+1. Immediately verify if the KMS key operation was authorized
+2. Identify which resources are encrypted with the affected key
+3. Check if the key version is in the scheduled destruction period and can be restored
+4. Review the identity performing the operation and verify authorization
+5. Assess the business impact of the key becoming unavailable
+6. If unauthorized, restore the key version immediately during the destruction grace period
+7. Implement IAM conditions to restrict KMS key destruction permissions
+8. Enable Cloud KMS key rotation policies and cross-region key replication
+', '["https://cloud.google.com/kms/docs/destroy-restore","https://attack.mitre.org/techniques/T1552/"]', 'contains("log.protoPayload.serviceName", "cloudkms.googleapis.com") &&
+(contains("log.protoPayload.methodName", "DestroyCryptoKeyVersion") ||
+ contains("log.protoPayload.methodName", "DisableCryptoKeyVersion") ||
+ contains("log.protoPayload.methodName", "UpdateCryptoKeyPrimaryVersion"))
+', '2026-02-09 16:31:52.601150', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.resourceName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (171, 'GCP probable Privilege Escalation, Kubernetes role bindings created or patched', 1, 2, 3, 'Privilege Escalation', 'T1548 - Abuse Elevation Control Mechanism', 'Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.  Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through  on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.  Identifies the creation or patching of potentially malicious role bindings. Users can use role bindings and cluster role  bindings to assign roles to Kubernetes subjects (users, groups, or service accounts).', '["https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control","https://attack.mitre.org/tactics/TA0004/","https://attack.mitre.org/techniques/T1548"]', 'contains("log.protoPayload.methodName", ".rbac") &&
+    regexMatch("log.protoPayload.methodName", ''((.+)\\.)?(cluster)?rolebinding(s)?\\.(create|patch)$'') &&
+    !equals("log.protoPayload.authenticationInfo.principalEmail", "system:addon-manager")
+', '2026-02-09 16:31:52.755706', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (172, 'GKE Kubernetes Admission Webhook Modified', 3, 3, 2, 'Persistence', 'T1078.004 - Valid Accounts: Cloud Accounts', 'Detects creation or modification of admission webhook configurations in Google Kubernetes Engine. Attackers use malicious admission controllers to inject sidecar containers, modify workload specs, or intercept secrets.
+
+Next Steps:
+1. Review the webhook configuration and its target service endpoint
+2. Verify the webhook was deployed as part of a legitimate application
+3. Check the namespace selector and object rules for the webhook
+4. Examine what Kubernetes resources the webhook intercepts
+5. If unauthorized, delete the webhook and audit all recent workload deployments
+6. Review cluster RBAC for webhook management permissions
+', '["https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/","https://attack.mitre.org/techniques/T1078/004/"]', 'contains("log.protoPayload.methodName", "admissionregistration.k8s.io") &&
+(contains("log.protoPayload.methodName", "mutatingwebhookconfigurations") || contains("log.protoPayload.methodName", "validatingwebhookconfigurations")) &&
+(contains("log.protoPayload.methodName", "create") || contains("log.protoPayload.methodName", "update") || contains("log.protoPayload.methodName", "patch"))
+', '2026-02-09 16:31:52.890744', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.resourceName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (173, 'GCP Project Manipulation and Shadow Projects', 2, 3, 3, 'Account Manipulation', 'T1578 - Modify Cloud Compute Infrastructure', 'Detects GCP project creation, deletion, and undelete operations that could indicate shadow project creation for persistence or project deletion for impact. Attackers may create new projects outside organizational controls to host malicious workloads.
+
+Next Steps:
+1. Verify the project creation or deletion was authorized
+2. Check if the new project is within the expected folder hierarchy
+3. Review the project''s billing account association
+4. Examine IAM bindings on the new project for overly permissive access
+5. Check if Organization Policies are applied to the new project
+6. If unauthorized, shut down the project and investigate the creating identity
+7. Implement Organization Policy constraints for project creation
+8. Enable alerts for projects created outside approved folders
+', '["https://cloud.google.com/resource-manager/docs/creating-managing-projects","https://attack.mitre.org/techniques/T1578/"]', 'contains("log.protoPayload.serviceName", "cloudresourcemanager.googleapis.com") &&
+(contains("log.protoPayload.methodName", "CreateProject") ||
+ contains("log.protoPayload.methodName", "DeleteProject") ||
+ contains("log.protoPayload.methodName", "UndeleteProject"))
+', '2026-02-09 16:31:53.040913', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.methodName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (191, 'AWS EC2 Flow Log Deletion', 3, 2, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses', '["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html","https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html","https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/"]', 'equals("log.eventSource", "ec2.amazonaws.com") &&
+equals("log.eventName", "DeleteFlowLogs")
+', '2026-02-09 16:32:22.900581', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (174, 'GCP Secret Manager Bulk Access Detection', 3, 1, 1, 'Credential Access', 'T1552 - Unsecured Credentials', 'Detects bulk access to GCP Secret Manager secrets which may indicate credential harvesting. Attackers who gain access to a GCP project may enumerate and retrieve all stored secrets to obtain API keys, database credentials, and other sensitive data.
+
+Next Steps:
+1. Review which secrets were accessed and their sensitivity classification
+2. Verify the identity accessing the secrets has legitimate need
+3. Check the access pattern for unusual timing or volume
+4. Review the caller''s IP address and user agent for anomalies
+5. Determine if the accessed secrets have been used from unauthorized locations
+6. If unauthorized, rotate all accessed secrets immediately
+7. Review Secret Manager IAM bindings and apply least privilege
+8. Enable VPC Service Controls to restrict secret access
+', '["https://cloud.google.com/secret-manager/docs/audit-logging","https://attack.mitre.org/techniques/T1552/"]', 'contains("log.protoPayload.serviceName", "secretmanager.googleapis.com") &&
+contains("log.protoPayload.methodName", "AccessSecretVersion")
+', '2026-02-09 16:31:53.196255', true, false, 'origin', null, '[{"indexPattern":"v11-log-google-*","with":[{"field":"log.protoPayload.authenticationInfo.principalEmail","operator":"filter_term","value":"{{log.protoPayload.authenticationInfo.principalEmail}}"},{"field":"log.protoPayload.methodName","operator":"filter_term","value":"AccessSecretVersion"}],"or":null,"within":"now-15m","count":5}]', '["lastEvent.log.protoPayload.methodName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (175, 'GCP Service Account Impersonation Detection', 3, 3, 1, 'Credential Access', 'T1550.001 - Use Alternate Authentication Material: Application Access Token', 'Detects service account impersonation through token generation APIs including GenerateAccessToken, GenerateIdToken, and SignBlob. Attackers may impersonate service accounts to escalate privileges or access resources the service account has been granted.
+
+Next Steps:
+1. Verify the identity performing the impersonation is authorized
+2. Check the target service account and its IAM bindings
+3. Review the permissions available through the impersonated service account
+4. Examine the API calls made using the generated token
+5. Verify if the impersonation is part of a legitimate workload chain
+6. If unauthorized, remove the iam.serviceAccountTokenCreator role from the caller
+7. Review the service account''s access patterns for anomalies
+8. Implement Organization Policy constraints to limit service account impersonation
+', '["https://cloud.google.com/iam/docs/create-short-lived-credentials-direct","https://attack.mitre.org/techniques/T1550/001/"]', '(contains("log.protoPayload.methodName", "GenerateAccessToken") ||
+ contains("log.protoPayload.methodName", "GenerateIdToken") ||
+ contains("log.protoPayload.methodName", "SignBlob") ||
+ contains("log.protoPayload.methodName", "SignJwt")) &&
+contains("log.protoPayload.serviceName", "iamcredentials.googleapis.com")
+', '2026-02-09 16:31:53.355739', true, false, 'origin', null, '[{"indexPattern":"v11-log-google-*","with":[{"field":"log.protoPayload.authenticationInfo.principalEmail","operator":"filter_term","value":"{{log.protoPayload.authenticationInfo.principalEmail}}"}],"or":null,"within":"now-30m","count":10}]', '["lastEvent.log.protoPayload.methodName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (176, 'GCP probable Password Guessing', 3, 3, 2, 'Credential Access', 'T1110.001 - Brute Force: Password Guessing', 'Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target''s policies on password complexity or use policies that may lock accounts out after a number of failed attempts.', '["https://attack.mitre.org/tactics/TA0006","https://attack.mitre.org/techniques/T1110/001/"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.loginFailure") && exists("log.protoPayload.authenticationInfo.principalEmail")
+', '2026-02-09 16:31:53.495735', true, false, 'origin', null, '[{"indexPattern":"v11-log-google-*","with":[{"field":"log.protoPayload.methodName","operator":"filter_term","value":"google.login.LoginService.loginFailure"},{"field":"log.protoPayload.authenticationInfo.principalEmail","operator":"filter_term","value":"{{log.protoPayload.authenticationInfo.principalEmail}}"}],"or":null,"within":"now-5m","count":5}]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (177, 'GCP Cloud Storage Data Exfiltration', 3, 1, 1, 'Data Exfiltration', 'T1530 - Data from Cloud Storage Object', 'Detects GCP Cloud Storage operations indicating potential data exfiltration including making buckets publicly accessible, modifying IAM policies to grant allUsers access, or bulk object downloads. These actions may indicate an attacker attempting to exfiltrate data from cloud storage.
+
+Next Steps:
+1. Review the affected bucket and its data classification
+2. Check if the bucket was made publicly accessible
+3. Verify the identity making the change has authorization
+4. Review the IAM policy changes for allUsers or allAuthenticatedUsers bindings
+5. Check for bulk GetObject operations following the policy change
+6. If unauthorized, revert the bucket IAM policy and enable uniform bucket-level access
+7. Review VPC Service Controls for the project
+8. Enable Cloud Storage audit logging for data access events
+', '["https://cloud.google.com/storage/docs/access-control","https://attack.mitre.org/techniques/T1530/"]', 'contains("log.protoPayload.serviceName", "storage.googleapis.com") &&
+(contains("log.protoPayload.methodName", "storage.setIamPermissions") ||
+ contains("log.protoPayload.methodName", "storage.buckets.update") ||
+ contains("log.protoPayload.methodName", "storage.objects.update")) &&
+(contains("log.protoPayload.request.policy.bindings", "allUsers") ||
+ contains("log.protoPayload.request.policy.bindings", "allAuthenticatedUsers") ||
+ contains("log.protoPayload.request.acl", "allUsers"))
+', '2026-02-09 16:31:53.651061', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.resourceName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (178, 'GCP suspicious login blocked', 1, 2, 3, 'Initial Access', 'T1078 - Valid Accounts', 'A suspicious login to a user''s account was detected and blocked by Google Cloud.', '["https://attack.mitre.org/tactics/TA0001/","https://attack.mitre.org/techniques/T1078"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.suspiciousLogin")
+', '2026-02-09 16:31:53.800613', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (179, 'GCP suspicious programmatic login', 1, 2, 3, 'Credential Access', 'T1110 - Brute Force', 'Google Cloud has detected a suspicious programmatic login. Programmatic login can be use to perform brute force attack.', '["https://attack.mitre.org/tactics/TA0006","https://attack.mitre.org/techniques/T1110"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.suspiciousProgrammaticLogin")
+', '2026-02-09 16:31:53.930971', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (180, 'GCP suspicious login from less secure app', 1, 2, 3, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Less secure apps (LSAs) are non-Google apps that can access your Google account with only a username and password.  They make your account more vulnerable to hijacking attempts.', '["https://attack.mitre.org/tactics/TA0001/","https://attack.mitre.org/techniques/T1190"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.suspiciousLoginLessSecureApp")
+', '2026-02-09 16:31:54.081040', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (181, 'GCP Workload Identity Federation Abuse', 3, 3, 1, 'Credential Access', 'T1078 - Valid Accounts', 'Detects creation or modification of workload identity pools and providers that enable external identities to access GCP resources. Attackers may create workload identity configurations to grant access to external attacker-controlled identity providers for persistent cloud access.
+
+Next Steps:
+1. Review the workload identity pool and provider configuration
+2. Verify the external identity provider is trusted and authorized
+3. Check the attribute mappings and conditions for overly permissive access
+4. Review which service accounts are bound to the workload identity pool
+5. Verify the change was authorized through security change management
+6. If unauthorized, delete the workload identity pool and revoke associated permissions
+7. Audit all existing workload identity configurations for unauthorized providers
+8. Implement Organization Policy to restrict workload identity pool creation
+', '["https://cloud.google.com/iam/docs/workload-identity-federation","https://attack.mitre.org/techniques/T1078/"]', 'contains("log.protoPayload.serviceName", "iam.googleapis.com") &&
+(contains("log.protoPayload.methodName", "CreateWorkloadIdentityPool") ||
+ contains("log.protoPayload.methodName", "CreateWorkloadIdentityPoolProvider") ||
+ contains("log.protoPayload.methodName", "UpdateWorkloadIdentityPool") ||
+ contains("log.protoPayload.methodName", "UpdateWorkloadIdentityPoolProvider"))
+', '2026-02-09 16:31:54.231322', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.methodName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (182, 'Google Workspace MFA Enforcement Disabled', 3, 3, 1, 'Defense Evasion', 'T1556 - Modify Authentication Process', 'Detects when MFA enforcement is disabled in Google Workspace. Disabling MFA removes a critical security control and enables credential-based attacks against all users in the organization.
+
+Next Steps:
+1. Immediately verify if the MFA policy change was authorized
+2. Identify the admin who made the change and their authorization
+3. Check for brute force or credential stuffing attempts following the change
+4. Re-enable MFA enforcement immediately if unauthorized
+5. Review all sign-ins that occurred while MFA was disabled
+6. Check for other security policy changes from the same admin
+7. Audit admin roles and consider implementing super admin 2SV enforcement
+', '["https://support.google.com/a/answer/9176657","https://attack.mitre.org/techniques/T1556/"]', 'contains("log.protoPayload.methodName", "ENFORCE_STRONG_AUTHENTICATION") ||
+(contains("log.protoPayload.serviceName", "admin.googleapis.com") && contains("log.protoPayload.methodName", "2sv") && contains("log.protoPayload.request", "disable"))
+', '2026-02-09 16:31:54.385470', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.methodName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (183, 'Google Cloud Service Account Key Creation Spike', 3, 3, 2, 'Credential Access', 'Account Manipulation', 'Detects spikes in service account key creation which could indicate credential harvesting or preparation for unauthorized access. Service account keys provide long-term credentials that can be used to authenticate as the service account. Multiple key creations by the same user within a short timeframe may indicate malicious activity or preparation for privilege escalation attacks.
+
+Next Steps:
+1. Investigate the user account creating multiple service account keys
+2. Review the service accounts for which keys were created and their permissions
+3. Check if the key creation was authorized and follows organizational policies
+4. Examine subsequent activities performed using these service account credentials
+5. Verify if the keys were created from expected IP addresses and locations
+6. Review access patterns and identify any unusual resource access or API calls
+7. Consider rotating or disabling the created keys if unauthorized activity is confirmed
+', '["https://cloud.google.com/iam/docs/audit-logging/examples-service-accounts","https://attack.mitre.org/techniques/T1098/001/"]', 'equals("log.protoPayload.methodName", "google.iam.admin.v1.CreateServiceAccountKey") &&
+equals("log.protoPayload.serviceName", "iam.googleapis.com")
+', '2026-02-09 16:31:54.535563', true, false, 'origin', null, '[{"indexPattern":"v11-log-google-*","with":[{"field":"log.protoPayload.authenticationInfo.principalEmail","operator":"filter_term","value":"{{log.protoPayload.authenticationInfo.principalEmail}}"}],"or":null,"within":"now-1h","count":5}]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.methodName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (184, 'GCP 2-step verification disabled', 1, 2, 3, 'Defense Evasion', 'T1562 - Impair Defenses', 'Google Cloud has detected that 2-step verification was disabled for the organization or a user', '["https://attack.mitre.org/tactics/TA0005","https://attack.mitre.org/techniques/T1562/"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.2svDisable")
+', '2026-02-09 16:31:54.675123', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (185, 'AWS IAM Brute Force of Assume Role Policy', 3, 2, 1, 'Credential Access', 'T1110 - Brute Force', 'Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM  roles in order to determine if a role exists before attempting to assume or hijack the discovered role', '["https://attack.mitre.org/tactics/TA0006/","https://attack.mitre.org/techniques/T1110/","https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities","https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"]', 'equals("log.eventSource", "iam.amazonaws.com") &&
+equals("log.eventName", "UpdateAssumeRolePolicy") &&
+equals("log.errorCode", "MalformedPolicyDocumentException")
+', '2026-02-09 16:32:22.046334', true, false, 'origin', null, '[{"indexPattern":"v11-log-aws-*","with":[{"field":"origin.user","operator":"filter_term","value":"{{origin.user}}"}],"or":null,"within":"now-15m","count":5}]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (186, 'AWS Management Console Brute Force of Root User Identity', 3, 2, 1, 'Credential Access', 'T1110 - Brute Force', 'Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account', '["https://attack.mitre.org/tactics/TA0006/","https://attack.mitre.org/techniques/T1110/","https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]', 'equals("log.eventSource", "signin.amazonaws.com") &&
+equals("log.eventName", "ConsoleLogin") &&
+equals("log.userIdentityType", "root") &&
+(exists("log.errorCode") || exists("log.errorMessage"))
+', '2026-02-09 16:32:22.185809', true, false, 'origin', null, '[{"indexPattern":"v11-log-aws-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":5}]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (187, 'AWS CloudTrail Log Suspended', 3, 2, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"]', 'equals("log.eventSource", "cloudtrail.amazonaws.com") &&
+equals("log.eventName", "StopLogging")
+', '2026-02-09 16:32:22.325347', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (193, 'AWS S3 Bucket Configuration Deletion', 3, 2, 2, 'Defense Evasion', 'T1070 - Indicator Removal', 'Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components', '["https://attack.mitre.org/techniques/T1070/","https://attack.mitre.org/tactics/TA0005/","https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html","https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html","https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html","https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html","https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"]', 'equals("log.eventSource", "s3.amazonaws.com") &&
+oneOf("log.eventName", ["DeleteBucketPolicy", "DeleteBucketReplication",
+"DeleteBucketCors", "DeleteBucketEncryption", "DeleteBucketLifecycle"])
+', '2026-02-09 16:32:23.205749', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (194, 'AWS WAF Access Control List Deletion', 3, 2, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html","https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"]', 'oneOf("log.eventSource", ["waf.amazonaws.com", "waf-regional.amazonaws.com", "wafv2.amazonaws.com"]) &&
+equals("log.eventName", "DeleteWebACL")
+', '2026-02-09 16:32:23.365484', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (195, 'AWS WAF Rule or Rule Group Deletion', 3, 2, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html","https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"]', 'oneOf("log.eventSource", ["waf.amazonaws.com", "waf-regional.amazonaws.com", "wafv2.amazonaws.com"]) &&
+(equals("log.eventName", "DeleteRule") || equals("log.eventName", "DeleteRuleGroup"))
+', '2026-02-09 16:32:23.525382', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (196, 'AWS EC2 Snapshot Activity', 3, 2, 2, 'Exfiltration', 'T1537 - Transfer Data to Cloud Account', 'An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account', '["https://attack.mitre.org/tactics/TA0010/","https://attack.mitre.org/techniques/T1537/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html","https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"]', 'equals("log.eventSource", "ec2.amazonaws.com") &&
+equals("log.eventName", "ModifySnapshotAttribute")
+', '2026-02-09 16:32:23.686140', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (197, 'AWS EC2 VM Export Failure', 3, 2, 2, 'Exfiltration', 'T1537 - Transfer Data to Cloud Account', 'Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information', '["https://attack.mitre.org/techniques/T1537/","https://attack.mitre.org/tactics/TA0010/","https://attack.mitre.org/tactics/TA0009/","https://attack.mitre.org/techniques/T1005/","https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"]', 'equals("log.eventSource", "ec2.amazonaws.com") &&
+equals("log.eventName", "CreateInstanceExportTask")
+', '2026-02-09 16:32:23.826345', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (198, 'AWS EC2 Full Network Packet Capture Detected', 3, 2, 2, 'Exfiltration', 'T1020 - Automated Exfiltration', 'Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic', '["https://attack.mitre.org/tactics/TA0010/","https://attack.mitre.org/techniques/T1020/","https://attack.mitre.org/tactics/TA0009/","https://attack.mitre.org/techniques/T1074/","https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html","https://github.com/easttimor/aws-incident-response"]', 'equals("log.eventSource", "ec2.amazonaws.com") &&
+(equals("log.eventName", "CreateTrafficMirrorFilter") ||
+equals("log.eventName", "CreateTrafficMirrorFilterRule") ||
+equals("log.eventName", "CreateTrafficMirrorSession") ||
+equals("log.eventName", "CreateTrafficMirrorTarget"))
+', '2026-02-09 16:32:23.985624', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (199, 'AWS RDS Snapshot Export', 3, 2, 2, 'Exfiltration', 'T1537 - Transfer Data to Cloud Account', 'Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot', '["https://attack.mitre.org/tactics/TA0010/","https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"]', 'equals("log.eventSource", "rds.amazonaws.com") &&
+equals("log.eventName", "StartExportTask")
+', '2026-02-09 16:32:24.165485', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (200, 'AWS CloudTrail Log Updated', 2, 2, 1, 'Impact', 'T1565 - Data Manipulation', 'Identifies an update to an AWS log trail setting that specifies the delivery of log files', '["https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1565/","https://attack.mitre.org/tactics/TA0009/","https://attack.mitre.org/techniques/T1530/","https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"]', 'equals("log.eventSource", "cloudtrail.amazonaws.com") &&
+equals("log.eventName", "UpdateTrail")
+', '2026-02-09 16:32:24.305385', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (201, 'AWS CloudWatch Log Group Deletion', 3, 2, 2, 'Impact', 'T1485 - Data Destruction', 'Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted', '["https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1485/","https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html","https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"]', 'equals("log.eventSource", "logs.amazonaws.com") &&
+equals("log.eventName", "DeleteLogGroup")
+', '2026-02-09 16:32:24.486458', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (202, 'AWS CloudWatch Log Stream Deletion', 3, 2, 2, 'Impact', 'T1485 - Data Destruction', 'Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream', '["https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1485/","https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html","https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"]', 'equals("log.eventSource", "logs.amazonaws.com") &&
+equals("log.eventName", "DeleteLogStream")
+', '2026-02-09 16:32:24.640434', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (203, 'AWS EC2 Encryption Disabled', 3, 2, 2, 'Impact', 'T1565 - Data Manipulation', 'Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes', '["https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1565/","https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html","https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"]', 'equals("log.eventSource", "ec2.amazonaws.com") &&
+equals("log.eventName", "DisableEbsEncryptionByDefault")
+', '2026-02-09 16:32:24.801028', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (204, 'AWS IAM Deactivation of MFA Device', 3, 2, 2, 'Impact', 'T1531 - Account Access Removal', 'Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted', '["https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1531/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html","https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"]', 'equals("log.eventSource", "iam.amazonaws.com") &&
+oneOf("log.eventName", ["DeactivateMFADevice", "DeleteVirtualMFADevice"])
+', '2026-02-09 16:32:25.205887', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (205, 'AWS RDS Cluster Deletion', 3, 2, 2, 'Impact', 'T1485 - Data Destruction', 'Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database cluster', '["https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1485/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html","https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html","https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html"]', 'equals("log.eventSource", "rds.amazonaws.com") &&
+oneOf("log.eventName", ["DeleteDBCluster", "DeleteGlobalCluster"])
+', '2026-02-09 16:32:25.302156', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (206, 'AWS Management Console Root Login', 3, 3, 3, 'Initial Access', 'T1078 - Valid Accounts', 'Identifies a successful login to the AWS Management Console by the Root user.
Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases.
Potential false positives
It’s strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule.', '["https://attack.mitre.org/tactics/TA0001/","https://attack.mitre.org/techniques/T1078/","https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]', 'equals("log.eventSource", "signin.amazonaws.com") &&
+equals("log.eventName", "ConsoleLogin") &&
+equals("log.userIdentityType", "root")
+', '2026-02-09 16:32:25.445928', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (207, 'AWS IAM Password Recovery Requested', 2, 1, 0, 'Initial Access', 'T1078 - Valid Accounts', 'Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.
Potential false positives
Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.', '["https://attack.mitre.org/tactics/TA0001/","https://attack.mitre.org/techniques/T1078/","https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"]', 'equals("log.eventSource", "signin.amazonaws.com") &&
+equals("log.eventName", "PasswordRecoveryRequested")
+', '2026-02-09 16:32:25.576265', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (208, 'AWS Route 53 Domain Transfer Lock Disabled', 3, 2, 2, 'Persistence', 'T1098 - Account Manipulation', 'Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar', '["https://attack.mitre.org/tactics/TA0003/","https://attack.mitre.org/techniques/T1098/","https://attack.mitre.org/tactics/TA0006/","https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html","https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html"]', 'equals("log.eventSource", "route53.amazonaws.com") &&
+equals("log.eventName", "DisableDomainTransferLock")
+', '2026-02-09 16:32:25.706232', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (209, 'AWS Execution via System Manager', 2, 1, 1, 'Initial Access', 'T1566 - Phishing', 'Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands
Potential false positives
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.', '["https://attack.mitre.org/tactics/TA0001/","https://attack.mitre.org/techniques/T1566/","https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"]', 'equals("log.eventSource", "ssm.amazonaws.com") &&
+equals("log.eventName", "SendCommand")
+', '2026-02-09 16:32:25.836057', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (210, 'AWS IAM Assume Role Policy Update', 2, 2, 1, 'Initial Access', 'T1078 - Valid Accounts', 'Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role', '["https://attack.mitre.org/tactics/TA0004/","https://attack.mitre.org/techniques/T1078/","https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"]', 'equals("log.eventSource", "iam.amazonaws.com") &&
+equals("log.eventName", "UpdateAssumeRolePolicy")
+', '2026-02-09 16:32:25.981039', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (211, 'AWS Route 53 Domain Transferred to Another Account', 3, 3, 3, 'Persistence', 'T1098 - Account Manipulation', 'Identifies when a request has been made to transfer a Route 53 domain to another AWS account', '["https://attack.mitre.org/tactics/TA0003/","https://attack.mitre.org/techniques/T1098/","https://attack.mitre.org/tactics/TA0006/","https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"]', 'equals("log.eventSource", "route53.amazonaws.com") &&
+equals("log.eventName", "TransferDomainToAnotherAwsAccount")
+', '2026-02-09 16:32:26.116118', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (212, 'AWS Root Login Without MFA', 3, 2, 2, 'Initial Access', 'T1078 - Valid Accounts', 'Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA', '["https://attack.mitre.org/tactics/TA0004/","https://attack.mitre.org/techniques/T1078/","https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]', 'equals("log.eventSource", "signin.amazonaws.com") &&
+equals("log.eventName", "ConsoleLogin") &&
+equals("log.userIdentityType", "root") &&
+equals("log.additionalEventData.MFAUsed", "no")
+', '2026-02-09 16:32:26.265969', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (213, 'Apache API Endpoint Enumeration Detection', 2, 1, 1, 'Discovery', 'T1087 - Account Discovery', 'Detects rapid sequential API endpoint enumeration by identifying multiple 404/405 responses from the same source IP in a short time window. This indicates an attacker systematically probing for valid API endpoints, hidden resources, or vulnerable paths.
+
+Next Steps:
+1. Review the sequence of requested paths to identify the enumeration pattern
+2. Check if any valid endpoints were discovered during the scan
+3. Assess whether sensitive API documentation or endpoints were exposed
+4. Implement rate limiting on the affected endpoints
+5. Consider deploying a WAF with API protection capabilities
+6. Block the source IP if scanning is confirmed
+', '["https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/","https://attack.mitre.org/techniques/T1087/"]', 'exists("origin.ip") &&
+(equals("log.statusCode", 404) || equals("log.statusCode", 405)) &&
+exists("origin.path") &&
+(
+  contains("origin.path", "/api/") ||
+  contains("origin.path", "/v1/") ||
+  contains("origin.path", "/v2/") ||
+  contains("origin.path", "/v3/") ||
+  contains("origin.path", "/rest/") ||
+  contains("origin.path", "/graphql") ||
+  contains("origin.path", "/swagger") ||
+  contains("origin.path", "/openapi") ||
+  contains("origin.path", "/.env") ||
+  contains("origin.path", "/.git") ||
+  contains("origin.path", "/debug") ||
+  contains("origin.path", "/actuator") ||
+  contains("origin.path", "/healthcheck") ||
+  contains("origin.path", "/metrics")
+)
+', '2026-02-09 16:37:01.731831', true, false, 'origin', '["adversary.ip","target.ip"]', '[{"indexPattern":"v11-log-apache-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.statusCode","operator":"filter_term","value":"404"}],"or":[{"indexPattern":"v11-log-apache-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.statusCode","operator":"filter_term","value":"405"}],"or":null,"within":"now-5m","count":20}],"within":"now-5m","count":20}]', null);
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (214, 'Apache CVE Path Traversal and RCE Detection', 3, 3, 3, 'Exploitation', 'T1190 - Exploit Public-Facing Application', 'Detects exploitation attempts targeting known Apache HTTP Server CVEs including CVE-2021-41773 and CVE-2021-42013 path traversal/RCE vulnerabilities, as well as other Apache-specific attack patterns that enable remote code execution.
+
+Next Steps:
+1. Immediately verify the Apache version running on the target server
+2. Check if the path traversal or RCE attempt was successful (200 status code)
+3. Review the server for signs of compromise or unauthorized file access
+4. Patch Apache to the latest version immediately
+5. Check for reverse shells or dropped files on the server
+6. Block the source IP and review firewall rules
+', '["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013","https://attack.mitre.org/techniques/T1190/"]', 'exists("origin.ip") &&
+exists("origin.path") &&
+(
+  contains("origin.path", ".%2e/") ||
+  contains("origin.path", "%2e%2e/") ||
+  contains("origin.path", "%%32%65") ||
+  contains("origin.path", ".%%32%65/") ||
+  contains("origin.path", "%2e%%32%65/") ||
+  contains("origin.path", "%%32%65%%32%65/") ||
+  (contains("origin.path", "/cgi-bin/") && contains("origin.path", "%2e%2e")) ||
+  (contains("origin.path", "/icons/") && contains("origin.path", "%2e%2e")) ||
+  regexMatch("origin.path", "(?i)/cgi-bin/.*\\.(sh|pl|py|cgi)\\?") ||
+  contains("origin.path", "/server-status") ||
+  contains("origin.path", "/server-info")
+)
+', '2026-02-09 16:37:01.872197', true, false, 'origin', null, '[]', '["adversary.ip","adversary.path"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (215, 'Apache Slowloris DoS Attack Detection', 0, 0, 3, 'Denial of Service', 'T1499.001 - Endpoint Denial of Service: OS Exhaustion Flood', 'Detects Slowloris-style slow HTTP denial of service attacks by identifying patterns of incomplete requests, connection timeouts, and excessive concurrent connections from a single source IP. Slowloris exhausts server resources by holding connections open with partial HTTP requests.
+
+Next Steps:
+1. Check Apache connection status and active connection counts
+2. Identify the source IPs with the most concurrent connections
+3. Review Apache error logs for timeout and connection reset messages
+4. Implement connection timeouts and mod_reqtimeout if not already configured
+5. Consider rate limiting connections per IP at the firewall level
+6. Deploy a reverse proxy or CDN with DDoS protection
+', '["https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/","https://attack.mitre.org/techniques/T1499/001/"]', 'exists("origin.ip") &&
+(
+  (exists("log.message") && (
+    contains("log.message", "request failed: error reading the headers") ||
+    contains("log.message", "AH01382") ||
+    contains("log.message", "AH00567") ||
+    contains("log.message", "client denied by server configuration") ||
+    contains("log.message", "Timeout waiting for output from CGI script") ||
+    contains("log.message", "incomplete headers") ||
+    contains("log.message", "request body read timeout")
+  )) ||
+  (exists("log.errorCode") && (
+    equals("log.errorCode", "408") ||
+    equals("log.errorCode", "AH01382") ||
+    equals("log.errorCode", "AH00567")
+  ))
+)
+', '2026-02-09 16:37:02.012276', true, false, 'origin', '["adversary.ip","target.ip"]', '[{"indexPattern":"v11-log-apache-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.message","operator":"filter_match","value":"timeout OR incomplete OR headers OR AH01382 OR AH00567"}],"or":null,"within":"now-5m","count":15}]', null);
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (216, 'Apache SSRF Attack Detection', 3, 2, 1, 'Server-Side Request Forgery', 'T1090 - Proxy', 'Detects Server-Side Request Forgery (SSRF) attempts by identifying requests containing internal IP addresses, cloud metadata endpoints, or localhost references in URL parameters. Attackers use SSRF to access internal services, cloud instance metadata, or pivot to internal networks.
+
+Next Steps:
+1. Review the full request URL and parameters for internal IP or metadata references
+2. Identify the application endpoint being targeted for SSRF
+3. Check if any internal services were successfully accessed
+4. Review application code for improper URL validation
+5. Block the source IP if confirmed malicious
+6. Implement URL allowlisting and SSRF protections in the application
+', '["https://owasp.org/www-community/attacks/Server_Side_Request_Forgery","https://attack.mitre.org/techniques/T1090/"]', 'exists("origin.ip") &&
+exists("origin.path") &&
+(
+  contains("origin.path", "169.254.169.254") ||
+  contains("origin.path", "metadata.google.internal") ||
+  contains("origin.path", "metadata.azure.com") ||
+  regexMatch("origin.path", "(?i)(url|redirect|next|target|dest|uri|path|file|page|go|return|out|view|load|fetch)=.*(127\\.0\\.0\\.1|localhost|0\\.0\\.0\\.0|10\\.[0-9]+\\.[0-9]+\\.[0-9]+|172\\.(1[6-9]|2[0-9]|3[01])\\.[0-9]+\\.[0-9]+|192\\.168\\.[0-9]+\\.[0-9]+)") ||
+  regexMatch("origin.path", "(?i)(url|redirect|next|target|dest|uri|path|file|page|go|return|out|view|load|fetch)=https?://(127\\.0\\.0\\.1|localhost|0\\.0\\.0\\.0)") ||
+  contains("origin.path", "file:///") ||
+  contains("origin.path", "gopher://") ||
+  contains("origin.path", "dict://") ||
+  contains("origin.path", "ftp://127") ||
+  contains("origin.path", "ftp://localhost")
+)
+', '2026-02-09 16:37:02.167020', true, false, 'origin', null, '[{"indexPattern":"v11-log-apache-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"origin.path","operator":"filter_match","value":"169.254.169.254 OR localhost OR 127.0.0.1 OR metadata OR file:// OR gopher://"}],"or":null,"within":"now-10m","count":3}]', '["adversary.ip","adversary.path"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (217, 'Apache Server-Side Template Injection Detection', 3, 3, 2, 'Code Injection', 'T1059 - Command and Scripting Interpreter', 'Detects Server-Side Template Injection (SSTI) payloads in Apache web server requests. Attackers inject template syntax to execute arbitrary code on the server through template engines like Jinja2, Twig, Freemarker, or Velocity.
+
+Next Steps:
+1. Review the request URL and parameters for template injection payloads
+2. Identify the template engine used by the target application
+3. Check if any payloads were successfully rendered or executed
+4. Review application code for unsafe template rendering
+5. Implement input sanitization and template sandboxing
+6. Block the source IP if confirmed malicious
+', '["https://portswigger.net/research/server-side-template-injection","https://attack.mitre.org/techniques/T1059/"]', 'exists("origin.ip") &&
+exists("origin.path") &&
+(
+  regexMatch("origin.path", "(?i)\\{\\{[0-9]+\\*[0-9]+\\}\\}") ||
+  regexMatch("origin.path", "(?i)\\$\\{[0-9]+\\*[0-9]+\\}") ||
+  regexMatch("origin.path", "(?i)\\{\\{.*config.*\\}\\}") ||
+  regexMatch("origin.path", "(?i)\\{\\{.*__class__.*\\}\\}") ||
+  regexMatch("origin.path", "(?i)\\{\\{.*__import__.*\\}\\}") ||
+  regexMatch("origin.path", "(?i)\\{\\{.*__builtins__.*\\}\\}") ||
+  regexMatch("origin.path", "(?i)\\$\\{.*Runtime.*\\}") ||
+  regexMatch("origin.path", "(?i)\\$\\{.*getRuntime.*\\}") ||
+  regexMatch("origin.path", "(?i)#\\{.*Runtime.*\\}") ||
+  contains("origin.path", "${T(java.lang") ||
+  contains("origin.path", "#{T(java.lang") ||
+  contains("origin.path", "__mro__") ||
+  contains("origin.path", "__subclasses__") ||
+  contains("origin.path", "{{request.") ||
+  contains("origin.path", "${request.")
+)
+', '2026-02-09 16:37:02.331526', true, false, 'origin', null, '[{"indexPattern":"v11-log-apache-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"origin.path","operator":"filter_match","value":"__class__ OR __import__ OR Runtime OR __subclasses__ OR __mro__"}],"or":null,"within":"now-10m","count":3}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (218, 'Apache Web Shell Access Detection', 3, 3, 2, 'Persistence', 'T1505.003 - Server Software Component: Web Shell', 'Detects access to known web shell file paths and suspicious PHP/JSP/ASP file access patterns that indicate web shell activity. Web shells provide persistent remote access to compromised web servers.
+
+Next Steps:
+1. Immediately investigate the accessed file path on the web server
+2. Check if the file exists and examine its contents for malicious code
+3. Review file creation timestamps and upload vectors
+4. Scan the web directory for additional web shells
+5. Check for lateral movement from the web server
+6. Remove the web shell and patch the upload vulnerability
+', '["https://www.microsoft.com/en-us/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/","https://attack.mitre.org/techniques/T1505/003/"]', 'exists("origin.ip") &&
+exists("origin.path") &&
+(
+  regexMatch("origin.path", "(?i)/(c99|r57|b374k|alfa|wso|madspot|mini|phpspy|cgitelnet|shell|cmd|eval|backdoor|hack|upload|filemanager)\\.(php|jsp|asp|aspx|cgi)") ||
+  regexMatch("origin.path", "(?i)/(wp-content|wp-includes|wp-admin)/.*\\.(php|phtml|php[3-7])\\?.*=") ||
+  regexMatch("origin.path", "(?i)\\.(php|jsp|asp|aspx)\\?(cmd|exec|command|shell|c|e|id|pass)=") ||
+  contains("origin.path", "/webshell") ||
+  contains("origin.path", "/c99.php") ||
+  contains("origin.path", "/r57.php") ||
+  contains("origin.path", "/b374k.php") ||
+  contains("origin.path", "/WSO.php") ||
+  contains("origin.path", "/alfa.php") ||
+  contains("origin.path", "/adminer.php") ||
+  contains("origin.path", "/phpspy.php")
+) &&
+greaterOrEqual("log.statusCode", 200) &&
+lessThan("log.statusCode", 400)
+', '2026-02-09 16:37:02.466959', true, false, 'origin', null, '[]', '["adversary.ip","adversary.path"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (219, 'Apache XXE Injection Attack Detection', 3, 2, 2, 'XML Injection', 'T1190 - Exploit Public-Facing Application', 'Detects XML External Entity (XXE) injection payloads in Apache web server requests. XXE attacks can lead to file disclosure, SSRF, denial of service, and remote code execution by exploiting XML parsers that process external entity definitions.
+
+Next Steps:
+1. Review the request body and headers for XML payloads with external entities
+2. Identify the application endpoint processing XML input
+3. Check if sensitive files were disclosed (e.g., /etc/passwd, web.config)
+4. Disable external entity processing in XML parsers
+5. Implement input validation for XML content
+6. Block the source IP if confirmed malicious
+', '["https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing","https://attack.mitre.org/techniques/T1190/"]', 'exists("origin.ip") &&
+(
+  (exists("origin.path") && (
+    regexMatch("origin.path", "(?i)]*>") ||
+  regexMatch("target.path", "(?i)(onerror|onload|onmouseover|onclick|onfocus|onblur)\\s*=") ||
+  contains("target.path", "javascript:") ||
+  contains("target.path", "vbscript:") ||
+  regexMatch("target.path", "(?i)<(img|svg|body|iframe|input|div|a)\\s+[^>]*(on\\w+)=") ||
+  contains("target.path", "%3Cscript") ||
+  contains("target.path", "%3cscript") ||
+  regexMatch("target.path", "(?i)document\\.(cookie|location|write)") ||
+  regexMatch("target.path", "(?i)(alert|confirm|prompt)\\s*\\(") ||
+  contains("target.path", "<script") ||
+  contains("target.path", "data:text/html")
+)
+', '2026-02-09 16:37:07.071599', true, false, 'origin', null, '[{"indexPattern":"v11-log-iis-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"target.path","operator":"filter_match","value":"script OR onerror OR onload OR javascript OR alert"}],"or":null,"within":"now-10m","count":5}]', '["adversary.ip","target.path"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (434, 'System Linux: System Log File Deletion', 3, 3, 3, 'Defense Evasion', 'T1070.002 - Indicator Removal', 'Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1070/002/"]', 'regexMatch("log.message", "(/var/run/utmp|/var/log/wtmp|/var/log/btmp|/var/log/lastlog|/var/log/faillog|/var/log/syslog|/var/log/messages|/var/log/secure|/var/log/auth.log|/var/log/boot.log|/var/log/kern.log)") && !contains("log.message", "gzip") && regexMatch("log.message", "(rm |shred -u)")', '2026-02-09 16:51:29.207828', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (250, 'IIS ISAPI Filter Exploitation Attempt', 3, 3, 3, 'Lateral Movement', 'T1210 - Exploitation of Remote Services', 'Detects attempts to exploit ISAPI filter vulnerabilities in IIS, including buffer overflow attempts and malicious extension access patterns. This rule identifies suspicious requests targeting DLL files, script directories, and other ISAPI-related endpoints that could indicate exploitation attempts.
+
+Next Steps:
+1. Analyze the target path and HTTP method to understand the attack vector
+2. Review the response time and status code for signs of successful exploitation
+3. Examine the user agent string for embedded script content or encoding
+4. Check for additional requests from the same IP to identify attack patterns
+5. Verify if the targeted ISAPI extensions are legitimate and properly secured
+6. Review IIS logs for any successful authentication or privilege escalation
+7. Implement additional monitoring for the affected server and check for signs of persistence
+8. Review firewall logs to identify any outbound connections from the compromised system
+', '["https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/","https://attack.mitre.org/techniques/T1210/"]', 'exists("target.path") && 
+greaterOrEqual("log.statusCode", 200) &&
+(
+  (contains("target.path", ".dll") && equals("log.method", "POST")) ||
+  (contains("target.path", "/scripts/") && contains("target.path", ".ida")) ||
+  (contains("target.path", "/scripts/") && contains("target.path", ".idq")) ||
+  (contains("target.path", "/_vti_bin/") && greaterThan("log.responseTime", 5000)) ||
+  (contains("log.userAgent", "<%") || contains("log.userAgent", "%3C%25")) ||
+  (regexMatch("target.path", ".*\\.(printer|idc|stm|shtm|shtml).*") && equals("log.method", "POST"))
+)
+', '2026-02-09 16:37:07.217495', true, false, 'origin', null, '[{"indexPattern":"v11-log-iis-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-10m","count":3}]', '["adversary.ip","target.path"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (251, 'IIS 8.3 Short Filename Enumeration Attack', 3, 2, 1, 'Discovery', 'T1083 - Discovery: File and Directory Discovery', 'Detects attempts to enumerate 8.3 short filenames using the tilde (~) character, which can reveal sensitive file and directory names on IIS servers. This attack technique exploits the Windows 8.3 filename convention to discover files and directories that may not be publicly accessible through normal browsing.
+
+Next Steps:
+1. Review the source IP addresses attempting this enumeration
+2. Check if any sensitive files or directories were successfully discovered
+3. Verify IIS configuration to disable 8.3 filename generation if not needed
+4. Implement request filtering to block requests containing tilde characters
+5. Monitor for subsequent attacks from the same sources
+6. Consider implementing rate limiting for suspicious request patterns
+', '["https://attack.mitre.org/techniques/T1083/","https://soroush.secproject.com/blog/2014/07/iis-short-file-name-disclosure-vulnerability/"]', 'contains("target.path", "~") &&
+(regexMatch("target.path", ".*~[0-9].*") || regexMatch("target.path", ".*~[0-9]\\*.*")) &&
+(equals("log.statusCode", 404) || equals("log.statusCode", 400) || equals("log.statusCode", 200)) &&
+(equals("log.subStatusCode", 0) || equals("log.subStatusCode", 2)) &&
+!regexMatch("target.path", "(?i).*\\.(css|js|jpg|jpeg|png|gif|ico).*")
+', '2026-02-09 16:37:07.361919', true, false, 'origin', '["adversary.ip","target.path"]', '[{"indexPattern":"v11-log-iis-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"target.path","operator":"filter_match","value":"~"}],"or":null,"within":"now-5m","count":10}]', null);
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (252, 'IIS Unicode Bypass Directory Traversal Attack', 3, 3, 2, 'Defense Evasion', 'T1027 - Obfuscated Files or Information', 'Detects Unicode encoding bypass attempts including overlong UTF-8 sequences and alternative Unicode representations used to evade security filters and access restricted files. This attack exploits Unicode normalization vulnerabilities in IIS to traverse directories and access sensitive system files.
+
+**Next Steps:**
+1. Examine the full HTTP request including headers and POST data
+2. Check if the attack was successful by reviewing response codes and content lengths
+3. Verify what files or directories were accessed during the attack
+4. Review server logs for any executed commands or accessed sensitive files
+5. Check for other suspicious activity from the same source IP
+6. Implement proper input validation and Unicode normalization
+7. Consider blocking the source IP if attack continues
+', '["https://www.kb.cert.org/vuls/id/111677","https://attack.mitre.org/techniques/T1027/"]', 'contains("target.path", "%c0%af") || contains("target.path", "%c0%ae") ||
+contains("target.path", "%c1%9c") || contains("target.path", "%c0%2f") ||
+contains("target.path", "%c0%5c") || contains("target.path", "%c1%8s") ||
+contains("target.path", "%c1%1c") || contains("target.path", "%c1%af") ||
+contains("target.path", "%e0%80%af") || contains("target.path", "%f0%80%80%af") ||
+contains("target.path", "%u2215") || contains("target.path", "%u2216") ||
+contains("target.path", "%uff0e") || contains("target.path", "..%c0%af") ||
+(contains("target.path", "winnt") && contains("target.path", "system32")) ||
+(contains("target.path", "cmd.exe") || contains("target.path", "command.com"))
+', '2026-02-09 16:37:07.491405', true, false, 'origin', null, '[{"indexPattern":"v11-log-iis-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-5m","count":3}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (253, 'Virtual Directory Traversal Attack', 3, 3, 2, 'Discovery', 'T1083 - File and Directory Discovery', 'Detects attempts to traverse directories and access files outside the web root through various encoding techniques and traversal sequences. This attack attempts to access files and directories that are stored outside the web root folder by using relative file paths that contain ''../'' or similar sequences. Attackers may use various encoding techniques to bypass security filters.
+
+Next Steps:
+- Review the source IP and user agent for suspicious patterns
+- Check if the requests resulted in successful responses (200, 301, 302 status codes)
+- Examine the full request path and identify what files were being accessed
+- Verify web application security controls and input validation
+- Check for other suspicious activity from the same source IP
+- Review IIS logs for any successful file access outside the web root
+- Consider blocking the source IP if malicious intent is confirmed
+', '["https://owasp.org/www-community/attacks/Path_Traversal","https://attack.mitre.org/techniques/T1083/"]', '(
+  regexMatch("target.path", ".*\\.\\.[\\\\/].*") ||
+  regexMatch("target.path", ".*%2e%2e[\\\\/].*") ||
+  regexMatch("target.path", ".*%252e%252e.*") ||
+  regexMatch("target.path", ".*%c0%ae%c0%ae.*") ||
+  regexMatch("target.path", ".*%e0%80%ae%e0%80%ae.*") ||
+  regexMatch("target.path", ".*/Windows/System32/.*") ||
+  regexMatch("target.path", ".*/boot\\.ini.*") ||
+  regexMatch("target.path", ".*/win\\.ini.*") ||
+  regexMatch("target.path", ".*/web\\.config.*") ||
+  regexMatch("target.path", ".*/applicationHost\\.config.*")
+) &&
+exists("target.ip")
+', '2026-02-09 16:37:07.641931', true, false, 'origin', '["adversary.ip","target.ip"]', '[{"indexPattern":"v11-log-iis-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-30m","count":3}]', null);
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (435, 'System Linux: Modification of OpenSSH Binaries', 3, 3, 2, 'Persistence', 'T1543 - Create or Modify System Process', 'Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.', '["https://attack.mitre.org/tactics/TA0003/","https://attack.mitre.org/techniques/T1543/"]', 'regexMatch("log.message", "libkeyutils.so") && !regexMatch("log.message", "(dpkg|yum|dnf|dnf-automatic)") && regexMatch("log.message", "(/usr/sbin/sshd|/usr/bin/ssh|/usr/bin/sftp|/usr/bin/scp)")', '2026-02-09 16:51:29.367617', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (254, 'IIS Web Shell Upload Detection', 3, 3, 1, 'Initial Access', 'T1505.003 - Server Software Component: Web Shell', 'Detects potential web shell uploads based on suspicious file extensions and POST requests to uncommon paths. This rule identifies POST requests to ASP.NET-related file extensions in suspicious directory paths commonly used for web shell placement.
+
+Next Steps:
+1. Immediately investigate the target server and file path for uploaded web shells
+2. Check file system for recently uploaded .aspx, .asp, .asmx, .ashx, or .axd files
+3. Review IIS logs for additional suspicious requests from the same source IP
+4. Examine the uploaded file content for malicious code
+5. Check for privilege escalation attempts following the upload
+6. Review authentication logs for compromised accounts
+7. Implement file upload restrictions and input validation
+8. Block the source IP if confirmed malicious
+9. Scan the entire web directory for additional web shells
+10. Review recent file modifications on the web server
+', '["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/","https://attack.mitre.org/techniques/T1505/003/"]', 'equals("log.method", "POST") && 
+exists("target.path") &&
+(
+  contains("target.path", ".aspx") ||
+  contains("target.path", ".asp") ||
+  contains("target.path", ".asmx") ||
+  contains("target.path", ".ashx") ||
+  contains("target.path", ".axd")
+) &&
+(
+  regexMatch("target.path", "(?i)upload") ||
+  regexMatch("target.path", "(?i)temp") ||
+  regexMatch("target.path", "(?i)tmp") ||
+  regexMatch("target.path", "(?i)test") ||
+  regexMatch("target.path", "(?i)shell") ||
+  regexMatch("target.path", "(?i)cmd") ||
+  regexMatch("target.path", "(?i)eval") ||
+  regexMatch("target.path", "(?i)exec") ||
+  regexMatch("target.path", "(?i)webshell") ||
+  regexMatch("target.path", "(?i)backdoor")
+) &&
+greaterOrEqual("log.statusCode", 200) &&
+lessThan("log.statusCode", 300)
+', '2026-02-09 16:37:07.793258', true, false, 'origin', null, '[]', '["adversary.ip","target.path"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (255, 'Kibana Dev Tools Dangerous Query Detection', 3, 3, 2, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects dangerous queries executed via Kibana Dev Tools console including index deletions, security setting changes, user creation, and role modifications. Dev Tools provides direct API access that can be abused by compromised accounts.
+
+Next Steps:
+1. Review the queries executed through Dev Tools
+2. Identify the user account and session
+3. Check if any destructive operations succeeded
+4. Restrict Dev Tools access to authorized administrators
+5. Review Kibana role assignments for over-privileged users
+6. Enable audit logging for Kibana API actions
+', '["https://www.elastic.co/guide/en/kibana/current/console-kibana.html","https://attack.mitre.org/techniques/T1059/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "console") && (
+    contains("log.message", "DELETE /") ||
+    contains("log.message", "_security/user") ||
+    contains("log.message", "_security/role") ||
+    contains("log.message", "_cluster/settings") ||
+    contains("log.message", "_snapshot") ||
+    contains("log.message", "_scripts") ||
+    contains("log.message", "_reindex")
+  )) ||
+  (contains("log.message", "dev_tools") && contains("log.message", "execute"))
+)
+', '2026-02-09 16:37:07.921649', true, false, 'origin', null, '[]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (256, 'Kibana Mass Report Export Exfiltration Detection', 3, 1, 1, 'Data Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 'Detects mass report generation and CSV exports from Kibana that could indicate data exfiltration. Attackers with Kibana access can export large datasets via the reporting feature.
+
+Next Steps:
+1. Review the reports generated and their data content
+2. Verify the user account and export authorization
+3. Check the report download destinations
+4. Restrict reporting permissions to authorized users
+5. Implement data export limits and approval workflows
+6. Monitor for large data downloads from Kibana
+', '["https://www.elastic.co/guide/en/kibana/current/reporting-getting-started.html","https://attack.mitre.org/techniques/T1048/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "reporting") && contains("log.message", "generate")) ||
+  (contains("log.message", "csv_searchsource") && contains("log.message", "created")) ||
+  (contains("log.message", "report") && contains("log.message", "export")) ||
+  (contains("log.message", "/api/reporting/generate") && exists("origin.ip")) ||
+  (contains("log.message", "csv") && contains("log.message", "download"))
+)
+', '2026-02-09 16:37:08.066867', true, false, 'origin', null, '[{"indexPattern":"v11-log-kibana-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.message","operator":"filter_match","value":"reporting OR csv OR export OR generate"}],"or":null,"within":"now-30m","count":5}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (257, 'Kibana Malicious Saved Object Import Detection', 3, 3, 2, 'Code Execution', 'T1059 - Command and Scripting Interpreter', 'Detects potentially malicious saved object imports in Kibana that could include crafted visualizations, dashboards, or scripted fields designed to execute code or exfiltrate data.
+
+Next Steps:
+1. Review the imported saved objects for malicious content
+2. Check for scripted fields in imported index patterns
+3. Verify the import source and user authorization
+4. Remove suspicious saved objects immediately
+5. Review Kibana scripted field permissions
+6. Restrict saved object import to administrator roles
+', '["https://www.elastic.co/guide/en/kibana/current/saved-objects-api-import.html","https://attack.mitre.org/techniques/T1059/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "saved_objects") && contains("log.message", "_import")) ||
+  (contains("log.message", "import") && contains("log.message", "saved object")) ||
+  (contains("log.message", "saved_objects/_bulk_create") && exists("origin.ip")) ||
+  (contains("log.message", "scripted_field") && contains("log.message", "created")) ||
+  (contains("log.message", "visualization") && contains("log.message", "import") && contains("log.message", "script"))
+)
+', '2026-02-09 16:37:08.201941', true, false, 'origin', null, '[]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (258, 'Potential Session Hijacking Activity', 3, 3, 2, 'Collection', 'T1185 - Browser Session Hijacking', 'Detects potential session hijacking activities based on suspicious authentication patterns, multiple IP addresses using the same session, or rapid location changes that may indicate stolen session tokens.
+
+Next Steps:
+1. Investigate the user account and recent login patterns
+2. Check for concurrent sessions from different IP addresses or locations
+3. Review session activity logs for unusual behavior patterns
+4. Verify if the user reported any suspicious activity
+5. Consider forcing session termination and requiring re-authentication
+6. Check for any recent credential compromise indicators
+7. Review security controls on user workstations and browsers
+', '["https://www.elastic.co/guide/en/kibana/current/xpack-security-audit-logging.html","https://attack.mitre.org/techniques/T1185/"]', 'contains("log.actionMessage", "http_request") &&
+exists("origin.user") &&
+(contains("log.actionMessage", "session") ||
+ contains("log.component", "security")) &&
+(equals("actionResult", "failure") ||
+ equals("log.severityLabel", "warning") ||
+ equals("log.severityLabel", "error"))
+', '2026-02-09 16:37:08.331295', true, false, 'origin', null, '[{"indexPattern":"v11-log-kibana-*","with":[{"field":"origin.user","operator":"filter_term","value":"{{origin.user}}"}],"or":null,"within":"now-1h","count":20},{"indexPattern":"v11-log-kibana-*","with":[{"field":"origin.user","operator":"filter_term","value":"{{origin.user}}"},{"field":"origin.ip","operator":"must_not_term","value":"{{origin.ip}}"}],"or":null,"within":"now-30m","count":1}]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (259, 'XSS Attack Attempt Detection', 3, 3, 1, 'Execution', 'T1059.007 - Cross-Site Scripting', 'Detects potential XSS attack attempts in Kibana through malicious script injection in search queries, field formatters, or visualization titles. This rule identifies common XSS patterns including script tags, JavaScript execution, and event handlers that could indicate an attempt to inject malicious code into Kibana interfaces.
+
+Next Steps:
+1. Review the specific log message and action that triggered this alert
+2. Check the user''s recent activity in Kibana for other suspicious actions
+3. Examine the affected Kibana component for potential compromise
+4. Review Kibana access logs for the source IP and user
+5. Consider blocking the source IP if malicious activity is confirmed
+6. Update Kibana security configurations and input validation
+7. Implement Content Security Policy (CSP) headers to prevent XSS execution
+8. Review and sanitize all user inputs in Kibana dashboards and visualizations
+', '["https://www.elastic.co/guide/en/kibana/current/security-best-practices.html","https://attack.mitre.org/techniques/T1059/007/"]', '(equals("log.component", "visualize") ||
+ equals("log.component", "discover") ||
+ equals("log.component", "security")) &&
+(
+  regexMatch("log.actionMessage", ".*.*.*") ||
+  contains("log.actionMessage", "javascript:") ||
+  contains("log.actionMessage", "onerror=") ||
+  contains("log.actionMessage", "onload=") ||
+  contains("log.actionMessage", " 1000) ||
+  (regexMatch("log.msg", "(?i)KEYS\\s+\\*") && !equals("log.levelEnc", "debug")) ||
+  (regexMatch("log.msg", "(?i)(SCAN|HSCAN|SSCAN|ZSCAN)\\s+\\d+\\s+MATCH\\s+\\*\\s+COUNT\\s+[1-9]\\d{3,}")) ||
+  (regexMatch("log.msg", "(?i)(BGSAVE|SAVE|LASTSAVE)") && regexMatch("log.msg", "(?i)(remote|external|http|ftp)")) ||
+  (regexMatch("log.msg", "(?i)SELECT\\s+\\d+") && regexMatch("log.msg", "(?i)(KEYS\\s+\\*|SCAN\\s+0)")) ||
+  (regexMatch("log.msg", "(?i)MIGRATE\\s+\\d+\\.\\d+\\.\\d+\\.\\d+")) ||
+  (regexMatch("log.msg", "(?i)(GET|HGETALL|SMEMBERS|ZRANGE).*") && regexMatch("log.msg", "(?i)(password|secret|token|api[_-]?key|private[_-]?key)"))
+)
+', '2026-02-09 16:37:16.006831', true, false, 'origin', null, '[{"indexPattern":"v11-log-redis-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-30m","count":10}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (308, 'Redis Lua Script Injection Attack', 3, 3, 3, 'Execution', 'Script Injection', 'Detects potential Lua script injection attacks in Redis including malicious EVAL/EVALSHA commands, script-based exploitation attempts, or suspicious scripting activity.
+
+Next Steps:
+1. Immediately review the Redis logs to identify the source of the suspicious script commands
+2. Check if the Redis instance is exposed to untrusted networks
+3. Verify that Redis authentication is properly configured and strong passwords are in use
+4. Review all Lua scripts loaded into Redis for malicious code
+5. Consider implementing command blacklisting for EVAL/EVALSHA if not required
+6. Monitor for any unauthorized data access or modification following the alert
+7. If compromise is confirmed, rotate Redis passwords and review all stored data for tampering
+', '["https://antirez.com/news/119","https://redis.io/docs/latest/develop/interact/programmability/lua-debugging/","https://attack.mitre.org/techniques/T1059/007/"]', 'exists("log.message") && (
+  contains("log.message", "Cross Protocol Scripting") ||
+  (contains("log.message", "POST") && contains("log.message", "Host:")) ||
+  (contains("log.message", "EVAL") && contains("log.message", ["os.execute", "io.popen", "io.open", "loadfile", "dofile"])) ||
+  contains("log.message", "Lua script attempted to access") ||
+  (contains("log.message", "lua") && contains("log.message", "attack"))
+)
+', '2026-02-09 16:37:16.166915', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (309, 'Redis Persistence Mechanism Abuse Detected', 3, 3, 2, 'Persistence', 'T1505: Server Software Component', 'Detects attempts to abuse Redis persistence mechanisms for maintaining unauthorized access, including suspicious RDB/AOF operations, module loading for backdoors, or configuration changes to establish persistence.
+
+Next Steps:
+1. Immediately review the Redis server configuration changes and module operations
+2. Check if any unauthorized modules were loaded using MODULE LIST command
+3. Examine Redis data directory for suspicious files (crontab, authorized_keys, shell scripts)
+4. Review Redis access logs for the source IP and authentication method used
+5. Verify if RDB/AOF files have been written to unusual locations
+6. Check system cron jobs and SSH authorized_keys for signs of compromise
+7. Consider rotating Redis passwords and implementing ACL restrictions
+8. Enable Redis command logging if not already active for forensic analysis
+', '["https://medium.com/@knownsec404team/rce-exploits-of-redis-based-on-master-slave-replication-ef7a664ce1d0","https://attack.mitre.org/techniques/T1505/"]', 'exists("log.message") && (
+  (regexMatch("log.message", "(?i)CONFIG\\s+SET\\s+(save|appendonly|appendfsync|aof-rewrite)")) ||
+  (regexMatch("log.message", "(?i)MODULE\\s+LOAD\\s+") && !regexMatch("log.message", "(?i)(redis[_-]?search|redis[_-]?graph|redis[_-]?timeseries|redis[_-]?json|redis[_-]?bloom)")) ||
+  (regexMatch("log.message", "(?i)CONFIG\\s+SET\\s+dir\\s+/(root|home|usr|etc|var/spool/cron)")) ||
+  (regexMatch("log.message", "(?i)CONFIG\\s+SET\\s+dbfilename\\s+(crontab|authorized_keys|passwd|shadow|\\.bashrc|\\.profile)")) ||
+  (regexMatch("log.message", "(?i)(BGREWRITEAOF|BGSAVE)") && regexMatch("log.message", "(?i)(ssh|cron|bash|shell)")) ||
+  (equals("log.roleEnc", "master") && regexMatch("log.message", "(?i)Synchronization\\s+with\\s+replica.*module\\s+load")) ||
+  (regexMatch("log.message", "(?i)MODULE\\s+(LIST|UNLOAD)") && equals("log.levelEnc", "error"))
+)
+', '2026-02-09 16:37:16.326627', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (310, 'Redis ACL Manipulation Detection', 3, 3, 2, 'Persistence', 'T1098 - Account Manipulation', 'Detects manipulation of Redis ACL to create backdoor accounts, modify existing user permissions, or disable authentication. Attackers use ACL SETUSER to create persistent access with full privileges.
+
+Next Steps:
+1. Review the ACL changes to identify unauthorized user modifications
+2. List all current Redis users with ACL LIST
+3. Remove unauthorized user accounts
+4. Verify the default user is properly restricted
+5. Check for requirepass/masterauth changes
+6. Implement ACL file persistence and monitoring
+', '["https://redis.io/docs/latest/operate/oss_and_stack/management/security/acl/","https://attack.mitre.org/techniques/T1098/"]', 'exists("log.message") &&
+(
+  regexMatch("log.message", "(?i)ACL\\s+SETUSER") ||
+  regexMatch("log.message", "(?i)ACL\\s+DELUSER") ||
+  regexMatch("log.message", "(?i)ACL\\s+SAVE") ||
+  regexMatch("log.message", "(?i)ACL\\s+LOAD") ||
+  regexMatch("log.message", "(?i)CONFIG\\s+SET\\s+requirepass") ||
+  regexMatch("log.message", "(?i)CONFIG\\s+SET\\s+masterauth") ||
+  (contains("log.message", "ACL SETUSER") && contains("log.message", "allcommands")) ||
+  (contains("log.message", "ACL SETUSER") && contains("log.message", "allkeys"))
+)
+', '2026-02-09 16:37:16.476558', true, false, 'origin', null, '[{"indexPattern":"v11-log-redis-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-10m","count":3}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (311, 'Redis Data Destruction Detection', 1, 3, 3, 'Data Destruction', 'T1485 - Data Destruction', 'Detects Redis data destruction commands including FLUSHALL, FLUSHDB, and DEBUG SLEEP that could indicate an attacker wiping data or preparing for ransomware. These commands irreversibly delete all data from Redis databases.
+
+Next Steps:
+1. Verify if the FLUSH command was authorized
+2. Check if RDB/AOF persistence files are intact for recovery
+3. Identify the source of the destructive command
+4. Restore data from backups immediately if unauthorized
+5. Restrict FLUSH commands via Redis ACL
+6. Monitor for ransom messages or follow-up demands
+', '["https://redis.io/docs/latest/commands/flushall/","https://attack.mitre.org/techniques/T1485/"]', 'exists("log.message") &&
+(
+  regexMatch("log.message", "(?i)FLUSHALL") ||
+  regexMatch("log.message", "(?i)FLUSHDB") ||
+  regexMatch("log.message", "(?i)DEBUG\\s+SET-ACTIVE-EXPIRE") ||
+  (contains("log.message", "CONFIG SET") && contains("log.message", "save") && contains("log.message", "\"\"")) ||
+  regexMatch("log.message", "(?i)CONFIG\\s+SET\\s+appendonly\\s+no")
+)
+', '2026-02-09 16:37:16.631959', true, false, 'origin', null, '[{"indexPattern":"v11-log-redis-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-10m","count":3}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (312, 'Redis Rogue Replication Attack Detection', 3, 3, 3, 'Exploitation', 'T1210 - Exploitation of Remote Services', 'Detects rogue Redis replication attacks using SLAVEOF or REPLICAOF commands to connect the target Redis instance to an attacker-controlled server. This technique is used to load malicious Redis modules, exfiltrate data, or achieve remote code execution.
+
+Next Steps:
+1. Verify the replication target address is a legitimate Redis master
+2. Check for any loaded modules after the replication command
+3. Review Redis configuration for unauthorized changes
+4. Disconnect from the rogue master using REPLICAOF NO ONE
+5. Check for data exfiltration or corruption
+6. Restrict SLAVEOF/REPLICAOF commands via ACL
+', '["https://redis.io/docs/latest/operate/oss_and_stack/management/replication/","https://attack.mitre.org/techniques/T1210/"]', 'exists("log.message") &&
+(
+  regexMatch("log.message", "(?i)(SLAVEOF|REPLICAOF)\\s+[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+") ||
+  regexMatch("log.message", "(?i)(SLAVEOF|REPLICAOF)\\s+\\w+") ||
+  (contains("log.message", "MASTER <-> REPLICA") && contains("log.message", "sync started")) ||
+  (contains("log.message", "Connecting to MASTER") && !contains("log.message", "already connected")) ||
+  contains("log.message", "FULLRESYNC") ||
+  regexMatch("log.message", "(?i)MODULE\\s+LOAD")
+) &&
+!contains("log.message", "REPLICAOF NO ONE") &&
+!contains("log.message", "SLAVEOF NO ONE")
+', '2026-02-09 16:37:16.781895', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (313, 'Redis Unauthorized Access Pattern Detected', 3, 3, 2, 'Initial Access', 'T1078 - Valid Accounts', 'Detects patterns indicative of unauthorized access attempts to Redis including authentication failures, dangerous command usage without authentication, or attempts to bypass security restrictions. This rule identifies potential Redis security breaches through analysis of log messages for authentication failures, dangerous administrative commands, and unauthorized client activities.
+
+Next Steps:
+1. Verify the legitimacy of the Redis client connection from the identified origin host
+2. Check Redis authentication configuration and ensure AUTH is properly enabled
+3. Review Redis configuration for exposed dangerous commands (FLUSHALL, FLUSHDB, CONFIG)
+4. Investigate if any data was compromised during the unauthorized access attempt
+5. Consider implementing Redis ACLs and restricting dangerous commands
+6. Monitor for data exfiltration attempts from the affected Redis instance
+', '["https://medium.com/@Victor.Z.Zhu/redis-unauthorized-access-vulnerability-simulation-victor-zhu-ac7a71b2e419","https://attack.mitre.org/techniques/T1078/"]', 'exists("log.msg") && (
+  (regexMatch("log.msg", "(?i)(AUTH\\s+failed|invalid\\s+password|authentication\\s+required)")) ||
+  (regexMatch("log.msg", "(?i)(FLUSHALL|FLUSHDB|CONFIG\\s+(GET|SET)|KEYS\\s+\\*|SCAN\\s+0)") && equals("log.severity", "warning")) ||
+  (regexMatch("log.msg", "(?i)CONFIG\\s+SET\\s+(dir\\s+/|dbfilename\\s+authorized_keys)")) ||
+  (regexMatch("log.msg", "(?i)(SAVE|BGSAVE).*ssh|authorized_keys")) ||
+  (regexMatch("log.msg", "(?i)Client\\s+id=\\d+\\s+addr=.*\\s+name=.*\\s+cmd=(flushall|flushdb|config)")) ||
+  (equals("log.severity", "high") && regexMatch("log.msg", "(?i)(Possible\\s+security\\s+attack|unauthorized\\s+client)"))
+)
+', '2026-02-09 16:37:16.916919', true, false, 'origin', null, '[{"indexPattern":"v11-log-redis-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-10m","count":5}]', '["adversary.host","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (314, 'AWS SSM Agent Hijacking - Unauthorized Registration', 3, 3, 3, 'Command and Control', 'T1219 - Remote Access Software', 'Detects unauthorized re-registration of the AWS Systems Manager (SSM) agent with a different AWS account. Attackers with local access to an EC2 instance can re-register the SSM agent to their own AWS account, gaining persistent remote command execution capability through a legitimate AWS service. This technique is particularly dangerous because SSM traffic blends with normal AWS API calls.
+
+Next Steps:
+1. Verify the SSM agent registration is pointing to the correct AWS account
+2. Check the activation code and ID used in the registration
+3. Compare the SSM agent configuration with expected values from your AWS account
+4. Review SSM session history for unauthorized command execution
+5. Check CloudTrail logs for SSM API calls from unexpected accounts
+6. Re-register the SSM agent with your legitimate AWS account
+7. Investigate how the attacker gained local access to the instance
+8. Rotate all credentials accessible from the compromised instance
+', '["https://attack.mitre.org/techniques/T1219/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml","https://www.mitiga.io/blog/new-attack-vector-aws-ssm-agent-as-a-remote-access-trojan"]', 'exists("log.message") &&
+regexMatch("log.message", "(?i)amazon-ssm-agent\\s+.*-register\\s+.*-(code|id|region)")
+', '2026-02-09 16:39:06.621928', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (315, 'Base64 Decode Piped to Shell Execution', 3, 3, 2, 'Defense Evasion', 'T1140 - Deobfuscate/Decode Files or Information', 'Detects base64-encoded content being decoded and piped directly to bash or sh for execution. This is an extremely common technique used by malware droppers, initial access scripts, and post-exploitation frameworks to evade detection by encoding malicious commands. Legitimate use of base64 piped to shell execution is very rare in production environments.
+
+Next Steps:
+1. Capture and decode the base64 payload to understand what was executed
+2. Identify the source of the encoded command (downloaded file, cron job, web request)
+3. Check for persistence mechanisms installed by the decoded payload
+4. Review network connections for C2 communication
+5. Search for similar base64 patterns across all systems
+6. Investigate the user account and parent process chain
+7. Look for file drops or modifications made by the executed payload
+', '["https://attack.mitre.org/techniques/T1140/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)base64\\s+-d.*\\|\\s*(ba)?sh") ||
+ regexMatch("log.message", "(?i)base64\\s+--decode.*\\|\\s*(ba)?sh") ||
+ regexMatch("log.message", "(?i)echo\\s+.*\\|\\s*base64\\s+-d\\s*\\|\\s*(ba)?sh") ||
+ regexMatch("log.message", "(?i)\\|\\s*base64\\s+-(d|decode)\\s*\\|\\s*(ba)?sh"))
+', '2026-02-09 16:39:06.727070', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (316, 'BPFDoor Backdoor Indicators', 3, 3, 3, 'Malware Detection', 'T1205.002 - Traffic Signaling: Socket Filters', 'Detects indicators of the BPFDoor backdoor, a sophisticated Linux malware used by APT groups (particularly Red Menshen/DecisiveArchitect). BPFDoor uses Berkeley Packet Filters (BPF) to monitor network traffic and respond to magic packets, making it extremely stealthy. It hides by deleting its own binary and running from memory, using specific file paths and socket operations.
+
+Next Steps:
+1. THIS IS A HIGH-CONFIDENCE APT INDICATOR - immediately activate incident response
+2. Isolate the affected host but preserve running processes for memory analysis
+3. Check for BPF socket filters attached to network interfaces
+4. Look for processes with deleted binary files (ls -la /proc/*/exe | grep deleted)
+5. Search for BPFDoor-specific files: /var/run/haldrund.pid, /dev/shm/kdmtmpflush
+6. Capture full memory dump before any remediation
+7. Hunt for lateral movement and other compromised hosts
+8. Engage threat intelligence team for APT attribution
+', '["https://attack.mitre.org/techniques/T1205/002/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/path/lnx_auditd_bpfdoor_file_accessed.yml","https://www.trendmicro.com/en_us/research/23/e/bpfdoor-linux-backdoor.html"]', 'exists("log.message") &&
+(contains("log.message", "/var/run/haldrund.pid") ||
+ contains("log.message", "/dev/shm/kdmtmpflush") ||
+ contains("log.message", "kdmtmpflush") ||
+ contains("log.message", "haldrund") ||
+ regexMatch("log.message", "(?i)/tmp/\\.(lock|font|pid)") ||
+ (contains("log.message", "BPF") && contains("log.message", "socket")) ||
+ contains("log.message", "bpfdoor"))
+', '2026-02-09 16:39:06.890835', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (317, 'Bash /dev/tcp Reverse Shell Detected', 3, 3, 3, 'Command and Control', 'T1059.004 - Command and Scripting Interpreter: Unix Shell', 'Detects the classic bash reverse shell pattern using /dev/tcp, including "bash -i >& /dev/tcp/" and "exec 3<>/dev/tcp/" variants. The /dev/tcp pseudo-device is a bash built-in for TCP connections and its use in command lines is almost exclusively malicious. This is one of the most commonly used reverse shell techniques.
+
+Next Steps:
+1. Immediately isolate the affected host from the network
+2. Extract the destination IP and port from the /dev/tcp path
+3. Block the C2 IP at the network perimeter
+4. Identify the user account and process tree that executed the command
+5. Check for initial access vector and persistence mechanisms
+6. Hunt for the same C2 IP across all systems
+7. Perform full forensic analysis of the compromised host
+', '["https://attack.mitre.org/techniques/T1059/004/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)bash\\s+-i\\s+>&\\s*/dev/tcp/") ||
+ regexMatch("log.message", "(?i)exec\\s+\\d+<>/dev/tcp/") ||
+ contains("log.message", "/dev/tcp/"))
+', '2026-02-09 16:39:07.031456', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (318, 'Credential File Copied to Staging Directory', 3, 2, 1, 'Credential Access', 'T1552.001 - Unsecured Credentials: Credentials In Files', 'Detects the copying of credential files (/etc/passwd, /etc/shadow, /etc/gshadow) to world-readable staging directories like /tmp or /dev/shm. This is a direct indicator of credential theft where an attacker stages sensitive files for exfiltration or offline password cracking. Legitimate administrators never copy these files to /tmp.
+
+Next Steps:
+1. Immediately remove the copied credential files from /tmp or /dev/shm
+2. Identify the user account that performed the copy
+3. Check if the shadow file was accessed - if so, assume all local passwords are compromised
+4. Force password resets for all local accounts on the affected system
+5. Investigate how the attacker gained the privileges to read /etc/shadow
+6. Look for exfiltration attempts (scp, curl, nc) from the same host
+7. Check for password cracking tool downloads or execution
+', '["https://attack.mitre.org/techniques/T1552/001/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)cp\\s+/etc/(passwd|shadow|gshadow)\\s+/tmp") ||
+ regexMatch("log.message", "(?i)cp\\s+/etc/(passwd|shadow|gshadow)\\s+/dev/shm") ||
+ regexMatch("log.message", "(?i)cp\\s+/etc/(passwd|shadow|gshadow)\\s+/var/tmp") ||
+ regexMatch("log.message", "(?i)cat\\s+/etc/(shadow|gshadow)\\s*>\\s*/tmp/") ||
+ regexMatch("log.message", "(?i)cat\\s+/etc/(shadow|gshadow)\\s*>\\s*/dev/shm/"))
+', '2026-02-09 16:39:07.182341', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (319, 'Immutable File Flag Removal via chattr', 1, 3, 2, 'Defense Evasion', 'T1222.002 - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification', 'Detects the removal of the immutable flag from files using chattr -i. The immutable flag prevents files from being modified or deleted, even by root. Ransomware and rootkits commonly remove this flag before modifying or encrypting protected system files.
+
+Next Steps:
+1. Identify which files had their immutable flag removed
+2. Check if those files were subsequently modified or deleted
+3. Look for ransomware indicators (encryption, ransom notes)
+4. Examine the process and user that executed chattr
+5. Verify the integrity of the affected files
+6. Restore the immutable flag on critical system files
+', '["https://attack.mitre.org/techniques/T1222/002/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml"]', 'contains("log.message", "chattr") &&
+contains("log.message", "-i")
+', '2026-02-09 16:39:07.331792', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (441, 'System Linux: Potential Protocol Tunneling via EarthWorm', 3, 3, 2, 'Command and Control', 'T1572 - Protocol Tunneling', 'Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.', '["https://attack.mitre.org/tactics/TA0011/","https://attack.mitre.org/techniques/T1572/"]', 'contains("log.message", "-s") && contains("log.message", "-d") && contains("log.message", "rssocks")', '2026-02-09 16:51:30.327138', true, false, 'target', null, '[]', '["target.ip","target.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (320, 'Cryptocurrency Mining Command Line Indicators', 1, 2, 3, 'Resource Hijacking', 'T1496 - Resource Hijacking', 'Detects cryptocurrency mining software execution based on distinctive command-line arguments. This includes mining-specific parameters such as --cpu-priority, --donate-level, stratum+tcp://, --algo=rx/0, and other Monero/XMR mining indicators. Unauthorized crypto mining is a common objective of automated Linux exploits and worms.
+
+Next Steps:
+1. Identify and terminate the mining process immediately
+2. Determine the mining pool and wallet address being used
+3. Check CPU utilization to confirm active mining
+4. Investigate how the miner was installed (exploit, compromised credentials, malicious package)
+5. Search for persistence mechanisms (cron jobs, systemd services, init scripts)
+6. Check for additional compromised hosts mining to the same pool
+7. Remove all mining-related files and restore system to clean state
+8. Patch the vulnerability that led to the initial compromise
+', '["https://attack.mitre.org/techniques/T1496/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml"]', 'exists("log.message") &&
+(contains("log.message", "--donate-level") ||
+ contains("log.message", "stratum+tcp://") ||
+ contains("log.message", "stratum+ssl://") ||
+ contains("log.message", "stratum+tls://") ||
+ contains("log.message", "--coin=") ||
+ regexMatch("log.message", "(?i)--algo=(rx/0|cn/|randomx|cryptonight)") ||
+ contains("log.message", "--cpu-priority") ||
+ contains("log.message", "--threads=") ||
+ regexMatch("log.message", "(?i)(xmrig|xmr-stak|cpuminer|minerd|cgminer|bfgminer|ethminer|nbminer|t-rex)") ||
+ contains("log.message", "pool.minexmr.com") ||
+ contains("log.message", "pool.hashvault.pro"))
+', '2026-02-09 16:39:07.486686', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (321, 'Cryptocurrency Mining Pool Connection', 1, 2, 3, 'Resource Hijacking', 'T1496 - Resource Hijacking', 'Detects network connections or DNS lookups to known cryptocurrency mining pool hostnames. This covers major Monero, Bitcoin, and Ethereum mining pools. Connections to these hosts from production servers are almost always indicators of unauthorized cryptocurrency mining.
+
+Next Steps:
+1. Identify the process making connections to mining pools
+2. Terminate the mining process and remove associated files
+3. Block mining pool domains and IPs at the firewall/proxy
+4. Check for persistence mechanisms maintaining the miner
+5. Investigate the initial compromise vector
+6. Audit other systems for similar mining pool connections
+7. Review DNS logs for mining pool lookups from other hosts
+', '["https://attack.mitre.org/techniques/T1496/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml"]', 'exists("log.message") &&
+regexMatch("log.message", "(?i)(pool\\.minergate\\.com|xmrpool\\.eu|moneropool\\.com|monerohash\\.com|minexmr\\.com|pool\\.hashvault\\.pro|xmr\\.nanopool\\.org|xmr\\.2miners\\.com|pool\\.supportxmr\\.com|xmr-eu1\\.nanopool\\.org|xmr-eu2\\.nanopool\\.org|xmr-us-east1\\.nanopool\\.org|xmr-us-west1\\.nanopool\\.org|xmr-asia1\\.nanopool\\.org|randomxmonero\\.auto|gulf\\.moneroocean\\.stream|xmr\\.herominers\\.com|pool\\.xmr\\.pt|xmr\\.f2pool\\.com|xmrpool\\.net|xmr-eu\\.dwarfpool\\.com|monero\\.crypto-pool\\.fr|mine\\.c3pool\\.com)")
+', '2026-02-09 16:39:07.611500', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (322, 'Process Memory Injection via dd', 3, 3, 2, 'Defense Evasion', 'T1055.009 - Process Injection: Proc Memory', 'Detects the use of dd to write to /proc/PID/mem, which is a process injection technique. By writing directly to a process''s memory space through the proc filesystem, attackers can inject malicious code into legitimate running processes to evade detection and gain the process''s privileges.
+
+Next Steps:
+1. Identify the target process whose memory was written to
+2. Examine the source data being injected into the process
+3. Check if the target process is a privileged or security-sensitive process
+4. Review the injecting process and its parent chain
+5. Dump and analyze the target process memory for injected code
+6. Investigate the system for additional process injection attempts
+', '["https://attack.mitre.org/techniques/T1055/009/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml"]', 'contains("log.message", "dd ") &&
+regexMatch("log.message", "/proc/[0-9]+/mem")
+', '2026-02-09 16:39:07.767041', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (323, 'Download and Execute from Staging Directory', 3, 3, 3, 'Execution', 'T1105 - Ingress Tool Transfer', 'Detects the pattern of downloading a file using curl or wget to /tmp or /dev/shm and then executing it. This is one of the most common multi-stage attack patterns where an attacker downloads a payload from their infrastructure to a staging directory and immediately executes it. This pattern is seen in cryptocurrency miners, botnet agents, and initial compromise payloads.
+
+Next Steps:
+1. Identify the URL from which the file was downloaded
+2. Block the download URL and associated domain at the proxy/firewall
+3. Retrieve and analyze the downloaded file (if still present) for malware analysis
+4. Check for persistence mechanisms installed by the payload
+5. Review network connections for C2 communication
+6. Hunt for the same download URL or file hash across all systems
+7. Investigate the initial access vector that led to the download command
+', '["https://attack.mitre.org/techniques/T1105/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_curl_wget_exec_tmp.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)(curl|wget)\\s+.*-o\\s+(/tmp/|/dev/shm/|/var/tmp/)") ||
+ regexMatch("log.message", "(?i)(curl|wget)\\s+.*>\\s*(/tmp/|/dev/shm/|/var/tmp/)") ||
+ regexMatch("log.message", "(?i)(curl|wget)\\s+.*(/tmp/|/dev/shm/).*&&.*chmod.*\\+x") ||
+ regexMatch("log.message", "(?i)(curl|wget)\\s+.*\\|\\s*(ba)?sh") ||
+ regexMatch("log.message", "(?i)(curl|wget)\\s+.*(/tmp/|/dev/shm/).*&&.*/tmp/"))
+', '2026-02-09 16:39:07.922334', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (324, 'ESXi VM Process Kill - Ransomware Precursor', 2, 3, 3, 'Impact', 'T1529 - System Shutdown/Reboot', 'Detects the use of esxcli to kill virtual machine processes on VMware ESXi hypervisors. This is a critical pre-encryption step used by ransomware groups (ESXiArgs, Royal, LockBit, BlackBasta) to shut down VMs before encrypting their VMDK files. The esxcli vm process kill command is the standard method used by ESXi ransomware variants.
+
+Next Steps:
+1. THIS IS A CRITICAL ALERT - immediately isolate the ESXi host from the network
+2. Check if ransomware encryption has already begun (look for .encrypted, .locked extensions on datastores)
+3. Identify all VMs that were killed and assess business impact
+4. Determine how the attacker gained access to the ESXi host (CVE exploitation, stolen credentials)
+5. Verify ESXi host integrity and check for dropped ransomware binaries
+6. Check for ransom notes on datastores
+7. Do NOT restart VMs until forensic analysis is complete
+8. Activate incident response and business continuity procedures
+', '["https://attack.mitre.org/techniques/T1529/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)esxcli\\s+vm\\s+process\\s+kill") ||
+ regexMatch("log.message", "(?i)vim-cmd\\s+vmsvc/power\\.off") ||
+ regexMatch("log.message", "(?i)esxcli\\s+vm\\s+process\\s+list"))
+', '2026-02-09 16:39:08.066746', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (325, 'Suspicious Process Execution from /tmp Directory', 3, 3, 2, 'Execution', 'T1036 - Masquerading', 'Detects process execution from the /tmp directory, which is a world-writable location commonly used by attackers to stage and execute malware. Legitimate applications rarely execute from /tmp. This pattern is seen in initial access payloads, cryptocurrency miners, reverse shells, and automated exploitation tools.
+
+Next Steps:
+1. Identify the specific binary or script executing from /tmp
+2. Calculate the file hash and check against threat intelligence feeds
+3. Determine how the file was placed in /tmp (downloaded, transferred, compiled)
+4. Review the process''s network connections and child processes
+5. Check for persistence mechanisms that reference the /tmp file
+6. Remove the malicious file and any associated persistence
+7. Investigate the initial access vector that led to the file placement
+', '["https://attack.mitre.org/techniques/T1036/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)exec(ve)?.*(/tmp/|/var/tmp/|/dev/shm/)") ||
+ regexMatch("log.message", "(?i)/tmp/[a-zA-Z0-9._-]+\\s+(started|running|executed)") ||
+ regexMatch("log.message", "(?i)sh\\s+-c\\s+/tmp/") ||
+ regexMatch("log.message", "(?i)bash\\s+/tmp/") ||
+ regexMatch("log.message", "(?i)chmod\\s+\\+x\\s+/tmp/.*&&.*/tmp/"))
+', '2026-02-09 16:39:08.207093', true, false, 'origin', null, '[{"indexPattern":"v11-log-linux-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-15m","count":2}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (326, 'Shell History File Deletion', 1, 3, 1, 'Defense Evasion', 'T1070.003 - Indicator Removal: Clear Command History', 'Detects deletion, truncation, or clearing of shell history files (.bash_history, .zsh_history, .sh_history). Attackers delete history files to remove evidence of their commands after compromising a system. This is a common anti-forensic technique used during post-exploitation.
+
+Next Steps:
+1. Identify the user account that deleted the history file
+2. Check for remaining shell history in other locations (syslog, auditd)
+3. Review SIEM/remote log data for the commands that were likely being hidden
+4. Investigate what activities preceded the history deletion
+5. Look for other anti-forensic indicators (log clearing, timestamp manipulation)
+6. Check for persistence mechanisms and ongoing compromise
+7. Correlate with other alerts from the same host
+', '["https://attack.mitre.org/techniques/T1070/003/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)(rm|shred|unlink)\\s+.*\\.(bash_history|zsh_history|sh_history|history)") ||
+ regexMatch("log.message", "(?i)>\\s*~/?\\.?(bash_history|zsh_history|sh_history)") ||
+ regexMatch("log.message", "(?i)cat\\s+/dev/null\\s*>.*\\.(bash_history|zsh_history)") ||
+ regexMatch("log.message", "(?i)truncate\\s+.*\\.(bash_history|zsh_history)") ||
+ contains("log.message", "HISTFILE=/dev/null") ||
+ contains("log.message", "unset HISTFILE") ||
+ contains("log.message", "set +o history") ||
+ contains("log.message", "HISTSIZE=0"))
+', '2026-02-09 16:39:08.351829', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (327, 'Java Process Spawning Suspicious Child Process', 3, 3, 3, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects Java processes spawning suspicious child processes such as bash, sh, curl, wget, or python. This pattern is a strong indicator of exploitation of Java applications including Log4Shell (CVE-2021-44228), Confluence RCE vulnerabilities, and Java deserialization attacks. Legitimate Java applications rarely spawn shell processes.
+
+Next Steps:
+1. Immediately isolate the affected Java application server
+2. Identify the specific Java application being exploited (check the Java process arguments)
+3. Review application logs for exploitation payloads (JNDI lookups, deserialization gadgets)
+4. Check for Log4j vulnerabilities in all Java dependencies
+5. Inspect what commands were executed by the spawned child process
+6. Look for reverse shells, webshells, or persistence mechanisms
+7. Patch the vulnerable application immediately
+8. Hunt for the same exploitation pattern across other Java application servers
+', '["https://attack.mitre.org/techniques/T1059/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml","https://www.lunasec.io/docs/blog/log4j-zero-day/"]', 'exists("log.message") &&
+regexMatch("log.message", "(?i)java.*child.*(bash|/bin/sh|curl|wget|python|perl|ruby|nc |ncat)") ||
+(contains("log.message", "java") &&
+ regexMatch("log.message", "(?i)(Runtime\\.getRuntime|ProcessBuilder|exec\\(|/bin/bash|/bin/sh)"))
+', '2026-02-09 16:39:08.492019', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (328, 'LD_PRELOAD Library Injection in System Logs', 3, 3, 2, 'Persistence', 'T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking', 'Detects modifications to /etc/ld.so.preload or LD_PRELOAD usage in system logs, indicating dynamic linker hijacking for persistence or credential interception.
+
+Next Steps:
+1. Examine /etc/ld.so.preload for unauthorized shared library entries
+2. Analyze the referenced shared library for malicious code
+3. Check for LD_PRELOAD in environment variables and shell profiles
+4. Identify the user and process that made the modification
+5. Remove malicious preload entries and libraries
+6. Audit running processes for injected libraries
+', '["https://attack.mitre.org/techniques/T1574/006/"]', '(contains("log.message", "ld.so.preload") || contains("log.message", "LD_PRELOAD")) &&
+(contains("log.message", "modified") || contains("log.message", "write") ||
+ contains("log.message", "export LD_PRELOAD") || contains("log.message", "changed") ||
+ contains("log.message", "opened for writing"))
+', '2026-02-09 16:39:08.641507', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (329, 'Linux Hack Tool Execution', 3, 3, 2, 'Execution', 'T1588.002 - Obtain Capabilities: Tool', 'Detects execution of known offensive security and hacking tools on Linux systems. This includes C2 frameworks (Cobalt Strike, Sliver, Havoc, Merlin), post-exploitation tools (LinPEAS, pspy, Chisel), credential attack tools (Hydra, John, Hashcat, Mimikatz), network attack tools (CrackMapExec, Impacket, Responder), and vulnerability scanners (sqlmap, Nikto, ncrack). The presence of these tools on a production system is a strong indicator of compromise.
+
+Next Steps:
+1. Immediately isolate the affected host from the network
+2. Identify the user account executing the tool and determine if it is compromised
+3. Check how the tool was installed (downloaded, transferred, compiled on host)
+4. Review process history and network connections for scope of attack
+5. Search for additional compromised hosts using the same tools
+6. Collect forensic artifacts from the system
+7. Remove the offensive tools and remediate the compromise
+8. Reset credentials for any accounts accessed from the compromised host
+', '["https://attack.mitre.org/techniques/T1588/002/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml"]', 'exists("log.message") &&
+regexMatch("log.message", "(?i)(crackmapexec|cme\\s|evil-winrm|sliver-client|sliver-server|havoc|merlin|msfconsole|msfvenom|meterpreter|pspy|pspy64|linpeas|linpeas\\.sh|winpeas|linenum|linux-exploit-suggester|les\\.sh|linux-smart-enumeration|lse\\.sh|hydra|john |johntheripper|hashcat|ncrack|medusa|patator|sqlmap|sqlninja|nikto|gobuster|feroxbuster|dirbuster|dirb |ffuf |wfuzz|nuclei |subfinder|amass |masscan|nmap\\s|responder|impacket|secretsdump|chisel|ligolo|bloodhound-python|sharphound|rubeus|mimikatz|lazagne|enum4linux|smbmap|cracklord|thc-hydra)")
+', '2026-02-09 16:39:08.781918', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (330, 'Linux Log File Clearing', 1, 3, 2, 'Defense Evasion', 'T1070.002 - Indicator Removal: Clear Linux or Mac System Logs', 'Detects commands used to delete or overwrite Linux log files in /var/log. Attackers frequently clear logs to cover their tracks after compromising a system. Commands like rm, shred, unlink, and truncation of log files are indicators of anti-forensic activity.
+
+Next Steps:
+1. Identify the user account and process that deleted the log files
+2. Check for any remaining log entries before the clearing event
+3. Review remote syslog backups or SIEM data for the deleted timeframe
+4. Investigate what the attacker was trying to hide
+5. Look for other anti-forensic activities (history deletion, timestamp manipulation)
+6. Check for active compromise indicators on the system
+7. Preserve all remaining forensic artifacts immediately
+8. Consider the system compromised and investigate lateral movement
+', '["https://attack.mitre.org/techniques/T1070/002/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)(rm|shred|unlink)\\s+(-rf?\\s+)?/var/log") ||
+ regexMatch("log.message", "(?i)>\\s*/var/log/(syslog|auth\\.log|messages|secure|wtmp|btmp|lastlog)") ||
+ regexMatch("log.message", "(?i)truncate\\s+(-s\\s+0\\s+)?/var/log/") ||
+ regexMatch("log.message", "(?i)cat\\s+/dev/null\\s*>\\s*/var/log/"))
+', '2026-02-09 16:39:08.926981', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (331, 'Outbound Connection to Known Malware C2 Ports', 3, 2, 2, 'Command and Control', 'T1571 - Non-Standard Port', 'Detects outbound network connections to ports commonly used by malware for command and control callbacks. Ports like 4444 (Metasploit default), 5555 (Android Debug Bridge abuse), 6789 (Cobalt Strike), 8531 (fake WSUS), and others are well-known C2 callback ports. While some may have legitimate uses, outbound connections to these ports from servers warrant investigation.
+
+Next Steps:
+1. Identify the process making the outbound connection
+2. Determine the destination IP address and verify it is not a known legitimate service
+3. Check the destination IP against threat intelligence feeds
+4. Capture network traffic to analyze the C2 protocol
+5. Investigate the process tree and how the connecting process was started
+6. Block the destination IP at the firewall
+7. Search for the same destination IP across all monitored systems
+8. Check for persistence mechanisms associated with the C2 agent
+', '["https://attack.mitre.org/techniques/T1571/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)(connect|established|connection).*\\b(4444|4445|5555|6666|6667|6789|7443|8531|9001|9090|1337|31337|12345)\\b") ||
+ regexMatch("log.message", "(?i)outbound.*(4444|5555|6789|8531|9001)") ||
+ regexMatch("log.message", "(?i)destination.*port.*(4444|4445|5555|6666|6789|8531)"))
+', '2026-02-09 16:39:09.066872', true, false, 'origin', null, '[{"indexPattern":"v11-log-linux-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-15m","count":3}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (332, 'Named Pipe Creation in Suspicious Location', 2, 2, 1, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects creation of named pipes (FIFOs) in /tmp or /dev/shm using mkfifo. Named pipes in temporary directories are commonly used by attackers and malware for inter-process communication during exploitation. This technique was notably used in the Barracuda ESG exploitation campaign.
+
+Next Steps:
+1. Identify the named pipe file and examine its location
+2. Determine which processes are reading from and writing to the pipe
+3. Check for associated reverse shell or data exfiltration activity
+4. Review the parent process that executed mkfifo
+5. Look for other indicators of web application exploitation
+6. Remove the named pipe and investigate the full attack chain
+', '["https://attack.mitre.org/techniques/T1059/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml","https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"]', 'contains("log.message", "mkfifo") &&
+contains("log.message", ["/tmp/", "/dev/shm/", "/var/tmp/"])
+', '2026-02-09 16:39:09.211835', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (333, 'Netcat Reverse Shell Detected', 3, 3, 3, 'Command and Control', 'T1059 - Command and Scripting Interpreter', 'Detects netcat (nc/ncat/netcat) being used with -c or -e flags to spawn a shell, which is the most common method of establishing a reverse shell on Linux systems. This is almost never used legitimately and is a strong indicator of active compromise.
+
+Next Steps:
+1. Immediately isolate the affected host from the network
+2. Identify the user and parent process that executed netcat
+3. Determine the destination IP and port of the reverse shell connection
+4. Check for initial access vectors (webshell, exploited service, stolen credentials)
+5. Search for persistence mechanisms installed by the attacker
+6. Review network connections from the host for additional C2 channels
+7. Hunt for the same destination IP across all monitored systems
+', '["https://attack.mitre.org/techniques/T1059/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml"]', 'exists("log.message") &&
+regexMatch("log.message", "(?i)(nc|ncat|netcat)\\s+.*-(e|c)\\s+(/bin/)?(ba)?sh")
+', '2026-02-09 16:39:09.356771', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (334, 'Ngrok Tunnel Communication Detected', 3, 2, 2, 'Command and Control', 'T1572 - Protocol Tunneling', 'Detects connections to ngrok tunnel infrastructure (tunnel.*.ngrok.com, *.ngrok.io, *.ngrok-free.app). Ngrok is a legitimate tunneling service that is frequently abused by attackers to establish reverse tunnels from compromised systems, bypassing firewalls and NAT. Its use on production servers is almost always unauthorized and indicates either C2 communication, data exfiltration, or unauthorized remote access.
+
+Next Steps:
+1. Identify the process establishing the ngrok tunnel
+2. Determine what service or port is being exposed through the tunnel
+3. Check if ngrok is authorized for use in the environment
+4. Terminate the ngrok process and remove the binary
+5. Block ngrok domains at the DNS/proxy level
+6. Investigate what the attacker was accessing through the tunnel
+7. Check for the ngrok configuration file for tunnel details
+8. Hunt for ngrok usage on other systems
+', '["https://attack.mitre.org/techniques/T1572/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)tunnel\\..*\\.ngrok\\.com") ||
+ contains("log.message", ".ngrok.io") ||
+ contains("log.message", ".ngrok-free.app") ||
+ contains("log.message", "ngrok.com/api") ||
+ regexMatch("log.message", "(?i)ngrok\\s+(http|tcp|tls|start)"))
+', '2026-02-09 16:39:09.486706', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (669, 'Windows: Microsoft Build Engine Started an Unusual Process', 3, 3, 2, 'Defense Evasion', 'T1027 - Obfuscated Files or Information', 'An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1027/"]', 'regexMatch("log.winlogEventDataProcessName", "(csc.exe|iexplore.exe|powershell.exe)") && regexMatch("log.winlogEventDataParentProcessName", "MSBuild.exe")', '2026-02-09 16:57:25.017103', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (335, 'OMIGOD SCX Agent Exploitation Detected', 3, 3, 3, 'Exploitation', 'T1068 - Exploitation for Privilege Escalation', 'Detects exploitation of the OMIGOD vulnerability (CVE-2021-38647) in the Azure Open Management Infrastructure (OMI) SCX agent. This critical vulnerability allows unauthenticated remote code execution as root via the SCXcore RunAsProvider ExecuteShellCommand method.
+
+Next Steps:
+1. Immediately patch the OMI agent on the affected system
+2. Check for unauthorized processes spawned from the SCX agent path
+3. Review commands executed through the OMI agent
+4. Examine network connections to the OMI listener port (5985/5986)
+5. Check for persistence mechanisms installed by the attacker
+6. Audit all Azure VMs running the OMI agent for this vulnerability
+', '["https://attack.mitre.org/techniques/T1068/","https://attack.mitre.org/techniques/T1190/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml","https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure"]', '(
+  contains("log.message", "/var/opt/microsoft/scx") ||
+  contains("log.message", "/opt/omi/") ||
+  contains("log.message", "SCXcore")
+) &&
+(
+  contains("log.message", "ExecuteShellCommand") ||
+  contains("log.message", "RunAsProvider") ||
+  (contains("log.message", "omicli") && contains("log.message", "exec"))
+)
+', '2026-02-09 16:39:09.627198', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (336, 'Perl Reverse Shell Detected', 3, 3, 2, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects Perl-based reverse shell execution patterns using fdopen with Socket library. This is a well-known post-exploitation technique where attackers use Perl''s built-in networking capabilities to establish a reverse shell connection back to their command and control server.
+
+Next Steps:
+1. Immediately isolate the affected system from the network
+2. Identify the destination IP and port of the reverse shell connection
+3. Determine how the attacker gained initial access to execute Perl
+4. Check for other compromised systems connecting to the same C2 address
+5. Review process tree to identify the parent process that spawned Perl
+6. Examine the system for persistence mechanisms and lateral movement
+', '["https://attack.mitre.org/techniques/T1059/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml"]', 'contains("log.message", "perl") &&
+(
+  (contains("log.message", "fdopen") && contains("log.message", "Socket")) ||
+  (contains("log.message", "socket") && contains("log.message", "connect") && contains("log.message", "open") && contains("log.message", "STDIN"))
+)
+', '2026-02-09 16:39:09.767845', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (337, 'PHP Reverse Shell Detected', 3, 3, 3, 'Command and Control', 'T1059 - Command and Scripting Interpreter', 'Detects PHP being used to establish a reverse shell via fsockopen or similar network functions. This is commonly seen on compromised web servers where an attacker leverages PHP''s built-in socket functions to create a reverse connection. The presence of php -r with fsockopen in command lines is a strong indicator of active exploitation.
+
+Next Steps:
+1. Immediately isolate the affected web server from the network
+2. Identify the webshell or vulnerable application that triggered the PHP reverse shell
+3. Check for uploaded PHP files in web-accessible directories
+4. Review web server access logs for the initial exploitation request
+5. Determine the destination C2 IP and block it at the firewall
+6. Audit all PHP files on the server for additional webshells
+7. Patch the vulnerable application and restore from clean backup
+', '["https://attack.mitre.org/techniques/T1059/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml"]', 'exists("log.message") &&
+regexMatch("log.message", "(?i)php\\s+-r\\s+.*fsockopen")
+', '2026-02-09 16:39:09.907293', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (338, 'Shell Script Persistence via profile.d', 2, 3, 2, 'Persistence', 'T1546.004 - Event Triggered Execution: Unix Shell Configuration Modification', 'Detects creation or modification of shell scripts in /etc/profile.d/. Scripts in this directory are executed by every user at login, making it a powerful persistence mechanism. Attackers drop malicious scripts here to maintain persistent access and execute commands in the context of every user session.
+
+Next Steps:
+1. Identify the new or modified script in /etc/profile.d/ and examine its contents
+2. Check if the script was created by a legitimate package installation or administrator
+3. Compare the script against known-good baselines from package manager
+4. Review the user and process that created or modified the script
+5. Remove unauthorized scripts from /etc/profile.d/
+6. Check for other persistence mechanisms on the same system
+', '["https://attack.mitre.org/techniques/T1546/004/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml"]', 'contains("log.message", "/etc/profile.d/") &&
+(
+  contains("log.message", ["created", "modified", "written", "installed"]) ||
+  (contains("log.message", [" cp ", " mv ", "tee ", "cat "]) && contains("log.message", "/etc/profile.d/")) ||
+  (contains("log.message", "chmod") && contains("log.message", "/etc/profile.d/"))
+)
+', '2026-02-09 16:39:10.056562', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (339, 'Python PTY Shell Spawn - Interactive Shell Upgrade', 3, 3, 2, 'Execution', 'T1059.006 - Command and Scripting Interpreter: Python', 'Detects the use of Python''s pty module to spawn an interactive TTY shell. This is a standard post-exploitation technique where an attacker upgrades a basic reverse shell to a fully interactive terminal. The command "python -c ''import pty; pty.spawn(\"/bin/bash\")''" is taught in every penetration testing course and is a strong indicator of active hands-on-keyboard exploitation.
+
+Next Steps:
+1. The system is actively being exploited - immediately isolate the host
+2. Identify the parent process (likely a reverse shell or webshell)
+3. Check for the initial access vector that gave the attacker shell access
+4. Review all commands executed in the spawned interactive shell
+5. Look for privilege escalation attempts following the shell upgrade
+6. Check for lateral movement from this host
+7. Collect memory dump and disk forensic artifacts
+', '["https://attack.mitre.org/techniques/T1059/006/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)python[23]?\\s+-c\\s+.*import\\s+pty.*pty\\.spawn") ||
+ contains("log.message", "import pty;pty.spawn") ||
+ contains("log.message", "import pty; pty.spawn"))
+', '2026-02-09 16:39:10.197334', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (442, 'System Linux: Namespace Manipulation Using Unshare', 3, 3, 2, 'Privilege Escalation', 'T1543 - Create or Modify System Process', 'Identifies  suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges.', '["https://attack.mitre.org/tactics/TA0004/","https://attack.mitre.org/techniques/T1543/"]', 'contains("log.message", "unshare") && !contains("log.message", "/usr/bin/snap") && !regexMatch("log.message", "(\\/usr\\/bin\\/udevadm|\\/lib\\/systemd\\/systemd-udevd|\\/usr\\/bin\\/unshare)")', '2026-02-09 16:51:30.486997', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (341, 'Comprehensive Reverse Shell Detection', 3, 3, 3, 'Command and Control', 'T1059.004 - Command and Scripting Interpreter: Unix Shell', 'Detects multiple reverse shell patterns in Linux system logs including bash, netcat, python, perl, ruby, socat, awk, xterm, and telnet variants. Reverse shells are one of the most common post-exploitation techniques used by attackers to establish interactive command and control channels from a compromised host back to their infrastructure.
+
+Next Steps:
+1. Immediately isolate the affected host from the network
+2. Identify the source process and user that spawned the reverse shell
+3. Determine the destination IP and port of the outbound connection
+4. Check for webshell presence or initial access vector that led to the reverse shell
+5. Review all processes and network connections on the compromised host
+6. Search for lateral movement from this host to other systems
+7. Collect forensic artifacts (memory dump, disk image) before remediation
+8. Block the C2 IP at the firewall and hunt for it across all systems
+', '["https://attack.mitre.org/techniques/T1059/004/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/builtin/lnx_shell_susp_rev_shells.yml","https://www.revshells.com/"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)bash\\s+-i\\s+>&\\s*/dev/tcp/") ||
+ regexMatch("log.message", "(?i)exec\\s+\\d+<>/dev/tcp/") ||
+ regexMatch("log.message", "(?i)(nc|ncat|netcat)\\s+.*\\s+-(e|c)\\s+(/bin/)?(ba)?sh") ||
+ regexMatch("log.message", "(?i)python[23]?\\s+-c\\s+.*socket.*pty.*spawn") ||
+ regexMatch("log.message", "(?i)python[23]?\\s+-c\\s+.*socket.*connect.*subprocess") ||
+ regexMatch("log.message", "(?i)perl\\s+-e\\s+.*socket.*INET.*exec") ||
+ regexMatch("log.message", "(?i)perl\\s+-MIO\\s+-e") ||
+ regexMatch("log.message", "(?i)php\\s+-r\\s+.*fsockopen") ||
+ regexMatch("log.message", "(?i)ruby\\s+-rsocket\\s+-e") ||
+ regexMatch("log.message", "(?i)ruby\\s+-e\\s+.*TCPSocket") ||
+ regexMatch("log.message", "(?i)socat\\s+.*exec.*tcp") ||
+ regexMatch("log.message", "(?i)socat\\s+.*tcp.*exec") ||
+ regexMatch("log.message", "(?i)awk\\s+.*\\/inet\\/tcp\\/") ||
+ regexMatch("log.message", "(?i)xterm\\s+-display\\s+\\d+") ||
+ regexMatch("log.message", "(?i)telnet\\s+.*\\|\\s*/bin/(ba)?sh") ||
+ regexMatch("log.message", "(?i)mkfifo\\s+/tmp/.*&&.*nc\\s+") ||
+ regexMatch("log.message", "(?i)mknod\\s+/tmp/.*&&.*nc\\s+"))
+', '2026-02-09 16:39:10.472050', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (342, 'Reverse Shell Patterns in System Logs', 3, 3, 3, 'Execution', 'T1059.004 - Command and Scripting Interpreter: Unix Shell', 'Detects common reverse shell patterns in system logs including bash TCP redirects, netcat shells, python socket connections, and other common reverse shell one-liners.
+
+Next Steps:
+1. Immediately isolate the affected system
+2. Identify the destination IP and port of the reverse shell
+3. Determine the initial access vector
+4. Check for data exfiltration or lateral movement
+5. Block the C2 IP at the network perimeter
+6. Perform full incident response on the host
+', '["https://attack.mitre.org/techniques/T1059/004/"]', 'regexMatch("log.message", "(?i)bash\\s+-i\\s+>&\\s+/dev/tcp/") ||
+regexMatch("log.message", "(?i)python[23]?\\s+-c\\s+.*socket.*connect") ||
+regexMatch("log.message", "(?i)nc\\s+(-e|--exec)\\s+/bin/(ba)?sh") ||
+regexMatch("log.message", "(?i)socat\\s+.*exec.*tcp") ||
+regexMatch("log.message", "(?i)perl\\s+-e\\s+.*socket.*INET") ||
+regexMatch("log.message", "(?i)php\\s+-r\\s+.*fsockopen") ||
+regexMatch("log.message", "(?i)ruby\\s+-rsocket") ||
+regexMatch("log.message", "(?i)mkfifo\\s+/tmp/.*\\|.*nc\\s+")
+', '2026-02-09 16:39:10.606388', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (343, 'Root Certificate Installation Detected', 2, 3, 1, 'Defense Evasion', 'T1553.004 - Subvert Trust Controls: Install Root Certificate', 'Detects the installation of root certificates on Linux systems using update-ca-certificates or update-ca-trust. Attackers install rogue root certificates to enable TLS interception (man-in-the-middle attacks), bypass certificate pinning, or establish trust for malicious code signing.
+
+Next Steps:
+1. Identify which certificate was installed and its issuer
+2. Verify if the certificate installation was authorized
+3. Check /usr/local/share/ca-certificates/ and /etc/pki/ca-trust/source/ for new certificates
+4. Examine the process and user that triggered the certificate installation
+5. Look for signs of TLS interception or MITM activity
+6. Remove unauthorized certificates and update the trust store
+', '["https://attack.mitre.org/techniques/T1553/004/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml"]', 'contains("log.message", ["update-ca-certificates", "update-ca-trust"]) &&
+!contains("log.message", ["apt", "yum", "dnf", "dpkg"])
+', '2026-02-09 16:39:10.757972', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (344, 'Security Tools Disabled or Stopped', 2, 3, 3, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects commands used to stop, disable, or remove security tools on Linux systems. This includes firewalls (iptables, firewalld, ufw, nftables), EDR agents (falcon-sensor, cbdaemon, mdatp), SELinux/AppArmor enforcement, and other security services. Attackers disable security tools early in the kill chain to avoid detection during subsequent exploitation phases.
+
+Next Steps:
+1. Immediately verify if the security tool disabling was authorized
+2. Check if the affected security tools are currently running
+3. Re-enable any disabled security tools immediately
+4. Investigate the user account and process that issued the command
+5. Look for subsequent malicious activity that the attacker was trying to hide
+6. Check for persistence mechanisms that disable security tools at boot
+7. Verify SELinux/AppArmor enforcement status
+8. Review other hosts for similar security tool disabling patterns
+', '["https://attack.mitre.org/techniques/T1562/001/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)systemctl\\s+(stop|disable|mask)\\s+(iptables|firewalld|ufw|nftables|falcon-sensor|cbdaemon|cbsensor|mdatp|clamd|ossec|wazuh|auditd|rsyslog|syslog-ng|apparmor)") ||
+ regexMatch("log.message", "(?i)service\\s+(iptables|firewalld|ufw|falcon-sensor|cbdaemon|auditd|rsyslog|apparmor)\\s+stop") ||
+ contains("log.message", "setenforce 0") ||
+ contains("log.message", "setenforce Permissive") ||
+ regexMatch("log.message", "(?i)aa-teardown") ||
+ regexMatch("log.message", "(?i)apparmor_parser\\s+-R") ||
+ regexMatch("log.message", "(?i)(apt|yum|dnf|rpm)\\s+.*(remove|erase)\\s+(iptables|firewalld|falcon-sensor|clamav|ossec|wazuh|auditd)"))
+', '2026-02-09 16:39:10.902131', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (345, 'Ruby Reverse Shell Detected', 3, 3, 2, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects Ruby-based reverse shell execution patterns using TCPSocket. Attackers use Ruby''s TCPSocket class to establish a reverse shell connection, redirecting stdin/stdout/stderr to a remote socket for interactive command execution.
+
+Next Steps:
+1. Immediately isolate the affected system from the network
+2. Identify the destination IP and port of the reverse shell connection
+3. Determine how the attacker gained initial access to execute Ruby
+4. Check for other compromised systems connecting to the same C2 address
+5. Review process tree to identify the parent process that spawned Ruby
+6. Examine the system for persistence mechanisms and lateral movement
+', '["https://attack.mitre.org/techniques/T1059/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml"]', 'contains("log.message", "ruby") &&
+(
+  contains("log.message", "TCPSocket") ||
+  (contains("log.message", "socket") && contains("log.message", "spawn"))
+) &&
+contains("log.message", ["/bin/sh", "/bin/bash", "exec"])
+', '2026-02-09 16:39:11.063049', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (443, 'System Linux: A user has been added to the administrators group', 3, 3, 2, 'Privilege Escalation', 'T1484 - Domain Policy Modification', 'Detects when a user has been added to the administrators group (sudo) on a Linux system.', '["https://attack.mitre.org/tactics/TA0004","https://attack.mitre.org/techniques/T1484/"]', 'regexMatch("log.message", "(((adduser|useradd|usermod)(.+)([Aa]dded user|new user|add)(.+)to(.+)group)(.+)sudo)") && contains("log.message", "usermod -aG sudo")', '2026-02-09 16:51:30.647303', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (346, 'Suspicious Access to Sensitive System Files', 3, 3, 2, 'Credential Access', 'T1003.008 - OS Credential Dumping: /etc/passwd and /etc/shadow', 'Detects suspicious access to critical system files including /etc/passwd, /etc/shadow, /etc/sudoers, /etc/crontab, and sensitive directories like /boot, /bin, /sbin. While system administrators may legitimately access these files, unusual access patterns can indicate credential theft, privilege escalation, or system tampering.
+
+Next Steps:
+1. Verify the user account accessing the sensitive files and their authorization
+2. Check the specific command used (cat, vi, nano, cp, scp)
+3. Determine if this aligns with legitimate administrative activity
+4. Review the access context - was it from an interactive session or automated process?
+5. Check for concurrent suspicious activities (reverse shells, lateral movement)
+6. If unauthorized, immediately reset affected credentials
+7. Audit file permissions on sensitive files
+', '["https://attack.mitre.org/techniques/T1003/008/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)(cat|less|more|head|tail|vi|vim|nano|emacs|sed|awk)\\s+/etc/(shadow|gshadow)") ||
+ regexMatch("log.message", "(?i)(vi|vim|nano|emacs|sed)\\s+/etc/(passwd|sudoers|crontab)") ||
+ regexMatch("log.message", "(?i)(vi|vim|nano|emacs|sed)\\s+/etc/ssh/sshd_config") ||
+ regexMatch("log.message", "(?i)(cp|scp|rsync)\\s+/etc/(shadow|gshadow|passwd)"))
+', '2026-02-09 16:39:11.211998', true, false, 'origin', null, '[{"indexPattern":"v11-log-linux-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-15m","count":3}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (347, 'Setcap Privilege Escalation via cap_setuid', 3, 3, 2, 'Privilege Escalation', 'T1548 - Abuse Elevation Control Mechanism', 'Detects the use of setcap to grant cap_setuid or other dangerous capabilities to binaries. Linux capabilities allow splitting root privileges into distinct units. The cap_setuid capability allows a process to change its UID, effectively gaining root access. Attackers use setcap to create persistent privilege escalation backdoors that are harder to detect than traditional SUID bits.
+
+Next Steps:
+1. Identify the binary that was granted dangerous capabilities
+2. Determine if this is a legitimate administrative action
+3. Check the binary''s integrity against package manager records
+4. Remove unauthorized capabilities: setcap -r /path/to/binary
+5. Search for other binaries with dangerous capabilities: getcap -r / 2>/dev/null
+6. Investigate how the attacker gained the privileges needed to run setcap
+7. Check if the capability-enhanced binary has been used for privilege escalation
+', '["https://attack.mitre.org/techniques/T1548/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_cap_setuid.yml","https://gtfobins.github.io/"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)setcap\\s+.*cap_setuid") ||
+ regexMatch("log.message", "(?i)setcap\\s+.*cap_setgid") ||
+ regexMatch("log.message", "(?i)setcap\\s+.*cap_sys_admin") ||
+ regexMatch("log.message", "(?i)setcap\\s+.*cap_sys_ptrace") ||
+ regexMatch("log.message", "(?i)setcap\\s+.*cap_dac_override") ||
+ regexMatch("log.message", "(?i)setcap\\s+.*cap_net_raw") ||
+ regexMatch("log.message", "(?i)setcap\\s+.*cap_net_admin"))
+', '2026-02-09 16:39:11.356679', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (348, 'Shellshock Exploitation Attempt Detected', 3, 3, 3, 'Exploitation', 'T1505.003 - Server Software Component: Web Shell', 'Detects the Shellshock (CVE-2014-6271) exploitation pattern in system logs. The characteristic () { :; }; sequence in environment variables exploits a bash vulnerability that allows arbitrary command execution. Despite being discovered in 2014, Shellshock is still actively exploited against unpatched systems.
+
+Next Steps:
+1. Immediately patch bash on the affected system if vulnerable
+2. Identify the attack vector (CGI script, DHCP client, SSH ForceCommand)
+3. Determine if the exploitation was successful and what commands were executed
+4. Check for follow-up malware installation or persistence
+5. Review network logs for the source of the attack
+6. Scan all systems for the Shellshock vulnerability
+', '["https://attack.mitre.org/techniques/T1505/003/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/builtin/lnx_shellshock.yml","https://nvd.nist.gov/vuln/detail/CVE-2014-6271"]', 'regexMatch("log.message", "\\(\\)\\s*\\{\\s*:;\\s*\\};")
+', '2026-02-09 16:39:11.502542', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (349, 'SSH Authorized Key Injection via System Logs', 3, 3, 1, 'Persistence', 'T1098.004 - Account Manipulation: SSH Authorized Keys', 'Detects unauthorized modifications to SSH authorized_keys files as seen in system logs, indicating potential persistence via injected SSH public keys.
+
+Next Steps:
+1. Review the authorized_keys file for unauthorized keys
+2. Identify the user and process that made the change
+3. Check SSH login logs for connections using the new key
+4. Remove unauthorized keys and rotate credentials
+5. Monitor for subsequent connections from unknown sources
+', '["https://attack.mitre.org/techniques/T1098/004/"]', 'contains("log.message", "authorized_keys") &&
+(contains("log.message", "modified") || contains("log.message", "write") ||
+ contains("log.message", "opened for writing") || contains("log.message", "changed"))
+', '2026-02-09 16:39:11.663111', true, false, 'origin', null, '[{"indexPattern":"v11-log-linux-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"},{"field":"log.message","operator":"filter_match","value":"authorized_keys"}],"or":null,"within":"now-1h","count":3}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (350, 'Sudo Privilege Escalation Attempts', 3, 3, 2, 'Privilege Escalation', 'T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching', 'Detects unauthorized sudo usage attempts and privilege escalation through sudo command execution. This rule identifies failed sudo attempts including users not in sudoers file, authentication failures, and command restrictions.
+
+Next Steps:
+1. Verify the legitimacy of the user attempting sudo access
+2. Review the specific command that was attempted
+3. Check if this is part of a broader privilege escalation campaign
+4. Examine system logs for additional suspicious activity from this user/host
+5. Consider implementing additional sudo restrictions if unauthorized access attempts persist
+6. Correlate with other authentication events from the same user or host
+', '["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html","https://attack.mitre.org/techniques/T1548/003/"]', 'contains("log.message", "sudo") && (contains("log.message", "NOT in sudoers") || contains("log.message", "authentication failure") || contains("log.message", "command not allowed")) && exists("origin.host")', '2026-02-09 16:39:11.812675', true, false, 'origin', null, '[{"indexPattern":"v11-log-linux-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-10m","count":3}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (696, 'Windows: PowerShell PSReflect Script', 2, 3, 1, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.', '["https://attack.mitre.org/tactics/TA0002/","https://attack.mitre.org/techniques/T1059/"]', 'regexMatch("log.message", "(New-InMemoryModule|Add-Win32Type|psenum|DefineDynamicAssembly|DefineDynamicModule|Reflection.TypeAttributes|Reflection.Emit.OpCodes|Reflection.Emit.CustomAttributeBuilder|Runtime.InteropServices.DllImportAttribute)")', '2026-02-09 16:57:29.062478', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (351, 'SUID/SGID Bit Set on Binary - Potential Backdoor', 3, 3, 2, 'Privilege Escalation', 'T1548.001 - Abuse Elevation Control Mechanism: Setuid and Setgid', 'Detects the use of chmod to set SUID (u+s) or SGID (g+s) bits on binaries, especially after a chown to root. Attackers use SUID/SGID bits to create backdoors that allow any user to execute a binary with root privileges. This is a well-known persistence and privilege escalation technique.
+
+Next Steps:
+1. Identify the binary that had the SUID/SGID bit set
+2. Determine if this is a known system binary or a dropped malicious file
+3. Check the binary''s contents and compare against package manager originals
+4. Review who set the SUID/SGID bit and their authorization level
+5. Remove the SUID/SGID bit from unauthorized binaries (chmod u-s g-s)
+6. Search for other SUID/SGID binaries that may have been modified: find / -perm -4000
+7. Investigate how the attacker gained root access to set the bit
+', '["https://attack.mitre.org/techniques/T1548/001/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)chmod\\s+.*[ug]\\+s\\s+") ||
+ regexMatch("log.message", "(?i)chmod\\s+[46][0-7]{3}\\s+") ||
+ regexMatch("log.message", "(?i)chmod\\s+.*4755\\s+") ||
+ regexMatch("log.message", "(?i)chmod\\s+.*2755\\s+") ||
+ regexMatch("log.message", "(?i)chmod\\s+.*6755\\s+"))
+', '2026-02-09 16:39:11.967086', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (352, 'Suspicious Package Installation Detected', 2, 2, 1, 'Execution', 'T1072 - Software Deployment Tools', 'Detects the installation of offensive security tools or suspicious packages via apt, yum, or dnf. Packages like nmap, netcat, wireshark, proxychains, socat, and similar tools are commonly installed by attackers during post-exploitation for reconnaissance, pivoting, and lateral movement.
+
+Next Steps:
+1. Verify if the package installation was authorized by system administrators
+2. Identify the user who installed the package and their access context
+3. Check for other reconnaissance or exploitation activity from the same user
+4. Review if the tools were actually used after installation
+5. Remove unauthorized tools and restrict package installation privileges
+6. Investigate how the attacker obtained privileges to install packages
+', '["https://attack.mitre.org/techniques/T1072/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_install_suspicious_packages.yml"]', 'contains("log.message", ["apt install", "apt-get install", "yum install", "dnf install"]) &&
+contains("log.message", ["nmap", "netcat", "ncat", "wireshark", "tshark", "proxychains", "socat", "masscan", "hydra", "john", "hashcat", "aircrack", "ettercap", "responder", "mimikatz", "crackmapexec", "enum4linux"])
+', '2026-02-09 16:39:12.107949', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (353, 'SSH Brute Force Attempts', 3, 3, 2, 'Credential Access', 'T1110.001 - Brute Force: Password Guessing', 'Detects multiple failed SSH authentication attempts from the same source IP address, indicating a potential brute force attack against SSH services. This rule identifies patterns where an attacker attempts to guess passwords by making repeated login attempts.
+
+Next Steps:
+1. Immediately block the attacking IP address at the firewall level
+2. Review SSH logs for the timeframe to identify targeted usernames
+3. Check if any successful logins occurred from the same IP after failed attempts
+4. Verify SSH configuration follows security best practices (disable root login, use key-based authentication)
+5. Consider implementing fail2ban or similar intrusion prevention tools
+6. Monitor for lateral movement if any accounts were compromised
+7. Review other systems for similar brute force attempts from the same IP
+8. Consider adding the IP to threat intelligence feeds if confirmed malicious
+', '["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html","https://attack.mitre.org/techniques/T1110/001/"]', 'contains("log.message", "Failed password") && contains("log.message", "ssh") && exists("origin.ip")', '2026-02-09 16:39:12.238043', true, false, 'origin', null, '[{"indexPattern":"v11-log-linux-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.message","operator":"filter_match","value":"Failed password"}],"or":null,"within":"now-5m","count":10}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (354, 'Malicious Systemd Timer Creation', 2, 3, 2, 'Persistence', 'T1053.006 - Scheduled Task/Job: Systemd Timers', 'Detects creation or enablement of systemd timer units through system logs, which attackers use for persistent scheduled execution of malicious payloads.
+
+Next Steps:
+1. Review the timer unit and associated service unit file contents
+2. Check the ExecStart directive for suspicious binaries or scripts
+3. Verify the timer was created by an authorized administrator
+4. Compare against baseline of known legitimate timers
+5. If unauthorized, disable the timer and investigate
+', '["https://attack.mitre.org/techniques/T1053/006/"]', '(contains("log.message", "systemd") || contains("log.message", "systemctl")) &&
+contains("log.message", ".timer") &&
+(contains("log.message", "enabled") || contains("log.message", "Created symlink")) &&
+!contains("log.message", ["logrotate", "man-db", "fstrim", "apt-daily", "snapd", "certbot", "unattended-upgrades"])
+', '2026-02-09 16:39:12.381816', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (355, 'Timestomping of Service Files Detected', 1, 3, 1, 'Defense Evasion', 'T1070.006 - Indicator Removal: Timestomp', 'Detects the use of touch -t to modify timestamps on .service files. Attackers use timestomping to make malicious systemd service files appear as if they were created during system installation, hiding persistence mechanisms from forensic analysis.
+
+Next Steps:
+1. Identify the specific .service files that were timestomped
+2. Examine the contents of those service files for malicious commands
+3. Compare file timestamps with package manager records (dpkg/rpm)
+4. Check if the service files reference suspicious executables
+5. Review systemd unit files for unauthorized additions
+6. Verify the integrity of all service files against known-good baselines
+', '["https://attack.mitre.org/techniques/T1070/006/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml"]', 'contains("log.message", "touch") &&
+contains("log.message", "-t") &&
+contains("log.message", ".service")
+', '2026-02-09 16:39:12.521919', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (356, 'Triple Cross eBPF Rootkit Installation Detected', 3, 3, 3, 'Malware Detection', 'T1014 - Rootkit', 'Detects installation of the Triple Cross eBPF rootkit. This rootkit uses the Linux Traffic Control (tc) subsystem with qdisc and filter commands to install eBPF programs that can hide processes, files, and network connections while providing a backdoor. The characteristic pattern is sudo tc with qdisc/filter subcommands.
+
+Next Steps:
+1. Immediately isolate the affected system from the network
+2. Check for eBPF programs loaded in the kernel (bpftool prog list)
+3. Examine tc qdisc and filter configurations for malicious entries
+4. Review loaded kernel modules and eBPF programs
+5. Check for hidden processes, files, and network connections
+6. Consider reimaging the system as rootkit removal is unreliable
+', '["https://attack.mitre.org/techniques/T1014/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml","https://github.com/h3xduck/TripleCross"]', 'contains("log.message", "sudo") &&
+contains("log.message", " tc ") &&
+(contains("log.message", "qdisc") || contains("log.message", "filter"))
+', '2026-02-09 16:39:12.666738', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (357, 'Webshell Activity - Web Server Spawning Suspicious Commands', 3, 3, 3, 'Persistence', 'T1505.003 - Server Software Component: Web Shell', 'Detects web server processes (httpd, nginx, apache2, tomcat, java) spawning reconnaissance or system commands such as whoami, ifconfig, uname, id, cat, crontab, wget, curl. This pattern strongly indicates an active webshell being used by an attacker to execute commands on the compromised server.
+
+Next Steps:
+1. Immediately isolate the web server from the network
+2. Identify the specific webshell file by reviewing web server access logs around the alert time
+3. Search for recently created or modified files in web-accessible directories
+4. Check for uploaded files with PHP, JSP, ASP, or CGI extensions
+5. Review the commands executed through the webshell to assess scope of compromise
+6. Look for lateral movement or data exfiltration from this host
+7. Patch the vulnerability that allowed the webshell upload
+8. Restore web application files from a clean, verified backup
+', '["https://attack.mitre.org/techniques/T1505/003/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)(httpd|nginx|apache2|tomcat|catalina|java).*child process.*(whoami|ifconfig|uname|id |cat |crontab|wget |curl )") ||
+ regexMatch("log.message", "(?i)(httpd|nginx|apache2|tomcat|catalina)\\[\\d+\\].*exec.*(whoami|ifconfig|uname|/bin/id|/bin/cat|/bin/sh|/bin/bash|wget|curl)") ||
+ (contains("log.message", ["httpd", "nginx", "apache2", "tomcat"]) &&
+  contains("log.message", ["whoami", "ifconfig", "uname -a", "/etc/passwd", "id;", "cat /etc"])))
+', '2026-02-09 16:39:12.822317', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (358, 'Kafka Connect Malicious Connector Detection', 3, 3, 2, 'Code Execution', 'T1059 - Command and Scripting Interpreter', 'Detects deployment of potentially malicious Kafka Connect connectors. Attackers can deploy connectors to exfiltrate data to external systems, inject malicious data, or execute code through custom connector plugins.
+
+Next Steps:
+1. Review the connector configuration and plugin class
+2. Verify the connector deployment was authorized
+3. Check the connector source/sink endpoints for legitimacy
+4. Remove unauthorized connectors immediately
+5. Restrict Kafka Connect REST API access
+6. Implement connector class allowlisting
+', '["https://kafka.apache.org/documentation/#connect","https://attack.mitre.org/techniques/T1059/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "connector") && contains("log.message", "created")) ||
+  (contains("log.message", "connector") && contains("log.message", "Starting")) ||
+  contains("log.message", "ConnectorConfig") ||
+  (contains("log.message", "PUT /connectors/") && contains("log.message", "config")) ||
+  (contains("log.message", "POST /connectors") && !contains("log.message", "status")) ||
+  (contains("log.message", "connector.class") && (
+    contains("log.message", "FileStreamSink") ||
+    contains("log.message", "FileStreamSource") ||
+    contains("log.message", "S3Sink") ||
+    contains("log.message", "HttpSink")
+  ))
+)
+', '2026-02-09 16:39:12.962654', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (359, 'Kafka Unauthorized Producer Spoofing Detection', 1, 3, 2, 'Data Manipulation', 'T1565.001 - Data Manipulation: Stored Data Manipulation', 'Detects unauthorized message production to Kafka topics that could indicate data injection or message spoofing. Monitors for producer authorization failures and unusual producer registrations.
+
+Next Steps:
+1. Identify the unauthorized producer client and source host
+2. Review the messages produced to verify data integrity
+3. Check Kafka ACLs for producer permissions
+4. Block unauthorized producers via ACL configuration
+5. Implement idempotent producer settings for critical topics
+6. Review topic data for injected or manipulated messages
+', '["https://kafka.apache.org/documentation/#producerconfigs","https://attack.mitre.org/techniques/T1565/001/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "TOPIC_AUTHORIZATION_FAILED") && contains("log.message", "Produce")) ||
+  (contains("log.message", "not authorized to") && contains("log.message", "Write")) ||
+  (equals("log.severity", "ERROR") && contains("log.message", "ProduceRequest") && contains("log.message", "authorization")) ||
+  (contains("log.message", "transactional.id") && contains("log.message", "authorization"))
+)
+', '2026-02-09 16:39:13.092622', true, false, 'origin', null, '[{"indexPattern":"v11-log-kafka-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"},{"field":"log.message","operator":"filter_match","value":"TOPIC_AUTHORIZATION_FAILED OR not authorized OR ProduceRequest"}],"or":null,"within":"now-10m","count":5}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (360, 'Kafka Topic Deletion Detection', 1, 3, 3, 'Data Destruction', 'T1485 - Data Destruction', 'Detects Kafka topic deletion operations that could result in message data loss. Topic deletion is a destructive operation that permanently removes all messages and partitions.
+
+Next Steps:
+1. Verify if the topic deletion was authorized
+2. Identify the user or service that initiated the deletion
+3. Check if any dependent applications were affected
+4. Review if message data can be recovered from other consumers
+5. Restrict topic deletion via Kafka ACLs
+6. Implement topic deletion protection for critical topics
+', '["https://kafka.apache.org/documentation/#topicconfigs","https://attack.mitre.org/techniques/T1485/"]', 'exists("log.message") &&
+(
+  contains("log.message", "Topic deletion") ||
+  (contains("log.message", "DeleteTopics") && !contains("log.message", "TOPIC_AUTHORIZATION_FAILED")) ||
+  contains("log.message", "Deleting topic") ||
+  (contains("log.message", "topic") && contains("log.message", "marked for deletion")) ||
+  contains("log.message", "TopicDeletion")
+)
+', '2026-02-09 16:39:13.237029', true, false, 'origin', null, '[{"indexPattern":"v11-log-kafka-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-10m","count":3}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (361, 'NATS Unauthorized Route Poisoning Detection', 2, 3, 3, 'Network Manipulation', 'T1557 - Adversary-in-the-Middle', 'Detects unauthorized route advertisements and cluster join attempts in NATS. Attackers inject rogue routes to intercept messages, disrupt cluster operations, or perform man-in-the-middle attacks.
+
+Next Steps:
+1. Verify the connecting route/node is an authorized cluster member
+2. Review the cluster route configuration
+3. Check for any unauthorized servers in the cluster
+4. Disconnect unauthorized routes immediately
+5. Implement route authentication and TLS verification
+6. Monitor cluster topology for unexpected changes
+', '["https://docs.nats.io/running-a-nats-service/configuration/clustering","https://attack.mitre.org/techniques/T1557/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "route") && contains("log.message", "added")) ||
+  (contains("log.message", "route") && contains("log.message", "connected")) ||
+  (contains("log.message", "cluster") && contains("log.message", "unauthorized")) ||
+  (contains("log.message", "gateway") && contains("log.message", "unknown")) ||
+  (contains("log.message", "leaf node") && contains("log.message", "unauthorized")) ||
+  (equals("log.severity", "ERROR") && contains("log.message", "route") && contains("log.message", "TLS"))
+)
+', '2026-02-09 16:39:13.372724', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (363, 'NATS Credential Theft Detection', 3, 2, 1, 'Credential Access', 'T1528 - Steal Application Access Token', 'Detects credential theft attempts in NATS including repeated authentication failures, token replay attempts, and unauthorized credential access patterns that go beyond simple JWT validation failures.
+
+Next Steps:
+1. Review the authentication failure patterns and source hosts
+2. Check if any stolen credentials were successfully used
+3. Rotate compromised credentials immediately
+4. Review NATS account and user configurations
+5. Implement IP-based access restrictions
+6. Monitor for lateral movement using stolen credentials
+', '["https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro","https://attack.mitre.org/techniques/T1528/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "authentication") && contains("log.message", "failed")) ||
+  (contains("log.message", "Authorization") && contains("log.message", "Violation")) ||
+  (contains("log.message", "nkey") && contains("log.message", "not found")) ||
+  (contains("log.message", "token") && contains("log.message", "expired")) ||
+  (contains("log.message", "credentials") && contains("log.message", "invalid")) ||
+  (contains("log.message", "bad client credentials") && exists("origin.ip"))
+)
+', '2026-02-09 16:39:13.583614', true, false, 'origin', null, '[{"indexPattern":"v11-log-nats-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"},{"field":"log.message","operator":"filter_match","value":"authentication failed OR Authorization Violation OR credentials invalid"}],"or":null,"within":"now-10m","count":10}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (364, 'NATS Wildcard Subscription Monitoring Detection', 3, 1, 1, 'Collection', 'T1040 - Network Sniffing', 'Detects NATS ">" wildcard subscriptions that capture all messages across all subjects. This pattern is used by attackers to intercept and monitor all messaging traffic within the NATS cluster.
+
+Next Steps:
+1. Identify the client that created the wildcard subscription
+2. Verify if the subscription is from a legitimate monitoring service
+3. Review the account and user permissions for the subscriber
+4. Remove unauthorized wildcard subscriptions
+5. Implement subject-level ACLs to restrict subscriptions
+6. Monitor the subscriber for data exfiltration
+', '["https://docs.nats.io/nats-concepts/subjects#wildcards","https://attack.mitre.org/techniques/T1040/"]', 'exists("log.message") &&
+(
+  regexMatch("log.message", "(?i)subscribe\\s+>") ||
+  (contains("log.message", "SUB >") && !contains("log.message", "system")) ||
+  (contains("log.message", "subscription") && contains("log.message", ">") && !contains("log.message", "_INBOX")) ||
+  (contains("log.message", "wildcard") && contains("log.message", "subscription"))
+)
+', '2026-02-09 16:39:13.727650', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (365, 'Traefik Docker/Kubernetes Provider Exploitation Detection', 3, 3, 3, 'Container Exploitation', 'T1610 - Deploy Container', 'Detects exploitation of Traefik''s Docker or Kubernetes provider integration. Attackers can manipulate container labels or Kubernetes annotations to inject malicious routing rules, redirect traffic, or gain access to internal services.
+
+Next Steps:
+1. Review recent Docker/Kubernetes label and annotation changes
+2. Check for unauthorized routing rules in Traefik configuration
+3. Verify container deployments are from authorized registries
+4. Review Traefik provider configuration for excessive permissions
+5. Restrict Docker socket access and Kubernetes RBAC
+6. Monitor for unauthorized traffic routing changes
+', '["https://doc.traefik.io/traefik/providers/docker/","https://attack.mitre.org/techniques/T1610/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "provider") && contains("log.message", "docker") && contains("log.message", "error")) ||
+  (contains("log.message", "provider") && contains("log.message", "kubernetes") && contains("log.message", "error")) ||
+  (contains("log.message", "label") && contains("log.message", "traefik") && contains("log.message", "changed")) ||
+  (contains("log.message", "router") && contains("log.message", "added") && !contains("log.message", "middleware")) ||
+  (contains("log.message", "service") && contains("log.message", "created") && contains("log.message", "docker")) ||
+  (contains("log.message", "ingress") && contains("log.message", "updated") && contains("log.message", "traefik"))
+)
+', '2026-02-09 16:39:13.867023', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (366, 'Traefik SSRF via Service Discovery Detection', 3, 2, 1, 'Server-Side Request Forgery', 'T1090 - Proxy', 'Detects SSRF attempts through Traefik service discovery mechanisms. Attackers manipulate service registrations or routing rules to force Traefik to proxy requests to internal services or cloud metadata endpoints.
+
+Next Steps:
+1. Review the request for internal IP or metadata endpoint references
+2. Check Traefik routing rules for unauthorized backend targets
+3. Verify service discovery configurations for tampering
+4. Implement IP allowlisting for backend services
+5. Block access to metadata endpoints at the network level
+6. Block the source IP if confirmed malicious
+', '["https://owasp.org/www-community/attacks/Server_Side_Request_Forgery","https://attack.mitre.org/techniques/T1090/"]', 'exists("origin.ip") &&
+(
+  (exists("origin.path") && (
+    contains("origin.path", "169.254.169.254") ||
+    contains("origin.path", "metadata.google.internal") ||
+    regexMatch("origin.path", "(?i)https?://(127\\.0\\.0\\.1|localhost|0\\.0\\.0\\.0)") ||
+    contains("origin.path", "file:///") ||
+    contains("origin.path", "gopher://")
+  )) ||
+  (exists("log.message") && (
+    regexMatch("log.message", "(?i)backend.*127\\.0\\.0\\.1") ||
+    regexMatch("log.message", "(?i)backend.*169\\.254\\.169\\.254") ||
+    (contains("log.message", "service") && contains("log.message", "localhost"))
+  ))
+)
+', '2026-02-09 16:39:14.007307', true, false, 'origin', null, '[]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (367, 'Admin Account Compromise Indicators', 3, 3, 2, 'Defense Evasion, Persistence, Privilege Escalation, Initial Access', 'T1078 - Valid Accounts', 'Detects multiple failed admin login attempts followed by a successful login from the same IP address, indicating potential account compromise through credential stuffing or brute force attacks.
+
+Next Steps:
+1. Review the source IP address and check if it''s from an expected location
+2. Contact the admin user to verify if the login was legitimate
+3. Check for any suspicious activities performed after the successful login
+4. Review other authentication logs from the same IP address
+5. Consider implementing IP-based access controls for admin accounts
+6. Enable multi-factor authentication if not already configured
+7. Reset the compromised admin account password if unauthorized access is confirmed
+', '["https://attack.mitre.org/techniques/T1078/","https://docs.fortinet.com/document/fortigate/7.4.1/fortios-log-message-reference/160372/list-of-log-types-and-subtypes"]', 'equals("log.logid", "0100032001") && 
+equals("log.type", "event") && 
+equals("log.subtype", "system") && 
+equals("log.logdesc", "Admin login successful") && 
+exists("origin.ip") &&
+exists("log.user")
+', '2026-02-09 16:41:54.437750', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortigate-traffic-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.logdesc","operator":"filter_term","value":"Admin login failed"},{"field":"log.user","operator":"filter_term","value":"{{log.user}}"}],"or":null,"within":"now-15m","count":5}]', '["adversary.ip","target.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (368, 'Fortinet Antivirus Malware Outbreak Detection', 3, 3, 2, 'Initial Access', 'T1566 - Phishing', 'Detects potential malware outbreak when multiple antivirus detections occur from the same source or targeting multiple destinations in a short time period. This could indicate a widespread infection attempt or a compromised system attempting to spread malware.
+
+Next Steps:
+1. Identify the specific malware detected by reviewing the virus field in the alert details
+2. Isolate the affected source IP addresses to prevent further spread
+3. Check if the blocked malware attempts indicate successful infections on any endpoints
+4. Review antivirus logs for the specific virus signature to understand the threat
+5. Scan all systems that communicated with the identified source IPs
+6. Update antivirus signatures and ensure all endpoints are protected
+7. Consider blocking the source IP at the perimeter if it''s external
+8. Document all affected systems and remediation actions taken
+', '["https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/198726/antivirus","https://attack.mitre.org/techniques/T1566/"]', 'equals("log.type", "utm") && 
+equals("log.subtype", "virus") && 
+equals("action", "blocked") &&
+(exists("origin.ip") || exists("target.ip"))
+', '2026-02-09 16:41:54.583358', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortigate-traffic-*","with":[{"field":"log.type","operator":"filter_term","value":"utm"},{"field":"log.subtype","operator":"filter_term","value":"virus"},{"field":"action","operator":"filter_term","value":"blocked"}],"or":null,"within":"now-1h","count":5}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (369, 'FortiGate Admin Login from Unusual Source', 3, 2, 1, 'Initial Access', 'T1078 - Valid Accounts', 'Detects FortiGate admin logins from unusual or external IP addresses. Successful administrative access from non-management networks may indicate credential compromise.
+
+Next Steps:
+1. Verify the login was performed by a legitimate administrator
+2. Check the geographic location of the source IP
+3. Review actions performed during the admin session
+4. Verify if trusted host restrictions are configured for admin accounts
+5. Enable MFA for administrator accounts if not already active
+6. If unauthorized, disable the account and audit recent changes
+', '["https://docs.fortinet.com/document/fortigate/7.4.1/fortios-log-message-reference/160372/list-of-log-types-and-subtypes","https://attack.mitre.org/techniques/T1078/"]', 'equals("log.logid", "0100032001") &&
+equals("log.type", "event") &&
+equals("log.subtype", "system") &&
+equals("log.logdesc", "Admin login successful") &&
+exists("origin.ip") &&
+!inCIDR("origin.ip", "10.0.0.0/8") &&
+!inCIDR("origin.ip", "172.16.0.0/12") &&
+!inCIDR("origin.ip", "192.168.0.0/16") &&
+!inCIDR("origin.ip", "127.0.0.0/8")
+', '2026-02-09 16:41:54.727193', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (370, 'Data Loss Prevention Trigger', 3, 2, 1, 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 'Detects attempts to exfiltrate sensitive data that triggers DLP policies. This includes detection of credit card numbers, social security numbers, PII, financial records, and other regulated data attempting to leave the network.
+
+Next Steps:
+1. Identify the source IP and user associated with the DLP violation
+2. Review the DLP profile that was triggered to understand what type of sensitive data was involved
+3. Check if this is part of a pattern of data exfiltration attempts from the same source
+4. Verify if the blocked action was legitimate business activity or potential data theft
+5. Review other logs from the same source IP for suspicious activities
+6. Contact the user if needed to understand the context of the attempted data transfer
+7. Consider implementing additional access controls if unauthorized access to suspected
+', '["https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/153498/data-loss-prevention","https://attack.mitre.org/techniques/T1048/"]', '(equals("log.subtype", "dlp") && equals("log.action", "blocked")) ||
+(contains("log.msg", "DLP sensor")) ||
+(contains("log.msg", "sensitive data detected")) ||
+(exists("log.dlp_profile") && equals("log.dlp_action", "block")) ||
+(contains("log.msg", "Data pattern matched"))
+', '2026-02-09 16:41:54.862436', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortigate-traffic-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.subtype","operator":"filter_term","value":"dlp"}],"or":null,"within":"now-1h","count":3}]', '["lastEvent.log.dlp_profile","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (371, 'FortiGate VPN Authentication Brute Force', 3, 2, 1, 'Credential Access', 'T1133 - External Remote Services', 'Detects multiple SSL-VPN or IPsec VPN authentication failures from the same source IP on FortiGate, indicating brute force or credential stuffing attacks against remote access services.
+
+Next Steps:
+1. Investigate the source IP and check threat intelligence databases
+2. Review if the targeted user accounts exist and are active
+3. Check for any successful VPN connections following the failures
+4. Consider blocking the source IP or geo-restricting VPN access
+5. Enable MFA for VPN access if not already configured
+6. Check if the VPN portal is exposed to the internet unnecessarily
+', '["https://docs.fortinet.com/document/fortigate/7.4.1/fortios-log-message-reference/160372/list-of-log-types-and-subtypes","https://attack.mitre.org/techniques/T1133/"]', 'equals("log.type", "event") &&
+(equals("log.subtype", "vpn") || contains("log.msg", "vpn")) &&
+(contains("log.msg", ["ssl-login-fail", "tunnel-down", "negotiation-error", "auth-fail"]) ||
+ contains("log.logdesc", ["SSL VPN login fail", "IPsec phase1 negotiation failed", "VPN tunnel down"])) &&
+exists("origin.ip")
+', '2026-02-09 16:41:55.007696', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortigate-traffic-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":10}]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (372, 'Fortinet IPS Critical Severity Detection', 3, 3, 2, 'Execution', 'T1203 - Exploitation for Client Execution', 'Detects critical severity IPS events indicating active exploitation attempts or severe security threats targeting the network.
+
+Next Steps:
+1. Immediately investigate the source IP address and determine if it''s malicious
+2. Check if the attack was successfully blocked by reviewing firewall logs
+3. Identify the specific vulnerability or attack pattern that triggered the IPS alert
+4. Review other security events from the same source IP across all systems
+5. Consider blocking the source IP at the perimeter if multiple critical attacks are detected
+6. Update IPS signatures and verify all systems are patched against the detected vulnerability
+7. Document the incident and notify the security team if this is part of a larger campaign
+', '["https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/331728/ips-sensors","https://attack.mitre.org/techniques/T1203/"]', 'contains("log.msg", "type=utm") && contains("log.msg", "subtype=ips") && (contains("log.msg", "severity=critical") || contains("log.msg", "severity=high")) && contains("log.msg", "action=blocked")', '2026-02-09 16:41:55.147127', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortigate-traffic-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":3}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (697, 'Windows: PowerShell Kerberos Ticket Request', 3, 2, 1, 'Credential Access', 'T1059 - Command and Scripting Interpreter', 'Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.', '["https://attack.mitre.org/tactics/TA0006/","https://attack.mitre.org/techniques/T1059/"]', 'regexMatch("log.message", "(KerberosRequestorSecurityToken)")', '2026-02-09 16:57:29.208224', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (373, 'FortiSandbox Malicious File Detection', 3, 3, 2, 'Execution', 'T1204 - User Execution', 'Detects when FortiSandbox identifies a file as malicious based on behavioral analysis and static scanning. This indicates active malware attempting to infiltrate the network through file transfers or downloads.
+
+Next Steps:
+- Immediately isolate the source IP address and affected systems
+- Identify the file hash and search for other instances across the network
+- Review network traffic from the source IP for additional suspicious activity
+- Check if the malicious file was successfully blocked or if remediation is needed
+- Update endpoint protection signatures with the identified file hash
+- Investigate the user account associated with the file download/transfer
+- Document the incident and notify the security team for further analysis
+', '["https://docs.fortinet.com/document/fortisandbox/4.4.0/administration-guide/274898/how-files-determined-to-be-suspicious-low-medium-or-high","https://attack.mitre.org/techniques/T1204/"]', '(equals("log.subtype", "sandbox") && equals("log.verdict", "malicious")) ||
+(contains("log.msg", "sandbox verdict: malicious")) ||
+(equals("log.risk", "high") && equals("log.subtype", "sandbox")) ||
+(contains("log.msg", "FortiSandbox detected malware")) ||
+(contains("log.msg", "verdict=malicious")) ||
+(contains("log.msg", "subtype=sandbox") && contains("log.msg", "malicious"))
+', '2026-02-09 16:41:55.296635', true, false, 'origin', null, '[]', '["lastEvent.log.filehash","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (374, 'FortiWeb Authentication Bypass Attempt Detected', 3, 3, 1, 'Defense Evasion, Persistence, Privilege Escalation, Initial Access', 'T1078 - Valid Accounts', 'Detects authentication bypass attempts including direct access to protected resources, authentication flow manipulation, and credential stuffing attacks on FortiWeb protected applications.
+
+Next Steps:
+1. Review the source IP address and check if it''s from a known location or VPN service
+2. Examine the specific authentication bypass technique attempted (check log.attack_type and log.msg fields)
+3. Verify if any successful authentication occurred from the same IP address
+4. Check for other attack patterns from the same source IP in the last 24 hours
+5. Consider blocking the source IP if multiple bypass attempts are confirmed
+6. Review application logs for any successful unauthorized access
+7. Validate that authentication mechanisms are properly configured and up to date
+', '["https://docs.fortinet.com/document/fortiweb/7.2.2/log-message-reference/252057/event","https://attack.mitre.org/techniques/T1078/","https://attack.mitre.org/techniques/T1190/"]', 'exists("origin.ip") && 
+equals("log.type", "attack") &&
+(
+  equals("log.subtype", "account-lockout-detection") ||
+  contains("log.msg", "authentication") ||
+  contains("log.msg", "Authentication") ||
+  contains("log.msg", "bypass") ||
+  contains("log.msg", "unauthorized access") ||
+  equals("log.attack_type", "auth_bypass") ||
+  contains("log.trigger_policy", "auth")
+) &&
+oneOf("action", ["deny", "alert", "block"])
+', '2026-02-09 16:41:55.436697', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortiweb-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":3}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (375, 'FortiWeb File Upload Security Violation Detected', 3, 3, 2, 'Resource Development', 'T1608 - Stage Capabilities: Upload Malware', 'Detects file upload security violations including malicious file uploads, oversized files, restricted file types, and potential web shell upload attempts on FortiWeb protected applications. These violations could indicate attempts to upload malicious files, web shells, or bypass upload restrictions.
+
+Next Steps:
+1. Review the blocked file upload attempt details, including file name, type, and size
+2. Check if the source IP has made multiple file upload attempts in a short period
+3. Examine the web application logs for the specific URL path being targeted
+4. Verify if the file upload restriction policy is appropriate for the application
+5. If malicious activity is confirmed, consider blocking the source IP temporarily
+6. Review other requests from the same source IP for reconnaissance patterns
+7. Check if similar file upload attempts have been made to other applications
+', '["https://docs.fortinet.com/document/fortiweb/7.2.2/log-message-reference/252057/event","https://attack.mitre.org/techniques/T1608/","https://attack.mitre.org/techniques/T1505/003/"]', 'exists("origin.ip") && 
+(
+  contains("log.msg", "file upload") ||
+  contains("log.msg", "File upload") ||
+  contains("log.msg", "malicious file") ||
+  contains("log.msg", "file type") ||
+  contains("log.msg", "file size") ||
+  contains("log.msg", "anti-virus") ||
+  contains("log.msg", "upload violation") ||
+  contains("log.msg", "upload blocked")
+)
+', '2026-02-09 16:41:55.567321', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortiweb-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-30m","count":3}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (376, 'FortiWeb SQL Injection Attack Detection', 3, 3, 2, 'Web Application Attack', 'T1190 - Exploit Public-Facing Application', 'Detects SQL injection attacks identified by FortiWeb WAF signatures. Multiple SQLi attempts from the same source indicate a targeted attack against database-backed applications.
+
+Next Steps:
+1. Review the specific SQL injection payloads to assess severity
+2. Check if the target application is vulnerable to the attempted injection
+3. Verify the attack was blocked by FortiWeb
+4. Review application logs for any successful SQLi exploitation
+5. Investigate the source IP for additional attack patterns
+6. Update WAF signatures and consider implementing parameterized queries
+', '["https://docs.fortinet.com/document/fortiweb/7.4.3/administration-guide/210196/blocking-known-attacks","https://attack.mitre.org/techniques/T1190/"]', 'oneOf("action", ["deny", "block", "alert_deny", "alert"]) &&
+(regexMatch("log.msg", "(?i)(sql.*inject|union.*select|concat.*0x|xp_cmdshell|information_schema|benchmark.*sleep|extractvalue|updatexml|load_file|into.*outfile)") ||
+ contains("log.attack_type", "sql_injection") ||
+ contains("log.signature", "SQL Injection"))
+', '2026-02-09 16:41:55.712275', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortiweb-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":5}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (377, 'FortiWeb SSRF Attack Detection', 3, 2, 1, 'Web Application Attack', 'T1190 - Exploit Public-Facing Application', 'Detects Server-Side Request Forgery (SSRF) attacks identified by FortiWeb. SSRF attacks force the server to make requests to internal resources, potentially accessing cloud metadata services, internal APIs, or other restricted endpoints.
+
+Next Steps:
+1. Review the SSRF payload to identify the target internal resource
+2. Check if cloud metadata endpoints (169.254.169.254) were targeted
+3. Verify the application is not vulnerable to SSRF
+4. Review application code for user-controlled URL parameters
+5. Implement URL allowlisting for server-side requests
+6. Check for any successful SSRF exploitation in application logs
+', '["https://docs.fortinet.com/document/fortiweb/7.4.3/administration-guide/210196/blocking-known-attacks","https://attack.mitre.org/techniques/T1190/"]', 'oneOf("action", ["deny", "block", "alert_deny", "alert"]) &&
+(regexMatch("log.msg", "(?i)(ssrf|server.*side.*request.*forg|169\\.254\\.169\\.254|metadata.*api|internal.*service|localhost|127\\.0\\.0\\.1.*redirect|0x7f000001|file:///|gopher://)") ||
+ contains("log.attack_type", "ssrf") ||
+ contains("log.signature", "SSRF"))
+', '2026-02-09 16:41:55.862301', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortiweb-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":3}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (378, 'FortiWeb Web Shell Upload Detection', 3, 3, 3, 'Persistence', 'T1505.003 - Server Software Component: Web Shell', 'Detects web shell upload attempts blocked or detected by FortiWeb. Web shells provide persistent remote access and command execution on compromised web servers.
+
+Next Steps:
+1. Verify if the upload attempt was blocked or if it succeeded
+2. Review the uploaded file name and extension for known web shell patterns
+3. Scan the web server for existing web shells that may have been uploaded earlier
+4. Check the upload endpoint for proper file validation controls
+5. Review the source IP for additional attack attempts
+6. If a web shell was successfully uploaded, immediately isolate the server
+', '["https://docs.fortinet.com/document/fortiweb/7.4.3/administration-guide/210196/blocking-known-attacks","https://attack.mitre.org/techniques/T1505/003/"]', 'oneOf("action", ["deny", "block", "alert_deny", "alert"]) &&
+(regexMatch("log.msg", "(?i)(web.*shell|backdoor.*upload|cmd.*shell|reverse.*shell|\.php.*upload|\.asp.*upload|\.jsp.*upload|c99|r57|china.*chopper|weevely|b374k)") ||
+ (contains("log.attack_type", "file_upload") && contains("log.msg", ["shell", "backdoor", "malicious"])) ||
+ regexMatch("log.msg", "(?i)(file.*upload.*violat|upload.*restrict|dangerous.*file.*type)"))
+', '2026-02-09 16:41:56.004881', true, false, 'origin', null, '[]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (379, 'FortiWeb OWASP Top 10 Violation Attempts', 3, 3, 2, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects attempts to exploit OWASP Top 10 vulnerabilities including injection flaws, broken authentication, sensitive data exposure, XXE, broken access control, security misconfiguration, and more. This rule triggers when FortiWeb blocks or alerts on attack attempts that match known OWASP Top 10 vulnerability patterns.
+
+Next Steps:
+1. Review the blocked request details in FortiWeb logs to understand the attack vector
+2. Check if the source IP has attempted multiple different attack types
+3. Verify if the targeted application has any known vulnerabilities
+4. Consider blocking the source IP if attacks persist
+5. Review application security headers and WAF rules for the targeted resource
+6. Check for any successful requests from the same source IP before the block
+7. Analyze the specific OWASP category and implement additional protections
+8. Review application code for the detected vulnerability type
+', '["https://docs.fortinet.com/document/fortiweb-cloud/23.3.0/user-guide/552829/known-attacks","https://owasp.org/www-project-top-ten/","https://attack.mitre.org/techniques/T1190/"]', 'oneOf("action", ["deny", "alert_deny", "block", "blocked"]) &&
+regexMatch("log.msg", "(?i)(injection|traversal|xxe|xml external entity|broken auth|sensitive data|security misconfig|owasp|sqli|xss|csrf|command injection|path traversal|lfi|rfi|deserialization)")
+', '2026-02-09 16:41:56.147214', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortiweb-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":5}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (380, 'FortiWeb Web Application Attack Detection', 3, 3, 2, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects SQL injection, XSS, and other web application attacks blocked by FortiWeb WAF based on signature or syntax-based detection. These attacks attempt to exploit vulnerabilities in web applications to gain unauthorized access, steal data, or compromise application integrity.
+
+Next Steps:
+1. Review the specific attack type and payload in the FortiWeb logs
+2. Check if the source IP has a history of malicious activity
+3. Verify if the targeted application has known vulnerabilities
+4. Review application logs for any successful exploitation attempts
+5. Consider blocking the source IP if attacks persist
+6. Ensure WAF rules are up-to-date and properly configured
+7. Implement additional application-level security controls if needed
+8. Check for any bypass attempts or evasion techniques being used
+', '["https://docs.fortinet.com/document/fortiweb/7.6.0/administration-guide/981691/syntax-based-sql-xss-injection-detection","https://attack.mitre.org/techniques/T1190/"]', 'equals("action", "deny") && 
+(
+  equals("log.type", "attack") || 
+  equals("log.subtype", "waf") ||
+  oneOf("log.attack_type", ["SQL Injection", "Cross Site Scripting", "XSS", "SQLi"]) ||
+  contains("log.message", "sql injection") ||
+  contains("log.message", "SQL injection") ||
+  contains("log.message", "cross site scripting") ||
+  contains("log.message", "Cross Site Scripting") ||
+  contains("log.message", "xss") ||
+  contains("log.message", "XSS") ||
+  contains("log.message", "sqli") ||
+  contains("log.message", "SQLi") ||
+  equals("log.main_type", "SQL/XSS Syntax Based Detection")
+)
+', '2026-02-09 16:41:56.287116', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortiweb-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"action","operator":"filter_term","value":"deny"}],"or":null,"within":"now-15m","count":3}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (381, 'GitHub Action Secret Access Activity', 3, 3, 1, 'Collection', 'T1552 - Unsecured Credentials', 'Detects access, modification, or suspicious activities related to GitHub Action secrets. This could indicate attempts to steal credentials, API keys, or other sensitive information stored in repository or organization secrets.
+
+Next Steps:
+1. Review the GitHub audit logs to identify who accessed or modified the secrets
+2. Check if the user performing the action has legitimate business need for secret access
+3. Verify if any secrets were exposed in workflow logs or outputs
+4. Rotate any potentially compromised secrets immediately
+5. Review repository and organization permissions to ensure proper access controls
+6. Check for any unusual API calls or automated scripts accessing secrets
+7. Enable secret scanning alerts if not already configured
+8. Consider implementing additional controls like environment-specific secrets and approval workflows
+', '["https://docs.github.com/en/actions/security-guides/encrypted-secrets","https://attack.mitre.org/techniques/T1552/"]', 'oneOf("log.action", ["secret.create", "secret.update", "secret.remove"]) ||
+oneOf("log.action", ["actions.secret.create", "actions.secret.update", "actions.secret.remove", "dependabot.secret.create", "dependabot.secret.update", "dependabot.secret.remove"])
+', '2026-02-09 16:41:56.417751', true, false, 'origin', null, '[{"indexPattern":"v11-log-github-*","with":[{"field":"log.repositoryName","operator":"filter_term","value":"{{log.repositoryName}}"},{"field":"log.action","operator":"filter_match","value":"secret"}],"or":null,"within":"now-1h","count":3}]', '["lastEvent.log.action","lastEvent.log.repositoryName","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (382, 'GitHub CODEOWNERS File Modification', 2, 3, 1, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects modifications to CODEOWNERS files which define required reviewers for code changes. Attackers may modify CODEOWNERS to remove review requirements for sensitive paths, enabling them to merge malicious code without proper review.
+
+Next Steps:
+1. Review the CODEOWNERS file changes and identify removed or modified ownership rules
+2. Check if critical paths (workflows, configs, secrets) lost their code owners
+3. Verify the committer is an authorized repository administrator
+4. Review PRs merged after the CODEOWNERS change for unreviewed code
+5. Check if branch protection still requires CODEOWNERS review
+6. If unauthorized, revert the CODEOWNERS change and review recent merges
+7. Implement branch protection rules requiring CODEOWNERS approval
+8. Set up alerts on changes to repository configuration files
+', '["https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners","https://attack.mitre.org/techniques/T1562/001/"]', '(equals("log.action", "git.push") || equals("log.action", "repo.update_file")) &&
+exists("log.senderLogin") &&
+contains("log.commitMessage", "CODEOWNERS")
+', '2026-02-09 16:41:56.557312', true, false, 'origin', null, '[{"indexPattern":"v11-log-github-*","with":[{"field":"log.repositoryName","operator":"filter_term","value":"{{log.repositoryName}}"},{"field":"log.senderLogin","operator":"filter_term","value":"{{log.senderLogin}}"}],"or":null,"within":"now-24h","count":2}]', '["lastEvent.log.repositoryName","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (383, 'GitHub Dependabot Configuration Poisoning', 2, 3, 1, 'Supply Chain Compromise', 'T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain', 'Detects modifications to dependabot.yml configuration files that could redirect dependency updates to malicious registries or introduce malicious packages. Attackers may modify the Dependabot configuration to substitute legitimate dependencies with malicious alternatives.
+
+Next Steps:
+1. Review the dependabot.yml changes for suspicious registry configurations
+2. Check if custom registries point to legitimate package repositories
+3. Verify the committer is an authorized repository maintainer
+4. Review recently opened Dependabot PRs for unexpected dependency changes
+5. Check if any malicious packages were introduced through dependency updates
+6. If malicious, revert the configuration and audit all recent dependency changes
+7. Implement CODEOWNERS to require review for configuration file changes
+8. Enable dependency review for pull requests
+', '["https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates","https://attack.mitre.org/techniques/T1195/002/"]', '(equals("log.action", "git.push") || equals("log.action", "repo.update_file")) &&
+exists("log.senderLogin") &&
+contains("log.commitMessage", "dependabot")
+', '2026-02-09 16:41:56.687351', true, false, 'origin', null, '[{"indexPattern":"v11-log-github-*","with":[{"field":"log.repositoryName","operator":"filter_term","value":"{{log.repositoryName}}"},{"field":"log.senderLogin","operator":"filter_term","value":"{{log.senderLogin}}"}],"or":null,"within":"now-24h","count":2}]', '["lastEvent.log.repositoryName","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (384, 'GitHub App Installation Token Suspicious Access', 2, 2, 1, 'Credential Access', 'T1528 - Steal Application Access Token', 'Detects suspicious GitHub App installation and token activity from unexpected sources. Attackers who steal GitHub App private keys can generate installation tokens for any organization that installed the app, gaining broad access to repositories.
+
+Next Steps:
+1. Review the GitHub App installation and its configured permissions
+2. Verify the installation was authorized by an organization administrator
+3. Check the App''s webhook delivery history for unexpected endpoints
+4. Review repository access granted by the App installation
+5. Examine recent API calls made using the App''s installation token
+6. If compromised, revoke the App installation and rotate its private key
+7. Review all repositories the App had access to for unauthorized changes
+8. Implement IP allow-listing for the GitHub App
+', '["https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app","https://attack.mitre.org/techniques/T1528/"]', '(equals("log.action", "integration_installation.create") ||
+ equals("log.action", "integration_installation.repositories_added") ||
+ equals("log.action", "integration_installation.unsuspend")) &&
+exists("log.senderLogin")
+', '2026-02-09 16:41:56.832339', true, false, 'origin', null, '[]', '["lastEvent.log.action","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (385, 'GitHub Environment Protection Rule Bypass', 2, 3, 1, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects changes to GitHub environment protection rules including removal of required reviewers, wait timers, or branch restrictions. Attackers may modify these protections to deploy malicious code to production environments without approval.
+
+Next Steps:
+1. Verify the environment protection change was authorized
+2. Review the specific protections that were modified or removed
+3. Check which deployment environment was affected (production, staging)
+4. Review recent deployments to the affected environment
+5. Verify the repository admin making the change
+6. If unauthorized, restore the environment protection rules immediately
+7. Review deployment logs for unauthorized deployments during the protection gap
+8. Implement required reviewers for critical environment changes
+', '["https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment","https://attack.mitre.org/techniques/T1562/001/"]', '(equals("log.action", "environment.update_protection_rule") ||
+ equals("log.action", "environment.delete_protection_rule") ||
+ equals("log.action", "environment.update") ||
+ equals("log.action", "environment.delete")) &&
+exists("log.senderLogin")
+', '2026-02-09 16:41:56.982773', true, false, 'origin', null, '[]', '["lastEvent.log.repositoryName","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (386, 'GitHub Mass Repository Cloning Detection', 3, 2, 1, 'Collection', 'T1213 - Data from Information Repositories', 'Detects when multiple repositories are cloned or accessed in a short time period, which could indicate data exfiltration or reconnaissance activities. This rule monitors for patterns of repository access that exceed normal user behavior, potentially indicating an insider threat or compromised account attempting to steal source code.
+
+Next Steps:
+1. Review the user account activity to determine if this is legitimate behavior
+2. Check if the user typically accesses multiple repositories as part of their role
+3. Verify if the account shows signs of compromise (unusual login locations, times, or authentication methods)
+4. Review which repositories were accessed and determine their sensitivity
+5. Contact the user to verify the activity if suspicious
+6. Consider temporarily suspending the account if malicious activity is confirmed
+7. Review access logs for the specific repositories that were cloned
+8. Check for any data downloads or exports from the same user session
+', '["https://docs.github.com/en/webhooks/webhook-events-and-payloads#push","https://attack.mitre.org/techniques/T1213/"]', '(equals("log.action", "clone") ||
+ equals("log.action", "git.clone") ||
+ equals("log.action", "git.fetch")) &&
+exists("log.repositoryName") &&
+exists("log.senderLogin")
+', '2026-02-09 16:41:57.122256', true, false, 'origin', null, '[{"indexPattern":"v11-log-github-*","with":[{"field":"log.senderLogin","operator":"filter_term","value":"{{log.senderLogin}}"},{"field":"log.action","operator":"filter_match","value":"clone fetch"}],"or":null,"within":"now-30m","count":10}]', '["lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (387, 'GitHub Repository Visibility Changed to Public', 3, 2, 1, 'Data Exfiltration', 'T1537 - Transfer Data to Cloud Account', 'Detects when a private repository''s visibility is changed to public, potentially exposing proprietary source code, credentials, and sensitive configuration. This is a critical event that can lead to data exposure and intellectual property theft.
+
+Next Steps:
+1. Immediately verify if the visibility change was authorized
+2. Review the repository contents for secrets, credentials, and proprietary code
+3. Check if the repository was cloned or forked after becoming public
+4. Scan the repository for exposed API keys, passwords, and tokens
+5. If unauthorized, immediately revert the repository to private
+6. Rotate any secrets or credentials found in the repository
+7. Review the repository''s commit history for sensitive data
+8. Implement organization policy to prevent public repository creation
+', '["https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility","https://attack.mitre.org/techniques/T1537/"]', '(equals("log.action", "repo.access") ||
+ equals("log.action", "repo.visibility_change") ||
+ equals("log.action", "repo.update")) &&
+equals("log.visibility", "public") &&
+exists("log.senderLogin")
+', '2026-02-09 16:41:57.262033', true, false, 'origin', null, '[]', '["lastEvent.log.repositoryName","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (388, 'GitHub Organization Member to Owner Role Escalation', 3, 3, 2, 'Privilege Escalation', 'T1098 - Account Manipulation', 'Detects escalation of GitHub organization member roles from member to owner. Organization owners have full administrative access including managing billing, teams, repositories, and security settings. Unauthorized role escalation can lead to complete organizational compromise.
+
+Next Steps:
+1. Verify the role change was authorized by an existing organization owner
+2. Review the user being promoted and their business justification
+3. Check if the promoting owner''s account shows signs of compromise
+4. Review the new owner''s recent activities post-escalation
+5. Check for changes to organization settings, webhooks, or security configurations
+6. If unauthorized, immediately demote the user and investigate the promoting account
+7. Enable required two-factor authentication for all organization owners
+8. Implement audit log streaming for real-time organization event monitoring
+', '["https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization","https://attack.mitre.org/techniques/T1098/"]', '(equals("log.action", "org.update_member") ||
+ equals("log.action", "org.add_member")) &&
+equals("log.permission", "admin") &&
+exists("log.senderLogin")
+', '2026-02-09 16:41:57.407580', true, false, 'origin', null, '[]', '["lastEvent.log.senderLogin","lastEvent.log.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (389, 'GitHub Self-Hosted Runner Compromise Detection', 3, 3, 2, 'Supply Chain Compromise', 'T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain', 'Detects suspicious self-hosted runner operations including unexpected runner registration, deregistration, or workflows specifically targeting self-hosted runners. Compromised self-hosted runners can provide access to the internal network and secrets stored on the runner machine.
+
+Next Steps:
+1. Verify the runner registration or deregistration was authorized
+2. Review the runner''s labels and the workflows targeting it
+3. Check if the runner machine has been compromised
+4. Review secrets and environment variables accessible to the runner
+5. Examine recent workflow runs on the affected runner for malicious jobs
+6. If compromised, deregister the runner and re-image the machine
+7. Rotate all secrets and tokens accessible to the runner
+8. Implement runner groups with restricted repository access
+', '["https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners","https://attack.mitre.org/techniques/T1195/002/"]', '(equals("log.action", "self_hosted_runner.register") ||
+ equals("log.action", "self_hosted_runner.remove") ||
+ equals("log.action", "self_hosted_runner.update") ||
+ equals("log.action", "self_hosted_runner_group.create") ||
+ equals("log.action", "self_hosted_runner_group.update")) &&
+exists("log.senderLogin")
+', '2026-02-09 16:41:57.567191', true, false, 'origin', null, '[]', '["lastEvent.log.action","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (390, 'GitHub Secret Scanning Alert Detected', 3, 2, 1, 'Credential Access', 'T1552: Unsecured Credentials', 'Detects when GitHub''s secret scanning feature identifies potential secrets, API keys, or credentials committed to a repository. This could indicate inadvertent exposure of sensitive information that could be exploited by attackers.
+
+Next Steps:
+1. Immediately review the alert details to identify the exposed secret type and location
+2. Rotate or revoke the exposed credential immediately
+3. Remove the secret from the repository history using git filter-branch or BFG Repo-Cleaner
+4. Audit access logs for any unauthorized use of the exposed credential
+5. Review commit history to identify who committed the secret
+6. Implement pre-commit hooks to prevent future secret exposures
+7. Enable push protection in GitHub to prevent secrets from being pushed
+', '["https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning","https://attack.mitre.org/techniques/T1552/"]', 'equals("log.action", "secret_scanning_alert.created") || equals("log.action", "secret_scanning.new_alert") || (equals("log.alert_type", "secret") && equals("log.state", "open"))', '2026-02-09 16:41:57.722013', true, false, 'origin', null, '[]', '["lastEvent.log.alert_number","lastEvent.log.repositoryName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (391, 'GitHub Sensitive Data Commit Detection', 3, 2, 1, 'Collection', 'T1074 - Data Staged', 'Detects commits that may contain sensitive data such as API keys, passwords, private keys, or other credentials based on commit message patterns or file names.
+
+Next Steps:
+1. Review the commit content to verify if sensitive data was actually exposed
+2. Check the repository visibility (public vs private)
+3. If confirmed, immediately rotate any exposed credentials
+4. Remove the sensitive data from repository history using git filter-branch or BFG Repo-Cleaner
+5. Enable GitHub secret scanning for the repository
+6. Review repository access logs to determine if the exposed data was accessed
+7. Implement pre-commit hooks to prevent future credential commits
+', '["https://docs.github.com/en/webhooks/webhook-events-and-payloads#push","https://attack.mitre.org/techniques/T1074/"]', 'equals("log.action", "push") &&
+(contains("log.headCommitAdded", ".pem") ||
+ contains("log.headCommitAdded", ".key") ||
+ contains("log.headCommitAdded", ".p12") ||
+ contains("log.headCommitAdded", ".pfx") ||
+ contains("log.headCommitAdded", "id_rsa") ||
+ contains("log.headCommitAdded", "id_dsa") ||
+ contains("log.headCommitModified", ".pem") ||
+ contains("log.headCommitModified", ".key") ||
+ contains("log.headCommitModified", ".p12") ||
+ contains("log.headCommitModified", ".pfx") ||
+ contains("log.headCommitModified", "id_rsa") ||
+ contains("log.headCommitModified", "id_dsa"))
+', '2026-02-09 16:41:57.882248', true, false, 'origin', null, '[]', '["lastEvent.log.headCommitId","lastEvent.log.repositoryName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (392, 'GitHub Workflow pull_request_target Injection', 3, 3, 1, 'Supply Chain Compromise', 'T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools', 'Detects modifications to GitHub Actions workflow files that may introduce pull_request_target trigger abuse. This trigger runs with repository write permissions and secrets access even on forked PRs, making it a high-value target for supply chain attacks.
+
+Next Steps:
+1. Review the workflow file changes for pull_request_target trigger usage
+2. Check if the workflow checks out PR head code (dangerous with pull_request_target)
+3. Verify the committer is an authorized repository maintainer
+4. Review the workflow for unsafe uses of PR title, body, or labels in script context
+5. Check for recent fork-based PRs that could exploit the workflow
+6. If malicious, revert the workflow change and review PR history
+7. Implement branch protection requiring code review for workflow changes
+8. Use workflow_run instead of pull_request_target where possible
+', '["https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target","https://attack.mitre.org/techniques/T1195/001/"]', '(equals("log.action", "workflows.completed_workflow_run") ||
+ equals("log.action", "workflows.created_workflow_run")) &&
+exists("log.senderLogin") &&
+(contains("log.workflowFileName", "pull_request_target") ||
+ contains("log.event", "pull_request_target"))
+', '2026-02-09 16:41:58.042469', true, false, 'origin', null, '[]', '["lastEvent.log.repositoryName","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (393, 'GitHub Workflow Modifications Detected', 3, 3, 2, 'Initial Access', 'T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools', 'Detects modifications to GitHub Actions workflows which could be used to inject malicious code into the CI/CD pipeline or steal secrets. Attackers may modify workflows to execute arbitrary code, exfiltrate secrets, or compromise the software supply chain.
+
+Next Steps:
+1. Review the modified workflow files to identify any suspicious changes or additions
+2. Check if the user who made the modifications has legitimate access and business justification
+3. Look for any attempts to access secrets or environment variables in the workflow
+4. Verify if any external actions or Docker images were added that could be malicious
+5. Review commit history and pull request approvals for the workflow changes
+6. Consider temporarily disabling the workflow if suspicious activity is confirmed
+7. Audit repository access permissions and enable branch protection rules for workflow files
+8. Check for any unusual timing of modifications (off-hours, weekends)
+9. Verify the integrity of the repository and look for other suspicious activities
+10. Review access logs for the user account that made the modifications
+', '["https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows","https://attack.mitre.org/techniques/T1195/001/"]', '(equals("log.action", "workflows.updated") || 
+ equals("log.action", "workflows.created") || 
+ equals("log.action", "workflow_run.completed") ||
+ equals("log.action", "workflow_dispatch")) &&
+exists("log.repositoryName") &&
+exists("log.senderLogin") &&
+(contains("log.headCommitModified", ".github/workflows/") ||
+ contains("log.headCommitAdded", ".github/workflows/") ||
+ contains("log.path", ".github/workflows/") ||
+ contains("log.filename", ".github/workflows/"))
+', '2026-02-09 16:41:58.207656', true, false, 'origin', null, '[]', '["lastEvent.log.repositoryName","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (396, 'IBM AIX NIM Master Exploitation Detection', 3, 3, 3, 'Lateral Movement', 'T1210 - Exploitation of Remote Services', 'Detects exploitation of IBM AIX Network Installation Management (NIM) master to deploy malicious packages, modify client configurations, or perform lateral movement across AIX infrastructure.
+
+Next Steps:
+1. Verify the NIM operations were authorized
+2. Review NIM client configurations for unauthorized changes
+3. Check for malicious LPP/installp packages in NIM resources
+4. Verify NIM master access controls
+5. Review NIM client machine definitions
+6. Audit NIM operation logs for unauthorized deployments
+', '["https://www.ibm.com/docs/en/aix/7.2?topic=management-network-installation-nim","https://attack.mitre.org/techniques/T1210/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "nim") && (
+    contains("log.message", "define") ||
+    contains("log.message", "cust") ||
+    contains("log.message", "maint") ||
+    contains("log.message", "bos_inst") ||
+    contains("log.message", "alt_disk_install")
+  )) ||
+  (contains("log.message", "nimclient") && contains("log.message", "-o")) ||
+  (contains("log.message", "NIM") && contains("log.message", "push") && contains("log.message", "operation")) ||
+  (contains("log.message", "lpp_source") && contains("log.message", "define"))
+)
+', '2026-02-09 16:47:09.768567', true, false, 'origin', null, '[{"indexPattern":"v11-log-ibm-aix-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-30m","count":3}]', '["adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (412, 'GraphQL Abuse Detection', 2, 1, 1, 'API Abuse', 'T1190 - Exploit Public-Facing Application', 'Detects GraphQL abuse patterns including introspection queries, query batching, deeply nested queries for DoS, and unauthorized schema discovery. These techniques are used to enumerate APIs and exploit GraphQL endpoints.
+
+Next Steps:
+1. Review the GraphQL queries for malicious patterns
+2. Check if introspection queries exposed the schema
+3. Verify if query batching was used for brute force
+4. Implement query depth limiting and complexity analysis
+5. Disable introspection in production environments
+6. Deploy rate limiting for GraphQL endpoints
+', '["https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html","https://attack.mitre.org/techniques/T1190/"]', 'exists("origin.ip") &&
+(
+  regexMatch("raw", "(?i)\\{\\s*__schema\\s*\\{") ||
+  contains("raw", "IntrospectionQuery") ||
+  contains("raw", "introspectionQuery") ||
+  regexMatch("raw", "(?i)(query|mutation)\\s*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{")
+)
+', '2026-02-09 16:47:12.188202', true, false, 'origin', null, '[{"indexPattern":"v11-log-json-input-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":5}]', '["adversary.ip","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (394, 'IBM AIX Unauthorized Crontab Modification Detection', 2, 3, 2, 'Persistence', 'T1053.003 - Scheduled Task/Job: Cron', 'Detects unauthorized crontab modifications on IBM AIX systems that could indicate persistence establishment by an attacker. Monitors for crontab changes, at job submissions, and modifications to /var/spool/cron.
+
+Next Steps:
+1. Review the crontab entries that were added or modified
+2. Verify the user account making the changes
+3. Check the scheduled commands for malicious payloads
+4. Review /var/spool/cron for all user crontabs
+5. Implement cron.allow/cron.deny restrictions
+6. Monitor execution of suspicious scheduled tasks
+', '["https://www.ibm.com/docs/en/aix/7.2?topic=c-crontab-command","https://attack.mitre.org/techniques/T1053/003/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "crontab") && (
+    contains("log.message", "EDIT") ||
+    contains("log.message", "REPLACE") ||
+    contains("log.message", "-e") ||
+    contains("log.message", "installed")
+  )) ||
+  (contains("log.message", "/var/spool/cron") && (
+    contains("log.message", "modified") ||
+    contains("log.message", "created") ||
+    contains("log.message", "changed")
+  )) ||
+  (contains("log.message", "at ") && contains("log.message", "job")) ||
+  (contains("log.message", "cron") && contains("log.message", "CMD") && (
+    contains("log.message", "/tmp/") ||
+    contains("log.message", "wget") ||
+    contains("log.message", "curl") ||
+    contains("log.message", "bash -c") ||
+    contains("log.message", "python")
+  ))
+)
+', '2026-02-09 16:47:09.477618', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (395, 'IBM AIX Unauthorized HMC Access Detection', 3, 3, 3, 'Unauthorized Access', 'T1078 - Valid Accounts', 'Detects unauthorized access to the IBM Hardware Management Console (HMC) that controls Power Systems hardware. HMC access allows management of LPARs, firmware, and hardware resources.
+
+Next Steps:
+1. Verify the HMC access was from an authorized administrator
+2. Review the HMC operations performed during the session
+3. Check for LPAR configuration changes
+4. Verify HMC user accounts and access controls
+5. Review HMC audit logs for additional suspicious activity
+6. Implement multi-factor authentication for HMC access
+', '["https://www.ibm.com/docs/en/power9?topic=console-hardware-management","https://attack.mitre.org/techniques/T1078/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "HMC") && (
+    contains("log.message", "login") ||
+    contains("log.message", "authentication") ||
+    contains("log.message", "session")
+  )) ||
+  (contains("log.message", "hmcshutdown") || contains("log.message", "hmcrestart")) ||
+  contains("log.message", "chsyscfg") ||
+  (contains("log.message", "lpar") && (
+    contains("log.message", "activate") ||
+    contains("log.message", "shutdown") ||
+    contains("log.message", "migrate")
+  )) ||
+  (contains("log.message", "Power Systems") && contains("log.message", "remote access"))
+)
+', '2026-02-09 16:47:09.612632', true, false, 'origin', null, '[{"indexPattern":"v11-log-ibm-aix-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-30m","count":3}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (397, 'IBM AIX Rootkit Indicator Detection', 3, 3, 3, 'Defense Evasion', 'T1014 - Rootkit', 'Detects AIX-specific rootkit indicators including hidden processes, modified system binaries, suspicious kernel extensions, and integrity violations in the Trusted Computing Base.
+
+Next Steps:
+1. Run trustchk command to verify system binary integrity
+2. Compare running processes with ps output for hidden processes
+3. Check for modified shared libraries in /usr/lib
+4. Review recently loaded kernel extensions
+5. Initiate forensic investigation on the affected system
+6. Consider rebuilding the system from trusted media
+', '["https://www.ibm.com/docs/en/aix/7.2?topic=security-trusted-computing-base","https://attack.mitre.org/techniques/T1014/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "trustchk") && contains("log.message", "FAIL")) ||
+  (contains("log.message", "tcbck") && contains("log.message", "violation")) ||
+  (contains("log.message", "TCB") && contains("log.message", "integrity")) ||
+  (contains("log.message", "genkex") && contains("log.message", "unknown")) ||
+  (contains("log.message", "/dev/kmem") && !equals("origin.user", "root")) ||
+  (contains("log.message", "ld.so") && contains("log.message", "preload")) ||
+  (contains("log.message", "LIBPATH") && contains("log.message", "modified")) ||
+  contains("log.message", "LD_PRELOAD")
+)
+', '2026-02-09 16:47:09.917960', true, false, 'origin', null, '[]', '["adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (398, 'IBM AIX SSH Authorized Keys Manipulation Detection', 3, 3, 1, 'Persistence', 'T1098.004 - Account Manipulation: SSH Authorized Keys', 'Detects modifications to SSH authorized_keys files on IBM AIX systems. Attackers add their SSH public keys to maintain persistent access to compromised systems.
+
+Next Steps:
+1. Review the authorized_keys file changes
+2. Verify the added SSH keys belong to authorized users
+3. Check which user accounts had keys modified
+4. Remove unauthorized SSH keys immediately
+5. Implement SSH key management policies
+6. Monitor for SSH connections using the new keys
+', '["https://www.ibm.com/docs/en/aix/7.2?topic=security-configuring-openssh","https://attack.mitre.org/techniques/T1098/004/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "authorized_keys") && (
+    contains("log.message", "modified") ||
+    contains("log.message", "changed") ||
+    contains("log.message", "written") ||
+    contains("log.message", "appended")
+  )) ||
+  (contains("log.message", ".ssh/authorized_keys") && exists("origin.user")) ||
+  (contains("log.message", "ssh-rsa") && (
+    contains("log.message", ">>") ||
+    contains("log.message", "echo")
+  )) ||
+  (contains("log.message", "sshd_config") && contains("log.message", "AuthorizedKeysFile"))
+)
+', '2026-02-09 16:47:10.048060', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (399, 'IBM AIX Intrusion Detection Alert', 3, 3, 2, 'Privilege Escalation', 'T1068 - Exploitation for Privilege Escalation', 'Detects intrusion attempts and security violations identified by the IBM AIX intrusion detection system, including suspicious activities, privilege escalation attempts, and potential system compromises.
+
+Next Steps:
+1. Immediately isolate the affected system from the network to prevent lateral movement
+2. Review the intrusion detection logs for specific details about the attack vector and affected resources
+3. Check for any suspicious processes running with elevated privileges using ''ps aux'' and ''topas''
+4. Examine system integrity with ''trustchk'' command to verify critical system files
+5. Review recent user authentication logs and check for unauthorized account creation or privilege changes
+6. Collect forensic evidence including memory dumps, system logs, and file modifications
+7. Apply security patches and update AIX security configurations based on the vulnerability exploited
+8. Monitor related systems for similar intrusion attempts
+9. Check for any unauthorized file modifications using ''find'' command with modification time filters
+10. Review network connections and active ports using ''netstat'' and ''lsof'' commands
+11. Validate system configuration against security baselines and hardening guides
+12. Document the incident details and update security monitoring rules based on attack patterns
+', '["https://www.ibm.com/docs/en/powersc-standard/2.1.0?topic=ids-configuring-intrusion-detection-prevention-idp-aix-endpoints","https://attack.mitre.org/techniques/T1068/"]', '(
+  equals("log.eventType", "ids") ||
+  equals("log.eventType", "securityd") ||
+  equals("log.eventType", "audit") ||
+  contains("log.msg", "intrusion") ||
+  contains("log.msg", "suspicious") ||
+  contains("log.msg", "anomaly detected")
+) && 
+(
+  contains("log.msg", "buffer overflow") ||
+  contains("log.msg", "privilege escalation") ||
+  contains("log.msg", "unauthorized modification") ||
+  contains("log.msg", "rootkit") ||
+  contains("log.msg", "backdoor") ||
+  contains("log.msg", "suspicious process") ||
+  contains("log.msg", "file integrity") ||
+  contains("action", "ALERT") ||
+  equals("log.returnCode", "1")
+)
+', '2026-02-09 16:47:10.192353', true, false, 'origin', null, '[]', '["target.host","target.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (400, 'IBM AIX Security Audit Subsystem Alert', 3, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects critical security events from the IBM AIX audit subsystem, including audit configuration changes, audit service disruptions, or attempts to tamper with audit logs. This rule identifies when the audit subsystem fails, is disabled, or when audit-related files are modified.
+
+Next Steps:
+1. Verify the legitimacy of the audit subsystem changes with the system administrator
+2. Check if this is part of scheduled maintenance or authorized configuration changes
+3. Review the specific audit event type and return code for failure details
+4. Examine the user account that performed the action and verify it has appropriate permissions
+5. Investigate any recent changes to audit policies or configurations
+6. Check for additional security events around the same time period
+7. Verify audit log integrity and ensure no logs have been tampered with
+8. Review system logs for any other indicators of compromise
+', '["https://www.ibm.com/support/pages/aix-audit-audit-subsystem-aix","https://attack.mitre.org/techniques/T1562/"]', '(startsWith("log.eventType", "audit") && !equals("log.returnCode", "0")) || (contains("log.message", "audit") && (contains("log.message", "stop") || contains("log.message", "disable") || contains("log.message", "fail"))) || (equals("action", "FILE_MODIFY") && startsWith("log.objName", "/etc/security/audit/")) || (equals("log.commandType", "audit"))', '2026-02-09 16:47:10.337560', true, false, 'origin', null, '[]', '["lastEvent.log.eventType","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (401, 'IBM AIX System Integrity Violation Detected', 2, 3, 2, 'Defense Evasion', 'T1070 - Indicator Removal on Host', 'Detects attempts to compromise system integrity in IBM AIX, including unauthorized modifications to critical system files, audit tampering, security configuration changes, and privilege escalation attempts. This rule monitors for various indicators of system compromise including audit event tampering, security configuration file modifications, suspicious sudo usage, and privilege escalation attempts.
+
+Next Steps:
+1. Immediately investigate the affected system and user account
+2. Review audit logs for related suspicious activities
+3. Check for unauthorized changes to system configuration files
+4. Verify the legitimacy of any privilege escalation attempts
+5. Monitor for additional indicators of compromise
+6. Consider isolating the affected system if malicious activity is confirmed
+7. Review backup and recovery procedures for critical system files
+8. Examine command history and process execution logs
+9. Validate user permissions and access controls
+10. Check for presence of unauthorized tools or backdoors
+', '["https://www.ibm.com/docs/en/ssw_aix_72/security/security_pdf.pdf","https://attack.mitre.org/techniques/T1070/"]', '(contains("log.eventType", "AUD_") && equals("action", "FILE_Write")) || (contains("log.objName", "/etc/security/") && equals("action", "FILE_Write")) || (equals("log.commandType", "sudo") && contains("origin.command", "passwd")) || (contains("log.msg", "audit") && contains("log.msg", "disable")) || (equals("log.osUserID", "root") && !equals("origin.user", "root"))', '2026-02-09 16:47:10.681940', true, false, 'origin', null, '[]', '["lastEvent.log.objName","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (402, 'IBM AIX Trusted Computing Base Violation', 3, 3, 2, 'Defense Evasion', 'T1070 - Indicator Removal', 'Detects violations of the Trusted Computing Base (TCB) in IBM AIX, including unauthorized modifications to critical system files, security database tampering, or attempts to modify files protected by TCB. TCB violations indicate potential system compromise or unauthorized privilege escalation attempts.
+
+Next Steps:
+1. Immediately investigate the user account and source host involved in the TCB violation
+2. Review the specific object/file that was modified and assess the impact
+3. Check system logs for any related authentication failures or privilege escalation attempts
+4. Verify the integrity of critical system files using tcbck command
+5. Review recent system changes and patches that might have triggered legitimate TCB events
+6. If malicious activity is confirmed, isolate the affected system and initiate incident response procedures
+7. Consider running a full system integrity check and malware scan
+', '["https://www.ibm.com/docs/en/aix/7.2?topic=configuration-trusted-computing-base","https://attack.mitre.org/techniques/T1070/"]', '(equals("log.eventType", "tcbck") && contains("log.message", "FAIL")) || (contains("log.message", "TCB") && (contains("log.message", "violation") || contains("log.message", "modified"))) || (equals("log.eventType", "FILE_Mode") && exists("log.objName") && startsWith("log.objName", "/etc/security/")) || (equals("action", "FILE_MODIFY") && exists("log.objName") && (startsWith("log.objName", "/usr/bin/") || startsWith("log.objName", "/usr/sbin/") || startsWith("log.objName", "/etc/security/")))', '2026-02-09 16:47:10.802736', true, false, 'origin', null, '[]', '["lastEvent.log.objName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (403, 'IBM AIX Trusted Execution Violation', 3, 3, 2, 'Defense Evasion', 'T1036 - Masquerading', 'Detects violations of Trusted Execution (TE) policies in IBM AIX, including execution of untrusted binaries, signature verification failures, or attempts to bypass trusted execution controls. These violations may indicate attempts to execute malicious or unauthorized code on the system.
+
+Next Steps:
+1. Immediately verify the integrity of the executed binary and its digital signature
+2. Check if the binary is from a trusted source or has been tampered with
+3. Review system logs for any concurrent privilege escalation attempts or suspicious activities
+4. Examine the user''s recent activities, access patterns, and authentication history
+5. Validate the system''s trusted execution configuration and policies are properly enforced
+6. Check for any recent changes to the trusted execution database or policies
+7. Analyze the source and nature of the untrusted binary or process
+8. Consider isolating the affected system if malicious activity is confirmed
+9. Review file system integrity and check for signs of compromise
+10. Escalate to security team if this appears to be part of a broader attack
+', '["https://www.ibm.com/support/pages/trusted-execution-enablement","https://attack.mitre.org/techniques/T1036/"]', '(equals("log.eventType", "trustchk") && !equals("log.returnCode", "0")) || (contains("log.msg", "Trusted Execution") && (contains("log.msg", "fail") || contains("log.msg", "violat"))) || (equals("log.eventType", "PROC_Execute") && contains("log.msg", "untrusted")) || (equals("action", "EXEC") && contains("log.objName", "/tmp/") && equals("origin.user", "root"))', '2026-02-09 16:47:10.933106', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (404, 'IBM AS/400 Audit Journal Disabling Detection', 2, 3, 1, 'Defense Evasion', 'T1562.002 - Impair Defenses: Disable Windows Event Logging', 'Detects attempts to disable or modify IBM AS/400 security auditing via CHGAUD, QAUDCTL, or QAUDLVL system value changes. Attackers disable auditing to cover their tracks.
+
+Next Steps:
+1. Verify the audit configuration change was authorized
+2. Re-enable auditing immediately if unauthorized
+3. Check QAUDJRN journal for recent entries before the change
+4. Review system activity during the audit gap
+5. Restrict CHGAUD and system value change authority
+6. Implement monitoring for audit control system values
+', '["https://www.ibm.com/docs/en/i/7.5?topic=auditing-changing-security","https://attack.mitre.org/techniques/T1562/002/"]', 'exists("log.message") &&
+(
+  contains("log.message", "CHGAUD") ||
+  (contains("log.message", "QAUDCTL") && contains("log.message", "*NONE")) ||
+  (contains("log.message", "QAUDLVL") && contains("log.message", "changed")) ||
+  (contains("log.message", "QAUDLVL2") && contains("log.message", "changed")) ||
+  (contains("log.message", "audit") && contains("log.message", "disabled")) ||
+  (contains("log.message", "QAUDJRN") && contains("log.message", "DLTJRN")) ||
+  contains("log.message", "CHGSYSVAL SYSVAL(QAUDCTL) VALUE(''*NONE'')")
+)
+', '2026-02-09 16:47:11.062849', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (405, 'IBM AS/400 Unauthorized IFS Access Detection', 3, 2, 1, 'Collection', 'T1005 - Data from Local System', 'Detects unauthorized access to the IBM AS/400 Integrated File System (IFS). Monitors for access to sensitive directories, configuration files, and bulk file operations that could indicate data theft.
+
+Next Steps:
+1. Review the IFS paths and files being accessed
+2. Verify the user has authorization for the accessed directories
+3. Check for bulk file downloads or copies
+4. Review NetServer and FTP access logs
+5. Restrict IFS directory permissions
+6. Implement IFS object auditing for sensitive directories
+', '["https://www.ibm.com/docs/en/i/7.5?topic=system-integrated-file","https://attack.mitre.org/techniques/T1005/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "IFS") && (
+    contains("log.message", "QSYS.LIB") ||
+    contains("log.message", "/QIBM/") ||
+    contains("log.message", "/home/") ||
+    contains("log.message", "/tmp/")
+  ) && (
+    contains("log.message", "access") ||
+    contains("log.message", "read") ||
+    contains("log.message", "copy") ||
+    contains("log.message", "download")
+  )) ||
+  (contains("log.message", "CPYFRMSTMF") || contains("log.message", "CPYTOSTMF")) ||
+  (contains("log.message", "NetServer") && contains("log.message", "file access")) ||
+  (contains("log.message", "FTP") && contains("log.message", "GET") && contains("log.message", "/QSYS"))
+)
+', '2026-02-09 16:47:11.207711', true, false, 'origin', null, '[{"indexPattern":"v11-log-ibm-as400-*","with":[{"field":"log.message","operator":"filter_match","value":"IFS OR CPYFRMSTMF OR CPYTOSTMF OR NetServer"}],"or":null,"within":"now-15m","count":10}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (406, 'IBM AS/400 Exit Point Tampering Detection', 3, 3, 2, 'Persistence', 'T1562 - Impair Defenses', 'Detects tampering with IBM AS/400 exit points using ADDEXITPGM to register malicious programs. Exit points intercept system operations and can be used for credential capture, data interception, or persistent backdoor access.
+
+Next Steps:
+1. Review the exit point program being registered
+2. Verify the exit point registration was authorized
+3. Check the program source code for malicious functionality
+4. List all registered exit points with WRKREGINF
+5. Remove unauthorized exit point programs
+6. Restrict ADDEXITPGM authority to security administrators
+', '["https://www.ibm.com/docs/en/i/7.5?topic=programs-exit","https://attack.mitre.org/techniques/T1562/"]', 'exists("log.message") &&
+(
+  contains("log.message", "ADDEXITPGM") ||
+  contains("log.message", "RMVEXITPGM") ||
+  contains("log.message", "CHGEXITPGM") ||
+  (contains("log.message", "exit point") && (
+    contains("log.message", "registered") ||
+    contains("log.message", "added") ||
+    contains("log.message", "changed")
+  )) ||
+  (contains("log.message", "WRKREGINF") && contains("log.message", "exit"))
+)
+', '2026-02-09 16:47:11.347239', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (407, 'IBM AS/400 Job Queue Manipulation Detection', 2, 3, 2, 'Execution', 'T1053 - Scheduled Task/Job', 'Detects suspicious job submissions and job queue manipulations on IBM AS/400 that could indicate unauthorized task execution with elevated authority or persistence mechanisms.
+
+Next Steps:
+1. Review the submitted job details and user profile
+2. Verify the job submission was authorized
+3. Check if the job runs with elevated authority (USER parameter)
+4. Review the job''s program and command list
+5. Restrict SBMJOB authority for non-administrative users
+6. Monitor job queue activity for unusual patterns
+', '["https://www.ibm.com/docs/en/i/7.5?topic=concepts-job-queues","https://attack.mitre.org/techniques/T1053/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "SBMJOB") && (
+    contains("log.message", "USER(QSECOFR)") ||
+    contains("log.message", "USER(QSYSOPR)") ||
+    contains("log.message", "*ALLOBJ")
+  )) ||
+  (contains("log.message", "CHGJOBQE") && exists("origin.user")) ||
+  (contains("log.message", "HLDJOBQ") || contains("log.message", "RLSJOBQ")) ||
+  (contains("log.message", "ADDJOBSCDE") && exists("origin.user")) ||
+  (contains("log.message", "job") && contains("log.message", "submitted") && (
+    contains("log.message", "QBATCH") ||
+    contains("log.message", "QSYSNOMAX")
+  ))
+)
+', '2026-02-09 16:47:11.482092', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (408, 'IBM AS/400 Program Adopt Authority Abuse Detection', 3, 3, 2, 'Privilege Escalation', 'T1548 - Abuse Elevation Control Mechanism', 'Detects programs using adopted authority with *ALLOBJ special authority on IBM AS/400. Attackers create programs that adopt elevated privileges to bypass authorization controls and access sensitive objects.
+
+Next Steps:
+1. Review the program using adopted authority
+2. Verify the program owner and adoption profile
+3. Check if *ALLOBJ authority is necessary for the program
+4. Remove unnecessary adopted authority
+5. Implement adopted authority auditing
+6. Review all programs adopting elevated authority
+', '["https://www.ibm.com/docs/en/i/7.5?topic=programs-adopted-authority","https://attack.mitre.org/techniques/T1548/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "ADOPTED") && contains("log.message", "*ALLOBJ")) ||
+  (contains("log.message", "ADOPT") && contains("log.message", "authority")) ||
+  (contains("log.message", "CRTPGM") && contains("log.message", "USRPRF(*OWNER)")) ||
+  (contains("log.message", "CHGPGM") && contains("log.message", "USRPRF(*OWNER)")) ||
+  (contains("log.message", "program adopt") && contains("log.message", "special authority")) ||
+  (contains("log.message", "adopted") && contains("log.message", "QSECOFR"))
+)
+', '2026-02-09 16:47:11.622623', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (409, 'IBM AS/400 Library List Manipulation Detection', 3, 3, 2, 'Privilege Escalation', 'T1574 - Hijack Execution Flow', 'Detects manipulation of IBM AS/400 library lists using CHGLIBL, ADDLIBLE, or CHGSYSLIBL commands. Attackers modify library lists to inject malicious programs that execute instead of legitimate system commands (library list hijacking).
+
+Next Steps:
+1. Review the library list changes and added libraries
+2. Verify the changes were authorized
+3. Check the contents of added libraries for malicious programs
+4. Compare program names in added libraries against system libraries
+5. Remove unauthorized library list entries
+6. Restrict CHGLIBL and ADDLIBLE authority
+', '["https://www.ibm.com/docs/en/i/7.5?topic=concepts-library-lists","https://attack.mitre.org/techniques/T1574/"]', 'exists("log.message") &&
+(
+  contains("log.message", "CHGLIBL") ||
+  contains("log.message", "ADDLIBLE") ||
+  contains("log.message", "CHGSYSLIBL") ||
+  contains("log.message", "RMVLIBLE") ||
+  (contains("log.message", "library list") && (
+    contains("log.message", "changed") ||
+    contains("log.message", "modified") ||
+    contains("log.message", "added")
+  )) ||
+  (contains("log.message", "EDTLIBL") && exists("origin.user"))
+)
+', '2026-02-09 16:47:11.768030', true, false, 'origin', null, '[{"indexPattern":"v11-log-ibm-as400-*","with":[{"field":"origin.user","operator":"filter_term","value":"{{origin.user}}"}],"or":null,"within":"now-15m","count":3}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (410, 'IBM AS/400 Remote Command Execution Detection', 3, 3, 2, 'Lateral Movement', 'T1021 - Remote Services', 'Detects remote command execution on IBM AS/400 via RCMD, RMTCMD, DDM, or DRDA protocols. These commands allow attackers to execute operations from remote systems.
+
+Next Steps:
+1. Identify the remote system and user executing commands
+2. Verify the remote command execution was authorized
+3. Review the commands being executed remotely
+4. Check DDM and DRDA connection configurations
+5. Restrict remote command execution authority
+6. Implement IP allowlisting for remote connections
+', '["https://www.ibm.com/docs/en/i/7.5?topic=ssw_ibm_i_75/cl/runrmtcmd.htm","https://attack.mitre.org/techniques/T1021/"]', 'exists("log.message") &&
+(
+  contains("log.message", "RUNRMTCMD") ||
+  contains("log.message", "RCMD") ||
+  contains("log.message", "RMTCMD") ||
+  (contains("log.message", "DDM") && contains("log.message", "command")) ||
+  (contains("log.message", "DRDA") && contains("log.message", "remote")) ||
+  (contains("log.message", "REXEC") && exists("origin.ip")) ||
+  (contains("log.message", "SBMRMTCMD") && exists("origin.user"))
+)
+', '2026-02-09 16:47:11.918185', true, false, 'origin', null, '[{"indexPattern":"v11-log-ibm-as400-*","with":[{"field":"origin.user","operator":"filter_term","value":"{{origin.user}}"}],"or":null,"within":"now-30m","count":3}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (411, 'IBM AS/400 SQL Injection via ODBC/JDBC Detection', 3, 3, 2, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects SQL injection attempts targeting IBM AS/400 through ODBC/JDBC connections. Monitors for suspicious SQL patterns in database server job logs and diagnostic messages.
+
+Next Steps:
+1. Review the SQL statements for injection patterns
+2. Identify the source application and ODBC/JDBC connection
+3. Check for successful unauthorized data access
+4. Patch the vulnerable application with parameterized queries
+5. Restrict ODBC/JDBC connection permissions
+6. Block the source IP if confirmed malicious
+', '["https://www.ibm.com/docs/en/i/7.5?topic=services-sql-diagnostic","https://attack.mitre.org/techniques/T1190/"]', 'exists("log.message") &&
+(
+  (contains("log.message", "SQL") && (
+    regexMatch("log.message", "(?i)UNION\\s+(ALL\\s+)?SELECT") ||
+    contains("log.message", "'' OR ''1''=''1") ||
+    contains("log.message", "''; DROP") ||
+    contains("log.message", "QSYS2.") ||
+    contains("log.message", "SYSCOLUMNS") ||
+    contains("log.message", "SYSTABLES") ||
+    regexMatch("log.message", "(?i)CHAR\\s*\\([0-9]+\\)") ||
+    contains("log.message", "information_schema")
+  )) ||
+  (contains("log.message", "ODBC") && contains("log.message", "SQL error")) ||
+  (contains("log.message", "JDBC") && contains("log.message", "syntax error"))
+)
+', '2026-02-09 16:47:12.048070', true, false, 'origin', null, '[{"indexPattern":"v11-log-ibm-as400-*","with":[{"field":"log.message","operator":"filter_match","value":"SQL error OR syntax error OR UNION SELECT OR DROP"}],"or":null,"within":"now-15m","count":5}]', '["adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (707, 'Windows: New ActiveSyncAllowedDeviceID Added via PowerShell', 3, 2, 1, 'Persistence', 'T1098.002 - Account Manipulation: Additional Email Delegate Permissions', 'Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.', '["https://attack.mitre.org/tactics/TA0003/","https://attack.mitre.org/techniques/T1098/002/"]', 'oneOf("log.eventDataProcessName", ["powershell.exe", "pwsh.exe", "powershell_ise.exe"]) && regexMatch("log.message", "(Set-CASMailbox(.+)ActiveSyncAllowedDeviceIDs)")', '2026-02-09 16:57:30.922913', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (413, 'Unsafe Deserialization Attack Detected', 3, 3, 2, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects attempts to exploit unsafe deserialization vulnerabilities through malicious JSON payloads containing serialized objects or code execution patterns. These attacks can lead to remote code execution, privilege escalation, or data compromise.
+
+Next Steps:
+1. Analyze the JSON payload structure and identify malicious patterns
+2. Check application logs for evidence of successful exploitation
+3. Review the target application''s deserialization implementation
+4. Implement input validation and use safe deserialization practices
+5. Monitor for any unusual process execution or system changes
+6. Consider blocking the source IP if attack patterns persist
+7. Examine target application for signs of compromise
+8. Review recent deployments or configuration changes
+9. Check for additional indicators of compromise on affected systems
+10. Document the attack pattern for threat intelligence purposes
+', '["https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_java.html","https://attack.mitre.org/techniques/T1190/"]', '(contains("raw", "java.lang.Runtime") ||
+ contains("raw", "java.lang.ProcessBuilder") ||
+ contains("raw", "$$beanFactory") ||
+ (contains("raw", "org.apache.commons.collections") && contains("raw", "Transformer")) ||
+ (contains("raw", "java.io.ObjectInputStream") && contains("raw", "exec")) ||
+ contains("raw", "com.sun.rowset.JdbcRowSetImpl") ||
+ contains("raw", "ysoserial") ||
+ contains("raw", "java.net.URLClassLoader"))
+', '2026-02-09 16:47:12.327720', true, false, 'origin', null, '[{"indexPattern":"v11-log-json-input-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-10m","count":3}]', '["adversary.ip","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (414, 'JSON Hijacking Attempt Detected', 3, 2, 1, 'Execution', 'JSON Hijacking', 'Detects attempts to hijack JSON data through malicious script tags, Array constructor overrides, or cross-domain data theft patterns. JSON hijacking attacks attempt to steal sensitive data by exploiting vulnerabilities in JSON responses through script tag inclusion or prototype manipulation.
+
+Next Steps:
+1. Review the request details and identify the source of the hijacking attempt
+2. Check if the origin IP is from a known malicious source
+3. Examine the full request payload for additional malicious indicators
+4. Verify if any sensitive data was exposed in the JSON response
+5. Implement proper CSRF tokens and validate referer headers
+6. Consider blocking the source IP if malicious activity is confirmed
+7. Review application code for proper JSON response security measures
+', '["https://owasp.org/www-community/attacks/JSON_Hijacking","https://attack.mitre.org/techniques/T1059/007/"]', '(contains("raw", "") ||
+  contains("log.callback", "javascript:") ||
+  contains("log.callback", "alert(") ||
+  contains("log.callback", "eval(") ||
+  contains("log.callback", "Function(") ||
+  contains("log.callback", ".constructor("))) ||
+(exists("log.url_query") &&
+ contains("log.url_query", "callback=") &&
+ contains("log.url_query", "

From 1d5064a3af0c1661d1c1f07a5b6b80ce1d844768 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Tue, 10 Feb 2026 11:17:17 -0600
Subject: [PATCH 078/105] feat(utm): enhance configuration encryption to
 support file data type

---
 .../application_modules/UtmModuleGroupConfigurationService.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleGroupConfigurationService.java b/backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleGroupConfigurationService.java
index 1311b5f4d..d8d00387c 100644
--- a/backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleGroupConfigurationService.java
+++ b/backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleGroupConfigurationService.java
@@ -62,7 +62,7 @@ public UtmModule updateConfigurationKeys(Long moduleId, List
Date: Tue, 10 Feb 2026 11:32:40 -0600
Subject: [PATCH 079/105] refactor(assets-view): improve last input display
 logic and remove debug logging

Signed-off-by: Manuel Abascal 
---
 .../app/assets-discover/assets-view/assets-view.component.html  | 2 +-
 .../app/assets-discover/assets-view/assets-view.component.ts    | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/frontend/src/app/assets-discover/assets-view/assets-view.component.html b/frontend/src/app/assets-discover/assets-view/assets-view.component.html
index 0713f5e1d..2823407bb 100644
--- a/frontend/src/app/assets-discover/assets-view/assets-view.component.html
+++ b/frontend/src/app/assets-discover/assets-view/assets-view.component.html
@@ -198,7 +198,7 @@ 

                     

                   
                   
-                    {{ asset.lastInput | date }}
+                    {{ asset.lastInput !== 'Unknown' ? (asset.lastInput | date) : '-' }}
                   
 
                   
diff --git a/frontend/src/app/assets-discover/assets-view/assets-view.component.ts b/frontend/src/app/assets-discover/assets-view/assets-view.component.ts
index dc8bf7e0a..7a6e4a6f7 100644
--- a/frontend/src/app/assets-discover/assets-view/assets-view.component.ts
+++ b/frontend/src/app/assets-discover/assets-view/assets-view.component.ts
@@ -389,7 +389,6 @@ export class AssetsViewComponent implements OnInit, OnDestroy {
   }
 
   getLastInput(asset: NetScanType) {
-    console.log('getLastInput', asset.lastInput);
     if (asset.dataInputList.length > 0) {
       const lastInput = asset.dataInputList[asset.dataInputList.length - 1].timestamp;
       asset.lastInputTimestamp = lastInput;

From 6e2feba0743dfb8c3161a06655025a80454eb7c3 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Tue, 10 Feb 2026 11:32:53 -0600
Subject: [PATCH 080/105] refactor(int-generic-group-config): update file
 upload logic to simplify JSON handling

Signed-off-by: Manuel Abascal 
---
 .../int-generic-group-config.component.ts        | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/frontend/src/app/app-module/conf/int-generic-group-config/int-generic-group-config.component.ts b/frontend/src/app/app-module/conf/int-generic-group-config/int-generic-group-config.component.ts
index f6ba6b709..399158384 100644
--- a/frontend/src/app/app-module/conf/int-generic-group-config/int-generic-group-config.component.ts
+++ b/frontend/src/app/app-module/conf/int-generic-group-config/int-generic-group-config.component.ts
@@ -293,7 +293,7 @@ export class IntGenericGroupConfigComponent implements OnInit, OnChanges, OnDest
     return groups.some(group => this.pendingChangesForGroup(group));
   }
 
-  onFileUpload($event: any[], group: UtmModuleGroupType, integrationConfig: UtmModuleGroupConfType) {
+  /*onFileUpload($event: any[], group: UtmModuleGroupType, integrationConfig: UtmModuleGroupConfType) {
     if (integrationConfig.confKey === 'jsonKey') {
       this.encryptService.encrypt(JSON.stringify($event[0])).subscribe(response => {
         const indexGroup = this.groups.findIndex(value => value.id === group.id);
@@ -302,8 +302,22 @@ export class IntGenericGroupConfigComponent implements OnInit, OnChanges, OnDest
         this.addChange(integrationConfig);
       });
     }
+  }*/
+
+  onFileUpload($event: any[], group: UtmModuleGroupType, integrationConfig: UtmModuleGroupConfType) {
+    if (integrationConfig.confKey === 'jsonKey') {
+      const json = JSON.stringify($event[0]);
+
+      const indexGroup = this.groups.findIndex(value => value.id === group.id);
+      const indexConf = this.groups[indexGroup].moduleGroupConfigurations.findIndex(value => value.id === integrationConfig.id);
+
+      this.groups[indexGroup].moduleGroupConfigurations[indexConf].confValue = json;
+
+      this.addChange(integrationConfig);
+    }
   }
 
+
   collectorValid(groups: UtmModuleGroupType[]) {
     return groups.every(group => this.tenantIsConfigValid(group));
   }

From 13fe2fcbca59f069cbadfab9b2aa8980fd080cea Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Tue, 10 Feb 2026 11:33:02 -0600
Subject: [PATCH 081/105] refactor(guide-linux-agent): update installation
 steps for clarity and improve formatting

Signed-off-by: Manuel Abascal 
---
 .../guide-linux-agent.component.html                  | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/frontend/src/app/app-module/guides/guide-linux-agent/guide-linux-agent.component.html b/frontend/src/app/app-module/guides/guide-linux-agent/guide-linux-agent.component.html
index 19a394fca..6ccd7488b 100644
--- a/frontend/src/app/app-module/guides/guide-linux-agent/guide-linux-agent.component.html
+++ b/frontend/src/app/app-module/guides/guide-linux-agent/guide-linux-agent.component.html
@@ -12,10 +12,19 @@ 

     

 
     
    
+      
  1. 
+        
    
+          1
+          Check pre-installation requirements
+        
    
+        
      
+          
    • The UTMStack Linux Agent relies on the local rsyslog service to collect and forward system logs.
      • 
+        
    
+      
    2. 
       
  2. 
         
    
           
    
-            1
+            2
             Install or uninstall the UTMStack agent according to your operating system:
           
    
           
    

From ceafb521d60b92ab6f199f2cf8500e86c7a563dc Mon Sep 17 00:00:00 2001
From: Osmany Montero 
Date: Tue, 10 Feb 2026 20:23:46 +0000
Subject: [PATCH 082/105] refactor: use crypto/rand for cryptographically
 secure secret generation.

---
 installer/utils/secret.go | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/installer/utils/secret.go b/installer/utils/secret.go
index 03e24a7d6..378c48513 100644
--- a/installer/utils/secret.go
+++ b/installer/utils/secret.go
@@ -1,20 +1,23 @@
 package utils
 
 import (
-	"math/rand"
+	"crypto/rand"
+	"math/big"
 )
 
 func GenerateSecret(size int) string {
 	var characters = []rune("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
+	if size <= 0 {
+		return ""
+	}
 
-	var s string
-	for {
-		if len(s) >= size {
-			break
+	result := make([]rune, size)
+	for i := range result {
+		num, err := rand.Int(rand.Reader, big.NewInt(int64(len(characters))))
+		if err != nil {
+			panic(err) // Consider returning error if signature allows, but keeping panic for now as panic on CSPRNG fail is reasonable for secret gen
 		}
-
-		s += string(characters[rand.Intn(len(characters))])
+		result[i] = characters[num.Int64()]
 	}
-
-	return s
+	return string(result)
 }

From ab898143cec5cf0ba58bcd49d0171914c40dc753 Mon Sep 17 00:00:00 2001
From: Osmany Montero 
Date: Tue, 10 Feb 2026 20:51:26 +0000
Subject: [PATCH 083/105] refactor: deduplication and grouping now only apply
 when non-null fields are present.

---
 plugins/alerts/main.go | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/plugins/alerts/main.go b/plugins/alerts/main.go
index f7d6a8125..d2e2c539a 100644
--- a/plugins/alerts/main.go
+++ b/plugins/alerts/main.go
@@ -121,14 +121,18 @@ func isDuplicate(alert *plugins.Alert) bool {
 	// Compile regex for array index stripping
 	reArrayIndex := regexp.MustCompile(`\.[0-9]+(\.|$)`)
 
+	var execute bool = false
+
 	for _, d := range alert.DeduplicateBy {
 		d = strings.TrimSuffix(d, ".keyword")
 
 		value := gjson.Get(*alertString, d)
 		if value.Type == gjson.Null {
-			return false
+			continue
 		}
 
+		execute = true
+
 		// Calculate OpenSearch field name by removing array indices
 		searchField := reArrayIndex.ReplaceAllStringFunc(d, func(s string) string {
 			if strings.HasSuffix(s, ".") {
@@ -146,6 +150,10 @@ func isDuplicate(alert *plugins.Alert) bool {
 		}
 	}
 
+	if !execute {
+		return false
+	}
+
 	// Create QueryBuilder and inject the Bool query
 	qb := sdkos.NewQueryBuilder(ctx, indices, "plugin_com.utmstack.alerts")
 	qb.Size(1)
@@ -209,14 +217,18 @@ func getPreviousAlertId(alert *plugins.Alert) *string {
 	// Compile regex for array index stripping
 	reArrayIndex := regexp.MustCompile(`\.[0-9]+(\.|$)`)
 
+	var execute bool = false
+
 	for _, d := range alert.GroupBy {
 		d = strings.TrimSuffix(d, ".keyword")
 
 		value := gjson.Get(*alertString, d)
 		if value.Type == gjson.Null {
-			return nil
+			continue
 		}
 
+		execute = true
+
 		// Calculate OpenSearch field name by removing array indices
 		searchField := reArrayIndex.ReplaceAllStringFunc(d, func(s string) string {
 			if strings.HasSuffix(s, ".") {
@@ -234,6 +246,10 @@ func getPreviousAlertId(alert *plugins.Alert) *string {
 		}
 	}
 
+	if !execute {
+		return nil
+	}
+
 	// Create QueryBuilder and inject the Bool query
 	qb := sdkos.NewQueryBuilder(ctx, indices, "plugin_com.utmstack.alerts")
 	qb.Size(1)

From 5c7c0a800186831d17a3f593218467dae6c84e52 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Tue, 10 Feb 2026 14:31:12 -0600
Subject: [PATCH 084/105] feat(utm): add Cisco ASA, Switch, Firepower, and
 Meraki filter updates for version 3.0.2

---
 .../20260209024_update_filter_utmstack.xml    |    7 +-
 .../20260210001_update_filter_cisco_asa.xml   | 5939 +++++++++++++++++
 ...20260210002_update_filter_cisco_switch.xml |  181 +
 ...60210003_update_filter_cisco_firepower.xml | 5161 ++++++++++++++
 ...20260210004_update_filter_cisco_meraki.xml | 1569 +++++
 .../resources/config/liquibase/master.xml     |    8 +
 6 files changed, 12861 insertions(+), 4 deletions(-)
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260210001_update_filter_cisco_asa.xml
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260210002_update_filter_cisco_switch.xml
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260210003_update_filter_cisco_firepower.xml
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260210004_update_filter_cisco_meraki.xml

diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209024_update_filter_utmstack.xml b/backend/src/main/resources/config/liquibase/changelog/20260209024_update_filter_utmstack.xml
index 45402fadd..3d8751840 100644
--- a/backend/src/main/resources/config/liquibase/changelog/20260209024_update_filter_utmstack.xml
+++ b/backend/src/main/resources/config/liquibase/changelog/20260209024_update_filter_utmstack.xml
@@ -4,7 +4,7 @@
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
 
-    
+    
 
         
             
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210001_update_filter_cisco_asa.xml b/backend/src/main/resources/config/liquibase/changelog/20260210001_update_filter_cisco_asa.xml
new file mode 100644
index 000000000..809279343
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260210001_update_filter_cisco_asa.xml
@@ -0,0 +1,5939 @@
+
+
+
+    
+
+        
+             Syslog
+#
+# 1. Parsing the message field containing the Cisco ASA log
+pipeline:
+  - dataTypes:
+      - firewall-cisco-asa
+    steps:
+      # Common ASA fields
+      - grok:
+          patterns:
+            - fieldName: log.syslogPri
+              pattern: '(\<{{.integer}}\>)'
+            - fieldName: log.ciscoTime
+              pattern: '({{.day}}\s)?{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}'
+            - fieldName: log.localIp
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.asaHeader
+              pattern: '{{.data}}ASA-'
+            - fieldName: log.severity
+              pattern: '{{.integer}}'
+            - fieldName: log.messageId
+              pattern: '-{{.integer}}'
+            - fieldName: log.ciscoSeparator
+              pattern: '\:{{.space}}'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: raw
+      - grok:
+          patterns:
+            - fieldName: log.ciscoTime
+              pattern: '({{.day}}\s)?{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}'
+            - fieldName: log.localIp
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.asaHeader
+              pattern: '{{.data}}ASA-'
+            - fieldName: log.severity
+              pattern: '{{.integer}}'
+            - fieldName: log.messageId
+              pattern: '-{{.integer}}'
+            - fieldName: log.ciscoSeparator
+              pattern: '\:{{.space}}'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: raw
+      #......................................................................#
+      # Adding log.localIp geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.localIp
+            destination: log.localIp.geolocation
+          where: exists("log.localIp")
+      # Removing unwanted prefixes
+      - trim:
+          function: prefix
+          substring: '-'
+          fields:
+            - log.messageId
+      # Field conversions
+      - cast:
+          fields:
+            - log.messageId
+          to: int
+      # Begining specific message parsing
+      #......................................................................#
+      # ASA-2-106001
+      - grok:
+          patterns:
+            - fieldName: log.direction
+              pattern: '{{.word}}'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: origin.port
+              pattern: '/{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: target.port
+              pattern: '/{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'flags'
+            - fieldName: log.flags
+              pattern: '{{.data}}\s'
+            - fieldName: log.irrelevant
+              pattern: 'on\sinterface'
+            - fieldName: log.srcInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==106001
+
+      - trim:
+          function: prefix
+          substring: '/'
+          fields:
+            - origin.port
+            - target.port
+          where: log.messageId==106001
+
+      #......................................................................#
+      #ASA-2-106017
+      - grok:
+          patterns:
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'IP\sdue\sto'
+            - fieldName: action
+              pattern: '{{.greedy}}from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+          source: log.msg
+          where: log.messageId==106017
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - action
+          where: log.messageId==106017
+      #......................................................................#
+      # ASA-1-106021
+      - grok:
+          patterns:
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: action
+              pattern: '{{.greedy}}from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: log.irrelevant
+              pattern: 'on\sinterface'
+            - fieldName: log.srcInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==106021
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - action
+          where: log.messageId==106021
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==106021
+      #......................................................................#
+      # ASA-2-106101
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Number of cached deny-flows for ACL log has reached limit'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==106101
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Number of cached'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==106101
+      # Parsing the limit number
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.numFlows
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.rest
+          where: log.messageId==106101
+      # Field conversions
+      - cast:
+          fields:
+            - log.numFlows
+          to: int
+          where: log.messageId==106101
+
+      #......................................................................#
+      # ASA-6-106102,106103
+      # First variant
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'access-list'
+            - fieldName: log.accessList
+              pattern: '{{.data}}\s'
+            - fieldName: actionResult
+              pattern: '{{.word}}'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'for user'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}})\s'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}/'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}/'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'hit-cnt'
+            - fieldName: log.hitCount
+              pattern: '{{.integer}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==106102 || log.messageId==106103
+      # Second variant
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'access-list'
+            - fieldName: log.accessList
+              pattern: '{{.data}}\s'
+            - fieldName: actionResult
+              pattern: '{{.word}}'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'for user'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}})\s'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}/'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: origin.port
+              pattern: '\({{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '-\>'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}/'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: target.port
+              pattern: '\({{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'hit-cnt'
+            - fieldName: log.hitCount
+              pattern: '{{.integer}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==106102 || log.messageId==106103
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==106102 || log.messageId==106103
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.user
+          where: log.messageId==106102 || log.messageId==106103
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.user
+          where: log.messageId==106102 || log.messageId==106103
+      - trim:
+          function: prefix
+          substring: '('
+          fields:
+            - origin.port
+            - target.port
+          where: log.messageId==106102 || log.messageId==106103
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - origin.port
+            - target.port
+          where: log.messageId==106102 || log.messageId==106103
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && equalsIgnoreCase("actionResult", "Permitted")
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && !equalsIgnoreCase("actionResult", "Permitted")
+      #......................................................................#
+      # ASA-4-109017
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'User at'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: log.irrelevant
+              pattern: 'exceeded auth proxy connection limit'
+            - fieldName: log.limit
+              pattern: '\({{.integer}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==109017
+
+      - trim:
+          function: prefix
+          substring: '('
+          fields:
+            - log.limit
+          where: log.messageId==109017
+      - cast:
+          fields:
+            - log.limit
+          to: int
+          where: log.messageId==109017
+      #......................................................................#
+      # ASA-6-109101
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Received CoA disconnect request'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: 'for user'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}}),'
+            - fieldName: log.irrelevant
+              pattern: 'with\saudit-session-id:'
+            - fieldName: log.auditSessionId
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==109101
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Received CoA'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==109101
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - origin.user
+          where: log.messageId==109101
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==109101
+      #......................................................................#
+      # ASA-4-109102
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Received CoA {{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: ', but cannot find named session'
+            - fieldName: log.auditSessionId
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==109102
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Received CoA'
+            - fieldName: log.ciscoResult
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==109102
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==109102
+      #......................................................................#
+      # ASA-3-109103
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'CoA {{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: 'failed for user'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}}),'
+            - fieldName: log.irrelevant
+              pattern: 'with session ID:'
+            - fieldName: log.auditSessionId
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==109103
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'CoA'
+            - fieldName: log.ciscoResult
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==109103
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - origin.user
+          where: log.messageId==109103
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==109103
+      #......................................................................#
+      # ASA-109201 to 109213
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'UAUTH(:)? Session(\s|=)'
+            - fieldName: log.session
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'User(\s|=)'
+            - fieldName: origin.user
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'Assigned IP(\s|=)'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: ','
+            - fieldName: action
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId>=109201 && log.messageId<=109213
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.session
+            - origin.user
+          where: log.messageId>=109201 && log.messageId<=109213
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId>=109201 && log.messageId<=109213
+      #......................................................................#
+      # ASA-6-113004
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA user {{.word}} Successful'
+            - fieldName: log.irrelevant
+              pattern: '\:'
+            - fieldName: log.irrelevant
+              pattern: 'server(\s)?=(\s)?'
+            - fieldName: target.ip
+              pattern: '{{.data}}(\:|,)'
+            - fieldName: log.irrelevant
+              pattern: '(U|u)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113004
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'AAA user {{.word}}'
+            - fieldName: log.ciscoResult
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==113004
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - target.ip
+          where: log.messageId==113004
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - target.ip
+          where: log.messageId==113004
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==113004
+      #......................................................................#
+      # ASA-6-113005
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA user authentication Rejected(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?reason(\s)?=(\s)'
+            - fieldName: log.reason
+              pattern: '{{.data}}(\:|,)'
+            - fieldName: log.irrelevant
+              pattern: '(server|Server)(\s)?=(\s)?'
+            - fieldName: target.ip
+              pattern: '{{.data}}(\:|,)'
+            - fieldName: log.irrelevant
+              pattern: '(U|u)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.data}}(\:|,)'
+            - fieldName: log.irrelevant
+              pattern: '(U|u)ser IP(\s)?=(\s)?'
+            - fieldName: origin.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113005
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'AAA user authentication'
+            - fieldName: log.ciscoResult
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==113005
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.reason
+            - target.ip
+            - origin.user
+          where: log.messageId==113005
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==113005
+      #......................................................................#
+      # ASA-6-113008
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA transaction status ACCEPT(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?(u|U)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113008
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==113008
+      #......................................................................#
+      # ASA-6-113009
+      # First variant
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA retrieved default group policy'
+            - fieldName: log.policy
+              pattern: '\({{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'for (u|U)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113009
+      - trim:
+          function: prefix
+          substring: '('
+          fields:
+            - log.policy
+          where: log.messageId==113009
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.policy
+          where: log.messageId==113009
+      # Second variant
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA retrieved default group policy'
+            - fieldName: log.policy
+              pattern: '{{.data}}\sfor'
+            - fieldName: log.irrelevant
+              pattern: '(u|U)ser(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113009
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.policy
+          where: log.messageId==113009
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==113009
+      #......................................................................#
+      # ASA-6-113010
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA challenge received for user'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}}) from server'
+            - fieldName: origin.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113010
+      - trim:
+          function: suffix
+          substring: 'from server'
+          fields:
+            - origin.user
+          where: log.messageId==113010
+      #......................................................................#
+      # ASA-6-113011
+      # First variant
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA retrieved user specific group policy'
+            - fieldName: log.policy
+              pattern: '\({{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'for (u|U)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113011
+      - trim:
+          function: prefix
+          substring: '('
+          fields:
+            - log.policy
+          where: log.messageId==113011
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.policy
+          where: log.messageId==113011
+      # Second variant
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA retrieved user specific group policy'
+            - fieldName: log.policy
+              pattern: '{{.data}}\sfor'
+            - fieldName: log.irrelevant
+              pattern: '(u|U)ser(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113011
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.policy
+          where: log.messageId==113011
+      #......................................................................#
+      # ASA-6-113012
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA user authentication Successful(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?local database(\s)?:(\s)?user(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113012
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'AAA user authentication'
+            - fieldName: log.ciscoResult
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==113012
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==113012
+      #......................................................................#
+      # ASA-6-113013
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA unable to complete the request'
+            - fieldName: log.irrelevant
+              pattern: 'Error(\s)?:(\s)?reason(\s)?=(\s)?'
+            - fieldName: log.reason
+              pattern: '{{.data}}\:'
+            - fieldName: log.irrelevant
+              pattern: 'user(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113013
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.reason
+          where: log.messageId==113013
+      #......................................................................#
+      # ASA-6-113014
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA authentication server not accessible(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?server(\s)?=(\s)?'
+            - fieldName: target.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?(U|u)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113014
+      #......................................................................#
+      # ASA-6-113015, 113017
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '(AAA user authentication|AAA credentials)\s(R|r)ejected(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?reason(\s)?=(\s)?'
+            - fieldName: log.reason
+              pattern: '{{.data}}(\s)?\:'
+            - fieldName: log.irrelevant
+              pattern: 'local database(\s)?:(\s)?(U|u)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}})(\s)?:'
+            - fieldName: log.irrelevant
+              pattern: 'user IP(\s)?=(\s)?'
+            - fieldName: target.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113015 || log.messageId==113017
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.reason
+            - origin.user
+          where: log.messageId==113015 || log.messageId==113017
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(AAA user authentication|AAA credentials)\s'
+            - fieldName: log.ciscoResult
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==113015 || log.messageId==113017
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==113015 || log.messageId==113017
+      #......................................................................#
+      # ASA-6-113016
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA credentials rejected(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?reason(\s)?=(\s)?'
+            - fieldName: log.reason
+              pattern: '{{.data}}(\s)?\:'
+            - fieldName: log.irrelevant
+              pattern: 'server(\s)?=(\s)?'
+            - fieldName: target.ip
+              pattern: '{{.data}}(\s)?\:'
+            - fieldName: log.irrelevant
+              pattern: '(U|u)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}})(\s)?:'
+            - fieldName: log.irrelevant
+              pattern: 'user IP(\s)?=(\s)?'
+            - fieldName: origin.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113016
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.reason
+            - target.ip
+            - origin.user
+          where: log.messageId==113016
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'AAA credentials'
+            - fieldName: log.ciscoResult
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==113016
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==113016
+      #......................................................................#
+      # ASA-4-113019
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Group(\s)?=(\s)?'
+            - fieldName: origin.group
+              pattern: '{{.data}}(\s)?,'
+            - fieldName: log.irrelevant
+              pattern: '(U|u)sername(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}})(\s)?,'
+            - fieldName: log.irrelevant
+              pattern: 'IP(\s)?=(\s)?'
+            - fieldName: origin.ip
+              pattern: '{{.data}},'
+            - fieldName: action
+              pattern: '(\s)?Session disconnected\.'
+            - fieldName: log.irrelevant
+              pattern: '(\s)?Session Type:(\s)?'
+            - fieldName: log.sessionType
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '(\s)?Duration:(\s)?'
+            - fieldName: log.duration
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '(\s)?Bytes xmt:(\s)?'
+            - fieldName: origin.bytesSent
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '(\s)?Bytes rcv:(\s)?'
+            - fieldName: origin.bytesReceived
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '(\s)?Reason:(\s)?'
+            - fieldName: log.reason
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113019
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+            - log.sessionType
+            - log.duration
+            - origin.bytesSent
+            - origin.bytesReceived
+          where: log.messageId==113019
+      - cast:
+          fields:
+            - origin.bytesSent
+            - origin.bytesReceived
+          to: int
+          where: log.messageId==113019
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==113019
+      #......................................................................#
+      # ASA-113031,113032,113033
+      # Common fields
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Group(\s)?'
+            - fieldName: origin.group
+              pattern: '{{.data}}\sUser'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}})(\s)?IP'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033
+      - trim:
+          function: suffix
+          substring: 'User'
+          fields:
+            - origin.group
+          where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033
+      - trim:
+          function: suffix
+          substring: 'IP'
+          fields:
+            - origin.user
+          where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033
+      # Specific fields
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AnyConnect (vpn-filter|ipv6-vpn-filter|session not allowed)'
+            - fieldName: log.filter
+              pattern: '{{.data}}\sis'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.rest
+          where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AnyConnect (vpn-filter|ipv6-vpn-filter|session not allowed)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.rest
+          where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033
+      - trim:
+          function: suffix
+          substring: 'is'
+          fields:
+            - log.filter
+          where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033
+      #......................................................................#
+      # ASA-113034,113035,113036,113038,113039
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Group(\s)?'
+            - fieldName: origin.group
+              pattern: '(\<)?{{.data}}(\>)?\sUser'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|(\<)?{{.data}}(\>)?)(\s)?IP'
+            - fieldName: origin.ip
+              pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'User'
+          fields:
+            - origin.group
+          where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+      - trim:
+          function: suffix
+          substring: 'IP'
+          fields:
+            - origin.user
+          where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+      - trim:
+          function: prefix
+          substring: '<'
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+          where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+      - trim:
+          function: suffix
+          substring: '>'
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+          where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==113039
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==113035 || log.messageId==113038
+      #......................................................................#
+      # ASA-4-113042
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'CoA: Non-HTTP connection from'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'for user'
+            - fieldName: log.remoteUser
+              pattern: '(''{{.data}}''|{{.data}})(\s)?at'
+            - fieldName: log.remoteIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==113042
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - action
+          where: log.messageId==113042
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==113042
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==113042
+      - trim:
+          function: suffix
+          substring: 'at'
+          fields:
+            - log.remoteUser
+          where: log.messageId==113042
+      #......................................................................#
+      # ASA-2-201003
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Embryonic limit exceeded'
+            - fieldName: log.numCons
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '/(\s)?'
+            - fieldName: log.limit
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'for'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '/(\s)?'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.globalIp
+              pattern: '\({{.data}}\)'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '/(\s)?'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'on interface'
+            - fieldName: log.dstInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==201003
+      - trim:
+          function: prefix
+          substring: '('
+          fields:
+            - log.globalIp
+          where: log.messageId==201003
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.globalIp
+          where: log.messageId==201003
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==201003
+      #......................................................................#
+      # ASA-4-209003
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Fragment database limit of'
+            - fieldName: log.limit
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'exceeded:(\s)?src(\s)?=(\s)?'
+            - fieldName: origin.ip
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'dest(\s)?=(\s)?'
+            - fieldName: target.ip
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'proto(\s)?=(\s)?'
+            - fieldName: protocol
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'id(\s)?=(\s)?'
+            - fieldName: log.id
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==209003
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - origin.ip
+            - target.ip
+            - protocol
+          where: log.messageId==209003
+      - cast:
+          fields:
+            - log.limit
+          to: int
+          where: log.messageId==209003
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==209003
+      #......................................................................#
+      # ASA-3-316001
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Denied new tunnel'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==316001
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==316001
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==316001
+      #......................................................................#
+      # ASA-3-316002
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'VPN Handle error'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?protocol='
+            - fieldName: protocol
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'src\s'
+            - fieldName: log.inIfNum
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: ',(\s)?dst'
+            - fieldName: log.outIfNum
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?'
+            - fieldName: target.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==316002
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - protocol
+          where: log.messageId==316002
+      - cast:
+          fields:
+            - log.inIfNum
+            - log.outIfNum
+          to: int
+          where: log.messageId==316002
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==316002
+      #......................................................................#
+      # ASA-302003,302004
+      # First variant
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '(Built H245 connection|Pre-allocate H323 UDP backconnection)'
+            - fieldName: log.irrelevant
+              pattern: 'for'
+            - fieldName: log.foreignAddress
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.tmpToip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+            - fieldName: log.irrelevant
+              pattern: '(to\s)?'
+            - fieldName: log.localAddress
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.tmpFromip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+          source: log.msg
+          where: log.messageId==302003 || log.messageId==302004
+      # Second variant
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '(Built H245 connection|Pre-allocate H323 UDP backconnection)'
+            - fieldName: log.irrelevant
+              pattern: 'for'
+            - fieldName: log.foreignAddress
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.tmpToip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+            - fieldName: log.localAddress
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: log.tmpFromip
+              pattern: '({{.ipv4}}|{{.ipv6}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+          source: log.msg
+          where: log.messageId==302003 || log.messageId==302004
+      # Parsing from/to ip and port
+      - grok:
+          patterns:
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: target.port
+              pattern: '{{.greedy}}'
+          source: log.tmpToip
+          where: log.messageId==302003 || log.messageId==302004
+      - grok:
+          patterns:
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.tmpToip
+          where: log.messageId==302003 || log.messageId==302004
+      - grok:
+          patterns:
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: origin.port
+              pattern: '{{.greedy}}'
+          source: log.tmpFromip
+          where: log.messageId==302003 || log.messageId==302004
+      - grok:
+          patterns:
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.tmpFromip
+          where: log.messageId==302003 || log.messageId==302004
+      - trim:
+          function: prefix
+          substring: '/'
+          fields:
+            - origin.port
+            - target.port
+          where: log.messageId==302003 || log.messageId==302004
+      # Removing temp fields
+      - delete:
+          fields:
+            - log.tmpFromip
+            - log.tmpToip
+          where: log.messageId==302003 || log.messageId==302004
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302003 || log.messageId==302004
+      #......................................................................#
+      # ASA-6-302012
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Pre-allocate H225 Call Signalling Connection'
+            - fieldName: log.irrelevant
+              pattern: 'for faddr'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: origin.port
+              pattern: '/(\s)?{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to laddr'
+            - fieldName: target.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302012
+      - trim:
+          function: prefix
+          substring: '/'
+          fields:
+            - origin.port
+          where: log.messageId==302012
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302012
+      #......................................................................#
+      # ASA-6-302013
+      - grok:
+          patterns:
+            - fieldName: log.tmpDirection
+              pattern: 'Built\s{{.word}}\s(Probe)?'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpFrom
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortFrom
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpTo
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortTo
+              pattern: '{{.integer}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302013
+      # Parsing direction field
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: log.direction
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpDirection
+          where: log.messageId==302013
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==302013
+      # Parsing firewall user to, and AAA name of the user if exists
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: log.messageId==302013
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: log.messageId==302013
+
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - origin.user
+          where: log.messageId==302013
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpDirection
+            - log.tmpFwUserFrom
+          where: log.messageId==302013
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302013
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+            - log.mappedIpFrom
+            - log.mappedIpTo
+          where: log.messageId==302013
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.connectionId
+          where: log.messageId==302013
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302013
+      #......................................................................#
+      # ASA-6-302014
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Teardown\s(Probe)?'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserTo
+              pattern: '({{.data}})?duration'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+            - fieldName: log.irrelevant
+              pattern: 'bytes'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302014
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==302014
+      # Parsing firewall user to
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserTo
+          where: log.messageId==302014
+      # Parsing AAA user if exists
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: log.messageId==302014
+
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - origin.user
+          where: log.messageId==302014
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpFwUserTo
+          where: log.messageId==302014
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302014
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==302014
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.connectionId
+          where: log.messageId==302014
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302014
+      #......................................................................#
+      # ASA-6-302015
+      - grok:
+          patterns:
+            - fieldName: log.tmpDirection
+              pattern: 'Built\s{{.word}}'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpFrom
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortFrom
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpTo
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortTo
+              pattern: '{{.integer}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302015
+      # Parsing direction field
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: log.direction
+              pattern: '{{.greedy}}'
+          source: log.tmpDirection
+          where: log.messageId==302015
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==302015
+      # Parsing firewall user to, and AAA name of the user if exists
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: log.messageId==302015
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: log.messageId==302015
+
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - origin.user
+          where: log.messageId==302015
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpDirection
+            - log.tmpFwUserFrom
+          where: log.messageId==302015
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302015
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+            - log.mappedIpFrom
+            - log.mappedIpTo
+          where: log.messageId==302015
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.connectionId
+          where: log.messageId==302015
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302015
+      #......................................................................#
+      # ASA-6-302016
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Teardown'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserTo
+              pattern: '({{.data}})?duration'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302016
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==302016
+      # Parsing firewall user to
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserTo
+          where: log.messageId==302016
+      # Parsing firewall user to, and AAA name of the user if exists
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'bytes'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+          source: log.rest
+          where: log.messageId==302016
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'bytes'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: log.messageId==302016
+
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - origin.user
+          where: log.messageId==302016
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpFwUserTo
+          where: log.messageId==302016
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302016
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==302016
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.connectionId
+          where: log.messageId==302016
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302016
+      #......................................................................#
+      # ASA-6-302017
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: log.direction
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'GRE connection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})from'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.translatedIpFrom
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.realCid
+              pattern: '{{.data}}\('
+            - fieldName: log.translatedIpTo
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302017
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==302017
+      # Parsing translatedCid and, firewall user to and AAA user if present
+      - grok:
+          patterns:
+            - fieldName: log.translatedCid
+              pattern: '{{.data}}\)'
+            - fieldName: log.tmpUserInfo
+              pattern: '{{.greedy}}'
+          source: log.rest
+          where: log.messageId==302017
+      - grok:
+          patterns:
+            - fieldName: log.translatedCid
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: log.messageId==302017
+      # FW user and AAA user
+      - grok:
+          patterns:
+            - fieldName: log.tmpFwUserTo
+              pattern: '\({{.data}}\)'
+            - fieldName: target.user
+              pattern: '\({{.data}}\)'
+          source: log.tmpUserInfo
+          where: log.messageId==302017
+      - grok:
+          patterns:
+            - fieldName: log.tmpFwUserTo
+              pattern: '\({{.data}}\)'
+          source: log.tmpUserInfo
+          where: log.messageId==302017
+      # Parsing firewall user to
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserTo
+          where: log.messageId==302017
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - target.user
+            - log.translatedCid
+          where: log.messageId==302017
+      - trim:
+          function: suffix
+          substring: '('
+          fields:
+            - log.realCid
+            - target.user
+          where: log.messageId==302017
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpDirection
+            - log.tmpFwUserFrom
+            - log.tmpFwUserTo
+            - log.tmpUserInfo
+          where: log.messageId==302017
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302017
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - target.ip
+            - log.translatedIpTo
+          where: log.messageId==302017
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - log.connectionId
+          where: log.messageId==302017
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302017
+      #......................................................................#
+      # ASA-6-302018
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Teardown GRE connection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})from'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.translatedIpFrom
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.realCid
+              pattern: '{{.data}}\('
+            - fieldName: log.translatedIpTo
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.translatedCid
+              pattern: '{{.data}}\)'
+            - fieldName: log.tmpFwUserTo
+              pattern: '({{.data}})?duration'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302018
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==302018
+      # Parsing firewall user to
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserTo
+          where: log.messageId==302018
+      # Parsing firewall user to, and AAA name of the user if exists
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'bytes'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+          source: log.rest
+          where: log.messageId==302018
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'bytes'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: log.messageId==302018
+
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - origin.user
+            - log.translatedCid
+          where: log.messageId==302018
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpFwUserTo
+          where: log.messageId==302018
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '('
+          fields:
+            - log.realCid
+          where: log.messageId==302018
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302018
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - target.ip
+            - log.translatedIpTo
+          where: log.messageId==302018
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - log.connectionId
+          where: log.messageId==302018
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302018
+      #......................................................................#
+      # ASA-6-302020, 302021
+      # 302020
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: log.direction
+              pattern: '{{.word}}'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection for faddr'
+            - fieldName: log.tmpFaddrAndFwUser
+              pattern: '({{.data}})gaddr'
+            - fieldName: log.tmpGaddrAndFwUser
+              pattern: '({{.data}})laddr'
+            - fieldName: log.tmpLaddrAndFwUser
+              pattern: '({{.data}})type'
+            - fieldName: log.icmpType
+              pattern: '({{.data}})code'
+            - fieldName: log.icmpCode
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302020
+      # 302021
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Teardown'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection for faddr'
+            - fieldName: log.tmpFaddrAndFwUser
+              pattern: '({{.data}})gaddr'
+            - fieldName: log.tmpGaddrAndFwUser
+              pattern: '({{.data}})laddr'
+            - fieldName: log.tmpLaddrAndFwUser
+              pattern: '({{.data}})type'
+            - fieldName: log.icmpType
+              pattern: '({{.data}})code'
+            - fieldName: log.icmpCode
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302021
+      # Common parsing for 302020 and 302021
+      # For parsing faddr and fwuser from (Begin with ip/port), or icmpSeqNum
+      - grok:
+          patterns:
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '{{.greedy}}'
+          source: log.tmpFaddrAndFwUser
+          where: log.messageId==302020 || log.messageId==302021
+      - grok:
+          patterns:
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '{{.greedy}}'
+          source: log.tmpFaddrAndFwUser
+          where: log.messageId==302020 || log.messageId==302021
+      # icmpSeqNum variants
+      - grok:
+          patterns:
+            - fieldName: log.icmpSeqNum
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '\({{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'gaddr'
+          source: log.tmpFaddrAndFwUser
+          where: log.messageId==302020 || log.messageId==302021
+      - grok:
+          patterns:
+            - fieldName: log.icmpSeqNum
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: 'gaddr'
+          source: log.tmpFaddrAndFwUser
+          where: log.messageId==302020 || log.messageId==302021
+      # Cleaning icmpSeqNum
+      - trim:
+          function: suffix
+          substring: 'gaddr'
+          fields:
+            - log.icmpSeqNum
+          where: log.messageId==302020 || log.messageId==302021
+      # Continue with firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==302020 || log.messageId==302021
+      # For parsing gaddr and global fwuser (Begin with ip/port), or icmpType
+      - grok:
+          patterns:
+            - fieldName: log.globalIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.globalPort
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserGlobal
+              pattern: '{{.greedy}}'
+          source: log.tmpGaddrAndFwUser
+          where: log.messageId==302020 || log.messageId==302021
+      - grok:
+          patterns:
+            - fieldName: log.globalIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.tmpFwUserGlobal
+              pattern: '{{.greedy}}'
+          source: log.tmpGaddrAndFwUser
+          where: log.messageId==302020 || log.messageId==302021
+      # icmpType variants
+      - grok:
+          patterns:
+            - fieldName: log.icmpType
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserGlobal
+              pattern: '\({{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'laddr'
+          source: log.tmpGaddrAndFwUser
+          where: log.messageId==302020 || log.messageId==302021
+      - grok:
+          patterns:
+            - fieldName: log.icmpType
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserGlobal
+              pattern: 'laddr'
+          source: log.tmpGaddrAndFwUser
+          where: log.messageId==302020 || log.messageId==302021
+      # Cleaning icmpType
+      - trim:
+          function: suffix
+          substring: 'laddr'
+          fields:
+            - log.icmpType
+          where: log.messageId==302020 || log.messageId==302021
+      - trim:
+          function: suffix
+          substring: 'code'
+          fields:
+            - log.icmpType
+          where: log.messageId==302020 || log.messageId==302021
+      # Continue with global firewall
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.globalFirewallUser
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserGlobal
+          where: log.messageId==302020 || log.messageId==302021
+      # For parsing laddr and fwuser to (Begin with ip/port)
+      - grok:
+          patterns:
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserTo
+              pattern: '{{.greedy}}'
+          source: log.tmpLaddrAndFwUser
+          where: log.messageId==302020 || log.messageId==302021
+      - grok:
+          patterns:
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.tmpFwUserTo
+              pattern: '{{.greedy}}'
+          source: log.tmpLaddrAndFwUser
+          where: log.messageId==302020 || log.messageId==302021
+      # Continue with firewall user to
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserTo
+          where: log.messageId==302020 || log.messageId==302021
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - target.ip
+            - origin.ip
+          where: log.messageId==302020 || log.messageId==302021
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - log.globalFirewallUser
+          where: log.messageId==302020 || log.messageId==302021
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpFwUserTo
+            - log.tmpFwUserGlobal
+            - log.tmpFaddrAndFwUser
+            - log.tmpGaddrAndFwUser
+            - log.tmpLaddrAndFwUser
+          where: log.messageId==302020 || log.messageId==302021
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302020 || log.messageId==302021
+      #......................................................................#
+      # ASA-6-302022, 302024, 302026
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: log.role
+              pattern: '({{.data}})stub'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpMappedIpPortFrom
+              pattern: '\({{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpMappedIpPortTo
+              pattern: '\({{.data}}\)'
+          source: log.msg
+          where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+      # Parsing mapped ip,port from tmp fields
+      # With port
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpFrom
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortFrom
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+          source: log.tmpMappedIpPortFrom
+          where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+      # Without port
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpFrom
+              pattern: '{{.data}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+          source: log.tmpMappedIpPortFrom
+          where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+      # Parsing mapped ip,port to, from tmp fields
+      # With port
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpTo
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortTo
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+          source: log.tmpMappedIpPortTo
+          where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+      # Without port
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpTo
+              pattern: '{{.data}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+          source: log.tmpMappedIpPortTo
+          where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'stub'
+          fields:
+            - log.role
+          where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+            - log.mappedIpFrom
+            - log.mappedIpTo
+          where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpMappedIpPortFrom
+            - log.tmpMappedIpPortTo
+          where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+      #......................................................................#
+      # ASA-6-302023, 302025, 302027
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Teardown stub'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'duration'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+            - fieldName: log.irrelevant
+              pattern: 'bytes'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.reason
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302023 || log.messageId==302025 || log.messageId==302027
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302023 || log.messageId==302025 || log.messageId==302027
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==302023 || log.messageId==302025 || log.messageId==302027
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302023 || log.messageId==302025 || log.messageId==302027
+      #......................................................................#
+      # ASA-302033,302034
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '(Pre-allocated|Unable to pre-allocate) H323 GUP Connection'
+            - fieldName: log.irrelevant
+              pattern: 'for faddr'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.tmpPortFrom
+              pattern: '{{.data}}to laddr'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: log.tmpIpPortTo
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302033 || log.messageId==302034
+      # Parsing optional ports from y to
+      - grok:
+          patterns:
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpPortFrom
+          where: log.messageId==302033 || log.messageId==302034
+      - grok:
+          patterns:
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.greedy}}'
+          source: log.tmpIpPortTo
+          where: log.messageId==302033 || log.messageId==302034
+      - grok:
+          patterns:
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+          source: log.tmpIpPortTo
+          where: log.messageId==302033 || log.messageId==302034
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302033 || log.messageId==302034
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==302033 || log.messageId==302034
+      # Remove tmp fields
+      - delete:
+          fields:
+            - log.tmpPortFrom
+            - log.tmpIpPortTo
+          where: log.messageId==302033 || log.messageId==302034
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302033
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==302034
+      #......................................................................#
+      #ASA-6-302035
+      - grok:
+          patterns:
+            - fieldName: log.tmpDirection
+              pattern: 'Built\s{{.word}}\s{{.word}}\sconnection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpFrom
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortFrom
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpTo
+              pattern: '{{.data}}/'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302035
+      # Parsing direction field
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: log.direction
+              pattern: '{{.word}}'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpDirection
+          where: log.messageId==302035
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==302035
+      # Parsing port to, firewall user to, and, from user
+      - grok:
+          patterns:
+            - fieldName: log.mappedPortTo
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.tmpFwUserTo
+              pattern: '{{.greedy}}'
+          source: log.rest
+          where: log.messageId==302035
+      # Without user info
+      - grok:
+          patterns:
+            - fieldName: log.mappedPortTo
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+          source: log.rest
+          where: log.messageId==302035
+      # Parsing firewall user to
+      # With origin.user
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+          source: log.tmpFwUserTo
+          where: log.messageId==302035
+      # Without origin.user
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+          source: log.tmpFwUserTo
+          where: log.messageId==302035
+
+      # Decoding outside and inside sg_info
+      - grok:
+          patterns:
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}(\s)?,'
+            - fieldName: log.outsideSgInfo
+              pattern: '{{.data}}\)'
+          source: log.firewallUserFrom
+          where: log.messageId==302035
+      - grok:
+          patterns:
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}(\s)?,'
+            - fieldName: log.insideSgInfo
+              pattern: '{{.data}}\)'
+          source: log.firewallUserTo
+          where: log.messageId==302035
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - origin.user
+            - log.insideSgInfo
+            - log.outsideSgInfo
+          where: log.messageId==302035
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpDirection
+            - log.tmpFwUserFrom
+            - log.tmpFwUserTo
+          where: log.messageId==302035
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302035
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+            - log.mappedIpFrom
+            - log.mappedIpTo
+          where: log.messageId==302035
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.connectionId
+          where: log.messageId==302035
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+          where: log.messageId==302035
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302035
+      #......................................................................#
+      # ASA-6-302036
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Teardown\s{{.word}}\sconnection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserTo
+              pattern: '({{.data}})?duration'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+            - fieldName: log.irrelevant
+              pattern: 'bytes'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.reason
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302036
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Teardown'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==302036
+      # Decoding outside and inside firewall user, and sg_info
+      # Side from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}(\s)?,'
+            - fieldName: log.outsideSgInfo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==302036
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==302036
+      # Side to
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}(\s)?,'
+            - fieldName: log.insideSgInfo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserTo
+          where: log.messageId==302036
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserTo
+          where: log.messageId==302036
+      # Parsing origin.user from log.reason field
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+          source: log.reason
+          where: log.messageId==302036
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - origin.user
+          where: log.messageId==302036
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpFwUserTo
+          where: log.messageId==302036
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302036
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==302036
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.connectionId
+          where: log.messageId==302036
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+          where: log.messageId==302036
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302036
+      #......................................................................#
+      # ASA-6-302303
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Built\s{{.word}}\sstate-bypass\sconnection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})from'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpFrom
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortFrom
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpTo
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortTo
+              pattern: '{{.integer}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302303
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==302303
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302303
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+            - log.mappedIpFrom
+            - log.mappedIpTo
+          where: log.messageId==302303
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - log.connectionId
+          where: log.messageId==302303
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302303
+      #......................................................................#
+      # ASA-6-302304
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Teardown\s{{.word}}\sstate-bypass\sconnection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})from'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+            - fieldName: log.irrelevant
+              pattern: ','
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: ','
+            - fieldName: log.reason
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302304
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==302304
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302304
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==302304
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - log.connectionId
+          where: log.messageId==302304
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302304
+      #......................................................................#
+      # ASA-6-302305
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Built\s{{.word}}\sstate-bypass\sconnection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpFrom
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortFrom
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpTo
+              pattern: '{{.data}}/'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302305
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==302305
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==302305
+      # Parsing port to, firewall user to, and, from user
+      - grok:
+          patterns:
+            - fieldName: log.mappedPortTo
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.tmpFwUserTo
+              pattern: '{{.greedy}}'
+          source: log.rest
+          where: log.messageId==302305
+      # Without user info
+      - grok:
+          patterns:
+            - fieldName: log.mappedPortTo
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+          source: log.rest
+          where: log.messageId==302305
+      # Parsing firewall user to
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+          source: log.tmpFwUserTo
+          where: log.messageId==302305
+
+      # Decoding outside and inside sg_info
+      - grok:
+          patterns:
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}(\s)?,'
+            - fieldName: log.outsideSgInfo
+              pattern: '{{.data}}\)'
+          source: log.firewallUserFrom
+          where: log.messageId==302305
+      - grok:
+          patterns:
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}(\s)?,'
+            - fieldName: log.insideSgInfo
+              pattern: '{{.data}}\)'
+          source: log.firewallUserTo
+          where: log.messageId==302305
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - origin.user
+            - log.insideSgInfo
+            - log.outsideSgInfo
+          where: log.messageId==302305
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpFwUserTo
+          where: log.messageId==302305
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302305
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+            - log.mappedIpFrom
+            - log.mappedIpTo
+          where: log.messageId==302305
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.connectionId
+          where: log.messageId==302305
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+          where: log.messageId==302305
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302305
+      #......................................................................#
+      # ASA-6-302306
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Teardown\s{{.word}}\sstate-bypass\sconnection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserTo
+              pattern: '({{.data}})?duration'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+            - fieldName: log.irrelevant
+              pattern: 'bytes'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.reason
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==302306
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Teardown'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==302306
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==302306
+      # Parsing firewall user to
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+          source: log.tmpFwUserTo
+          where: log.messageId==302306
+
+      # Decoding outside and inside sg_info
+      - grok:
+          patterns:
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}(\s)?,'
+            - fieldName: log.outsideSgInfo
+              pattern: '{{.data}}\)'
+          source: log.firewallUserFrom
+          where: log.messageId==302306
+      - grok:
+          patterns:
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}(\s)?,'
+            - fieldName: log.insideSgInfo
+              pattern: '{{.data}}\)'
+          source: log.firewallUserTo
+          where: log.messageId==302306
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - log.insideSgInfo
+            - log.outsideSgInfo
+          where: log.messageId==302306
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpFwUserTo
+          where: log.messageId==302306
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==302306
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==302306
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.connectionId
+          where: log.messageId==302306
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+          where: log.messageId==302306
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==302306
+      #......................................................................#
+      # ASA-6-305009
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Built (dynamic|static) translation'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: log.tmpAclSrcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: log.mappedIpTo
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==305009
+      # Parsing srcInterface
+      # With ACL
+      - grok:
+          patterns:
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}\('
+            - fieldName: log.accessList
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpAclSrcInterface
+          where: log.messageId==305009
+      # Without ACL
+      - grok:
+          patterns:
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}:'
+          source: log.tmpAclSrcInterface
+          where: log.messageId==305009
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==305009
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpAclSrcInterface
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.accessList
+          where: log.messageId==305009
+      - trim:
+          function: suffix
+          substring: '('
+          fields:
+            - log.srcInterface
+          where: log.messageId==305009
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==305009
+      #......................................................................#
+      # ASA-6-305010
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Teardown (dynamic|static) translation'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'duration'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+          source: log.msg
+          where: log.messageId==305010
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==305010
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+          where: log.messageId==305010
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==305010
+      #......................................................................#
+      # ASA-6-305011
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Built\s(dynamic|static)\s(TCP|UDP|ICMP)\stranslation'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+          source: log.msg
+          where: log.messageId==305011
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==305011
+      # Parsing protocol
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Built\s(dynamic|static)'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==305011
+
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+          where: log.messageId==305011
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+          where: log.messageId==305011
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==305011
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==305011
+      #......................................................................#
+      # ASA-6-305012
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Teardown\s(dynamic|static)\s(TCP|UDP|ICMP)\stranslation'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: log.tmpAclSrcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'duration'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+          source: log.msg
+          where: log.messageId==305012
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: log.messageId==305012
+      # Parsing protocol
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Teardown\s(dynamic|static)'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==305012
+      # Parsing srcInterface
+      # With ACL
+      - grok:
+          patterns:
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}\('
+            - fieldName: log.accessList
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpAclSrcInterface
+          where: log.messageId==305012
+      # Without ACL
+      - grok:
+          patterns:
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}:'
+          source: log.tmpAclSrcInterface
+          where: log.messageId==305012
+      # Parsing srcInterface from himself to avoid parsing issues
+      - grok:
+          patterns:
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}\('
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.srcInterface
+          where: log.messageId==305012
+
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.accessList
+          where: log.messageId==305012
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpAclSrcInterface
+          where: log.messageId==305012
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: log.messageId==305012
+      - trim:
+          function: suffix
+          substring: '('
+          fields:
+            - log.srcInterface
+          where: log.messageId==305012
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==305012
+      #......................................................................#
+      # ASA-3-322001
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '{{.word}}\sMAC\saddress'
+            - fieldName: log.localMac
+              pattern: '{{.data}}(\s)?,'
+            - fieldName: log.reason
+              pattern: '{{.data}}on'
+            - fieldName: log.irrelevant
+              pattern: 'interface'
+            - fieldName: log.srcInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==322001
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==322001
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.localMac
+          where: log.messageId==322001
+      - trim:
+          function: suffix
+          substring: 'on'
+          fields:
+            - log.reason
+          where: log.messageId==322001
+      #......................................................................#
+      # ASA-3-322002
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '{{.word}}\sinspection\scheck'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'for\sarp'
+            - fieldName: log.httpMessageType
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'received\sfrom\shost'
+            - fieldName: origin.mac
+              pattern: '{{.data}}on'
+            - fieldName: log.irrelevant
+              pattern: 'interface'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}\.'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}Address'
+            - fieldName: log.fakeSrcMac
+              pattern: '{{.data}}for'
+            - fieldName: log.irrelevant
+              pattern: 'IP\sAddress'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}Address'
+            - fieldName: log.boudSrcMac
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==322002
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'inspection check'
+          source: action
+          where: log.messageId==322002
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'on'
+          fields:
+            - origin.mac
+          where: log.messageId==322002
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.fakeSrcMac
+          where: log.messageId==322002
+      - trim:
+          function: suffix
+          substring: '.'
+          fields:
+            - log.srcInterface
+          where: log.messageId==322002
+      #......................................................................#
+      # ASA-3-322003
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '{{.word}}\sinspection\scheck'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'for\sarp'
+            - fieldName: log.httpMessageType
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'received\sfrom\shost'
+            - fieldName: origin.mac
+              pattern: '{{.data}}on'
+            - fieldName: log.irrelevant
+              pattern: 'interface'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}\.'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}Address'
+            - fieldName: log.fakeSrcMac
+              pattern: '{{.data}}for'
+            - fieldName: log.irrelevant
+              pattern: 'IP\sAddress'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==322003
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'inspection check'
+          source: action
+          where: log.messageId==322003
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'on'
+          fields:
+            - origin.mac
+          where: log.messageId==322003
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.fakeSrcMac
+          where: log.messageId==322003
+      - trim:
+          function: suffix
+          substring: '.'
+          fields:
+            - log.srcInterface
+          where: log.messageId==322003
+      #......................................................................#
+      # ASA-4-400000 to 400050
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'IPS\:(\s)?'
+            - fieldName: log.signatureId
+              pattern: '{{.integer}}'
+            - fieldName: action
+              pattern: '{{.data}}from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'on\sinterface'
+            - fieldName: log.srcInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId>=400000 && log.messageId<=400050
+      # Cleaning action before extract protocol
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - action
+          where: log.messageId>=400000 && log.messageId<=400050
+      - grok:
+          patterns:
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: (log.messageId>=400000 && log.messageId<=400022) || (log.messageId>=400026 && log.messageId<=400040)
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '{{.word}}'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==400023 || log.messageId==400024 || log.messageId==400041
+      #......................................................................#
+      # ASA-4-402114
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'IPSEC\:(\s)?'
+            - fieldName: action
+              pattern: 'Received\s(an|a)\s{{.word}}\spacket'
+            - fieldName: log.irrelevant
+              pattern: '\({{.data}}='
+            - fieldName: log.spi
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}='
+            - fieldName: log.seqNum
+              pattern: '{{.integer}}(\s)?\)'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==402114
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Received\s(an|a)'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==402114
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.spi
+          where: log.messageId==402114
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.seqNum
+          where: log.messageId==402114
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==402114
+      #......................................................................#
+      # ASA-4-402115
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'IPSEC\:(\s)?'
+            - fieldName: action
+              pattern: 'Received\sa\spacket'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'containing'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'data instead of'
+            - fieldName: log.expectedProtocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==402115
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==402115
+      #......................................................................#
+      # ASA-4-402116
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'IPSEC\:(\s)?'
+            - fieldName: action
+              pattern: 'Received\s(an|a)\s{{.word}}\spacket'
+            - fieldName: log.irrelevant
+              pattern: '\({{.data}}='
+            - fieldName: log.spi
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}='
+            - fieldName: log.seqNum
+              pattern: '{{.integer}}(\s)?\)'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}as'
+            - fieldName: log.decapsulatedPktDestAddr
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}as'
+            - fieldName: log.decapsulatedPktSrcAddr
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}as'
+            - fieldName: log.decapsulatedPktProto
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}as'
+            - fieldName: log.localProxyIpAddr
+              pattern: '{{.data}}/'
+            - fieldName: log.localProxyIpMask
+              pattern: '{{.data}}/'
+            - fieldName: log.localProxyProto
+              pattern: '{{.data}}/'
+            - fieldName: log.localProxyPort
+              pattern: '{{.data}}and'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}as'
+            - fieldName: log.remoteProxyIpAddr
+              pattern: '{{.data}}/'
+            - fieldName: log.remoteProxyIpMask
+              pattern: '{{.data}}/'
+            - fieldName: log.remoteProxyProto
+              pattern: '{{.data}}/'
+            - fieldName: log.remoteProxyPort
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==402116
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Received\s(an|a)'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==402116
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.spi
+          where: log.messageId==402116
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.seqNum
+            - origin.user
+          where: log.messageId==402116
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - log.localProxyIpAddr
+            - log.localProxyIpMask
+            - log.localProxyProto
+            - log.remoteProxyIpAddr
+            - log.remoteProxyIpMask
+            - log.remoteProxyPort
+            - log.remoteProxyProto
+          where: log.messageId==402116
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.seqNum
+            - origin.user
+          where: log.messageId==402116
+      - trim:
+          function: suffix
+          substring: 'and'
+          fields:
+            - log.localProxyPort
+          where: log.messageId==402116
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==402116
+      #......................................................................#
+      # ASA-4-402117
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'IPSEC\:(\s)?'
+            - fieldName: action
+              pattern: 'Received a non-IPsec \((\s)?{{.word}}(\s)?\) packet'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==402117
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Received a non-IPsec \('
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==402117
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==402117
+      #......................................................................#
+      # ASA-4-402118
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'IPSEC\:(\s)?'
+            - fieldName: action
+              pattern: 'Received\s(an|a)\s{{.word}}\spacket'
+            - fieldName: log.irrelevant
+              pattern: '\({{.data}}='
+            - fieldName: log.spi
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}='
+            - fieldName: log.seqNum
+              pattern: '{{.integer}}(\s)?\)'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}length'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'with offset'
+            - fieldName: log.fragmentOffset
+              pattern: '{{.integer}}'
+          source: log.msg
+          where: log.messageId==402118
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Received\s(an|a)'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==402118
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.seqNum
+            - origin.user
+          where: log.messageId==402118
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.spi
+          where: log.messageId==402118
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==402118
+      #......................................................................#
+      # ASA-4-402119, 402120
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'IPSEC\:(\s)?'
+            - fieldName: action
+              pattern: 'Received\s(an|a)\s{{.word}}\spacket'
+            - fieldName: log.irrelevant
+              pattern: '\({{.data}}='
+            - fieldName: log.spi
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}='
+            - fieldName: log.seqNum
+              pattern: '{{.integer}}(\s)?\)'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==402119 || log.messageId==402120
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Received\s(an|a)'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==402119 || log.messageId==402120
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.seqNum
+            - origin.user
+          where: log.messageId==402119 || log.messageId==402120
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.spi
+          where: log.messageId==402119 || log.messageId==402120
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==402119 || log.messageId==402120
+      #......................................................................#
+      # ASA-5-402128
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'CRYPTO\:(\s)?'
+            - fieldName: action
+              pattern: 'An attempt to allocate a large memory block'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\:'
+            - fieldName: log.memorySize
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\:'
+            - fieldName: log.memoryLimit
+              pattern: '{{.integer}}'
+          source: log.msg
+          where: log.messageId==402128
+      #......................................................................#
+      # ASA-4-405001
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Received ARP (request|response) collision'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.mac
+              pattern: '{{.data}}on'
+            - fieldName: log.irrelevant
+              pattern: 'interface'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}with'
+            - fieldName: log.irrelevant
+              pattern: 'existing ARP entry'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.mac
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==405001
+      # Adding protocol
+      - add:
+          function: 'string'
+          params:
+            key: protocol
+            value: 'ARP'
+          where: log.messageId==405001
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==405001
+      - trim:
+          function: suffix
+          substring: 'on'
+          fields:
+            - origin.mac
+          where: log.messageId==405001
+      - trim:
+          function: suffix
+          substring: 'with'
+          fields:
+            - log.srcInterface
+          where: log.messageId==405001
+      #......................................................................#
+      # ASA-4-405002
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Received mac mismatch collision'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.mac
+              pattern: '{{.data}}for'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==405002
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - origin.mac
+          where: log.messageId==405002
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+          where: log.messageId==405002
+      #......................................................................#
+      # ASA-4-406001
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'FTP port command low port(\s)?\:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+            - fieldName: log.irrelevant
+              pattern: 'on interface'
+            - fieldName: log.srcInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==406001
+      # Adding protocol
+      - add:
+          function: 'string'
+          params:
+            key: protocol
+            value: 'FTP'
+          where: log.messageId==406001
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - action
+          where: log.messageId==406001
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+          where: log.messageId==406001
+      #......................................................................#
+      # ASA-4-406002
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'FTP port command different address(\s)?\:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.connectionIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '(\s)?\)'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'on interface'
+            - fieldName: log.srcInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==406002
+      # Adding protocol
+      - add:
+          function: 'string'
+          params:
+            key: protocol
+            value: 'FTP'
+          where: log.messageId==406002
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - action
+          where: log.messageId==406002
+      #......................................................................#
+      # ASA-4-407002
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Embryonic limit {{.data}} for through connections exceeded'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\.'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.globalIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '(\s)?\)(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'on interface'
+            - fieldName: log.srcInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==407002
+      # Connection number and connection limit
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Embryonic limit'
+            - fieldName: log.numCons
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '/'
+            - fieldName: log.limit
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==407002
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==407002
+      #......................................................................#
+      # ASA-6-603109
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Teardown PPPOE Tunnel'
+            - fieldName: log.irrelevant
+              pattern: 'at'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'tunnel-id(\s)?=(\s)?'
+            - fieldName: log.tunnelId
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'remote-peer(\s)?=(\s)?'
+            - fieldName: origin.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==603109
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Teardown'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==603109
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.srcInterface
+            - log.tunnelId
+          where: log.messageId==603109
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==603109
+      #......................................................................#
+      # ASA-6-605004
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Login\s{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}\:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.service
+              pattern: '{{.data}}for'
+            - fieldName: log.irrelevant
+              pattern: 'user'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==605004
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Login'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+          source: action
+          where: log.messageId==605004
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==605004
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==605004
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.service
+          where: log.messageId==605004
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.dstInterface
+          where: log.messageId==605004
+      - trim:
+          function: prefix
+          substring: '"'
+          fields:
+            - origin.user
+          where: log.messageId==605004
+      - trim:
+          function: suffix
+          substring: '"'
+          fields:
+            - origin.user
+          where: log.messageId==605004
+      #......................................................................#
+      # ASA-6-617100
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Teardown {{.integer}} connection(\s)?(\(s\))?'
+            - fieldName: log.irrelevant
+              pattern: 'for user'
+            - fieldName: origin.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==617100
+      # Connection number
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Teardown'
+            - fieldName: log.numCons
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==617100
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==617100
+      #......................................................................#
+      # ASA-2-106018
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'ICMP packet'
+            - fieldName: log.irrelevant
+              pattern: 'type'
+            - fieldName: log.icmpType
+              pattern: '{{.data}}\s'
+            - fieldName: log.ciscoResult
+              pattern: 'denied'
+            - fieldName: log.irrelevant
+              pattern: 'by'
+            - fieldName: log.direction
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'list'
+            - fieldName: log.accessList
+              pattern: '{{.data}}src'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'dest'
+            - fieldName: target.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==106018
+      # Adding protocol
+      - add:
+          function: 'string'
+          params:
+            key: protocol
+            value: 'ICMP'
+          where: log.messageId==106018
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'src'
+          fields:
+            - log.accessList
+          where: log.messageId==106018
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==106018
+      #......................................................................#
+      # ASA-2-106020
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Deny IP teardrop fragment'
+            - fieldName: log.irrelevant
+              pattern: '\((\s)?size(\s)?='
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: ',(\s)?offset(\s)?='
+            - fieldName: log.fragmentOffset
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)(\s)?from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==106020
+      # Adding log.ciscoResult
+      - add:
+          function: 'string'
+          params:
+            key: log.ciscoResult
+            value: 'Denied'
+          where: log.messageId==106020
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==106020
+      #......................................................................#
+      # ASA-6-611301
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:'
+            - fieldName: action
+              pattern: 'NAT configured for Client Mode with no split tunneling'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}ress\:'
+            - fieldName: log.mappedIp
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==611301
+      # Adding protocol
+      - add:
+          function: 'string'
+          params:
+            key: protocol
+            value: 'NAT'
+          where: log.messageId==611301
+      #......................................................................#
+      # ASA-6-611303
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:'
+            - fieldName: action
+              pattern: 'NAT configured for Client Mode with split tunneling'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}ress\:'
+            - fieldName: log.mappedIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}works\:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.netmaskFrom
+              pattern: '{{.data}}\s'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.netmaskTo
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==611303
+      # Adding protocol
+      - add:
+          function: 'string'
+          params:
+            key: protocol
+            value: 'NAT'
+          where: log.messageId==611303
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==611303
+      #......................................................................#
+      # ASA-6-611304
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:'
+            - fieldName: action
+              pattern: 'NAT exemption configured for Network Extension Mode with split tunneling'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}works\:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.netmaskFrom
+              pattern: '{{.data}}\s'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.netmaskTo
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==611304
+      # Adding protocol
+      - add:
+          function: 'string'
+          params:
+            key: protocol
+            value: 'NAT'
+          where: log.messageId==611304
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==611304
+      #......................................................................#
+      # ASA-6-611307
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:(\s)?Head end\:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.msg
+          where: log.messageId==611307
+      # Adding action and log.ciscoResult
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'The VPN client is connected to the specified headend'
+          where: log.messageId==611307
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==611307
+      #......................................................................#
+      # ASA-6-611309
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:'
+            - fieldName: action
+              pattern: 'Disconnecting from head end and uninstalling previously downloaded policy'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}End\:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.msg
+          where: log.messageId==611309
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==611309
+      #......................................................................#
+      # ASA-6-611310,611311
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:'
+            - fieldName: action
+              pattern: 'XAUTH'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?Peer(\s)?\:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.msg
+          where: log.messageId==611310 || log.messageId==611311
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==611310
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==611311
+      #......................................................................#
+      # ASA-6-611314
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:(\s)?Load Balancing Cluster with Virtual IP\:(\s)?'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}server'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.msg
+          where: log.messageId==611314
+      # Adding action
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'Load Balancing Cluster redirected the Secure Firewall'
+          where: log.messageId==611314
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==611314
+      #......................................................................#
+      # ASA-6-611315
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:(\s)?Disconnecting from Load Balancing Cluster member(\:)?(\s)?'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.msg
+          where: log.messageId==611315
+      # Adding action
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'Disconnecting from Load Balancing Cluster'
+          where: log.messageId==611315
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==611315
+      #......................................................................#
+      # ASA-6-611318
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:'
+            - fieldName: action
+              pattern: 'User Authentication Enabled'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}IP(\s)?\:'
+            - fieldName: log.authServerIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}Port(\s)?\:'
+            - fieldName: log.authServerPort
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}out(\s)?\:'
+            - fieldName: log.timeOut
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==611318
+      #......................................................................#
+      # ASA-3-710003
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '(TCP|UDP) access denied by ACL'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==710003
+      # Protocol and log.ciscoResult
+      - grok:
+          patterns:
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.word}}'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==710003
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: log.messageId==710003
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.dstInterface
+          where: log.messageId==710003
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==710003
+      #......................................................................#
+      # ASA-5-713252,713253
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Group(\s)?='
+            - fieldName: origin.group
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'Username(\s)?='
+            - fieldName: origin.user
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'IP(\s)?='
+            - fieldName: origin.ip
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}available(\.)?'
+            - fieldName: action
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==713252 || log.messageId==713253
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+          where: log.messageId==713252 || log.messageId==713253
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.user
+          where: log.messageId==713252 || log.messageId==713253
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.user
+          where: log.messageId==713252 || log.messageId==713253
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==713252
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==713253
+      #......................................................................#
+      # ASA-6-716001,716002,716003
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Group(\s)?'
+            - fieldName: origin.group
+              pattern: '{{.data}}User'
+            - fieldName: origin.user
+              pattern: '{{.data}}IP'
+            - fieldName: origin.ip
+              pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?'
+            - fieldName: action
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'User'
+          fields:
+            - origin.group
+          where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003
+      - trim:
+          function: suffix
+          substring: 'IP'
+          fields:
+            - origin.user
+          where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003
+      - trim:
+          function: prefix
+          substring: '<'
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+          where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003
+      - trim:
+          function: suffix
+          substring: '>'
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+          where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.user
+          where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.user
+          where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==716001 || log.messageId==716002
+      #......................................................................#
+      # ASA-6-716004,716005,716006,716007,716009
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Group(\s)?'
+            - fieldName: origin.group
+              pattern: '{{.data}}User'
+            - fieldName: origin.user
+              pattern: '{{.data}}\s'
+            - fieldName: action
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'User'
+          fields:
+            - origin.group
+          where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+      - trim:
+          function: prefix
+          substring: '<'
+          fields:
+            - origin.group
+            - origin.user
+          where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+      - trim:
+          function: suffix
+          substring: '>'
+          fields:
+            - origin.group
+            - origin.user
+          where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.user
+          where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.user
+          where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==716004 || log.messageId==716007 || log.messageId==716009
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==716006
+      #......................................................................#
+      # ASA-6-716038
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Group(\s)?'
+            - fieldName: origin.group
+              pattern: '{{.data}}User'
+            - fieldName: origin.user
+              pattern: '{{.data}}IP'
+            - fieldName: origin.ip
+              pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?'
+            - fieldName: action
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==716038
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==716038
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'User'
+          fields:
+            - origin.group
+          where: log.messageId==716038
+      - trim:
+          function: suffix
+          substring: 'IP'
+          fields:
+            - origin.user
+          where: log.messageId==716038
+      - trim:
+          function: prefix
+          substring: '<'
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+          where: log.messageId==716038
+      - trim:
+          function: suffix
+          substring: '>'
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+          where: log.messageId==716038
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.user
+          where: log.messageId==716038
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.user
+          where: log.messageId==716038
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - action
+          where: log.messageId==716038
+      #......................................................................#
+      # ASA-6-716039
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'group(\s)?='
+            - fieldName: origin.group
+              pattern: '{{.data}}user'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.user
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==716039
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==716039
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - action
+            - origin.user
+          where: log.messageId==716039
+      - trim:
+          function: suffix
+          substring: 'user'
+          fields:
+            - origin.group
+          where: log.messageId==716039
+      #......................................................................#
+      # ASA-6-719017,719019,719020,719021,719022,719023
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'WebVPN user(\:)?'
+            - fieldName: origin.user
+              pattern: '{{.data}}\s'
+            - fieldName: action
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==719017 || (log.messageId>=719019 && log.messageId<=719023)
+      # Adding log.ciscoResult and modifying some actions
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==719019 || log.messageId==719023
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==719020 || log.messageId==719022
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'WebVPN user is not checked against ACL'
+          where: log.messageId==719021
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'WebVPN user has been authenticated'
+          where: log.messageId==719022
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'WebVPN user has not been authenticated'
+          where: log.messageId==719023
+      # Cleaning fields
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.user
+          where: log.messageId==719017 || (log.messageId>=719019 && log.messageId<=719023)
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.user
+          where: log.messageId==719017 || (log.messageId>=719019 && log.messageId<=719023)
+      #......................................................................#
+      # ASA-6-719018
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'WebVPN user(\:)?'
+            - fieldName: origin.user
+              pattern: '{{.data}}\s'
+            - fieldName: log.irrelevant
+              pattern: 'ACL ID'
+            - fieldName: log.accessList
+              pattern: '{{.data}}not'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==719018
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.user
+          where: log.messageId==719018
+      - trim:
+          function: suffix
+          substring: 'not'
+          fields:
+            - log.accessList
+          where: log.messageId==719018
+      #......................................................................#
+      # ASA-6-719024
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Email Proxy piggyback auth fail'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}='
+            - fieldName: log.sessionPointer
+              pattern: '{{.data}}user'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.user
+              pattern: '{{.data}}addr'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==719024
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'user'
+          fields:
+            - log.sessionPointer
+          where: log.messageId==719024
+      - trim:
+          function: suffix
+          substring: 'addr'
+          fields:
+            - origin.user
+          where: log.messageId==719024
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: log.messageId==719024
+      #......................................................................#
+      # ASA-7-609002
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Teardown local-host'
+            - fieldName: log.zoneName
+              pattern: '{{.data}}/'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'duration'
+            - fieldName: log.duration
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==609002
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - log.zoneName
+          where: log.messageId==609002
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==609002
+      #......................................................................#
+      # ASA-6-611305
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient(\s)?\:'
+            - fieldName: action
+              pattern: 'DHCP Policy installed'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}DNS(\s)?\:'
+            - fieldName: log.primaryDns
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}DNS(\s)?\:'
+            - fieldName: log.secondaryDns
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}WINS(\s)?\:'
+            - fieldName: log.primaryWins
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}WINS(\s)?\:'
+            - fieldName: log.secondaryWins
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.msg
+          where: log.messageId==611305
+      #......................................................................#
+      # ASA-4-733100
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '{{.data}}exceeded'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.burstRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.maxBurstRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.avgRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.maxAvgRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.cumulativeTotalCount
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==733100
+      # Cleaning cumulative total count
+      - grok:
+          patterns:
+            - fieldName: log.cumulativeTotalCount
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.cumulativeTotalCount
+          where: log.messageId==733100
+      # Parsing drop source object
+      - grok:
+          patterns:
+            - fieldName: log.dropSourceObject
+              pattern: '{{.data}}drop'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==733100
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'drop'
+          fields:
+            - log.dropSourceObject
+          where: log.messageId==733100
+      - trim:
+          function: suffix
+          substring: ']'
+          fields:
+            - log.dropSourceObject
+          where: log.messageId==733100
+      - trim:
+          function: prefix
+          substring: '['
+          fields:
+            - log.dropSourceObject
+          where: log.messageId==733100
+      #......................................................................#
+      # ASA-4-733101
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '{{.data}}(targeted|attacking)'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.burstRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.maxBurstRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.avgRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.maxAvgRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.cumulativeTotalCount
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==733101
+      # Cleaning cumulative total count
+      - grok:
+          patterns:
+            - fieldName: log.cumulativeTotalCount
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.cumulativeTotalCount
+          where: log.messageId==733101
+      # Parsing drop source object
+      - grok:
+          patterns:
+            - fieldName: log.dropSourceObject
+              pattern: '{{.word}}'
+            - fieldName: log.tmpIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: log.messageId==733101
+      # Renaming from or to ip, according to -> if (targeted|attacking)
+      - rename:
+          from:
+            - log.tmpIp
+          to: origin.ip
+          where: log.messageId==733101 && contains("action", "attacking")
+      - rename:
+          from:
+            - log.tmpIp
+          to: target.ip
+          where: log.messageId==733101 && contains("action", "targeted")
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: log.messageId==733101
+      #......................................................................#
+      # ASA-4-733102, 733103
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}host'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: log.messageId==733102 || log.messageId==733103
+      # Adding action
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'Threat-detection add host to shun list'
+          where: (equals("log.messageId", 733102) || equals("log.messageId", 733103)) && contains("log.msg", "add")
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'Threat-detection removes host to shun list'
+          where: (equals("log.messageId", 733102) || equals("log.messageId", 733103)) && contains("log.msg", "removes")
+      #......................................................................#
+      # Decoding severity
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'high'
+          where: oneOf("log.severity", ["1", "2", "3"])
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'medium'
+          where: log.severity=="4"
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'low'
+          where: oneOf("log.severity", ["5", "6", "7"])
+      #......................................................................#
+      # Adding common geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: origin.ip
+            destination: origin.geolocation
+          where: exists("origin.ip")
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: target.ip
+            destination: target.geolocation
+          where: exists("target.ip")
+      # Adding log.mappedIpFrom geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.mappedIpFrom
+            destination: log.mappedIpFrom.geolocation
+          where: exists("log.mappedIpFrom")
+      # Adding log.mappedIpTo geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.mappedIpTo
+            destination: log.mappedIpTo.geolocation
+          where: exists("log.mappedIpTo")
+      # Adding log.translatedIpFrom geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.translatedIpFrom
+            destination: log.translatedIpFrom.geolocation
+          where: exists("log.translatedIpFrom")
+      # Adding log.translatedIpTo geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.translatedIpTo
+            destination: log.translatedIpTo.geolocation
+          where: exists("log.translatedIpTo")
+      # Adding log.globalIp geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.globalIp
+            destination: log.globalIp.geolocation
+          where: exists("log.globalIp")
+      # Adding log.remoteIp geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.remoteIp
+            destination: log.remoteIp.geolocation
+          where: exists("log.remoteIp")
+      # Adding log.mappedIp geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.mappedIp
+            destination: log.mappedIp.geolocation
+          where: exists("log.mappedIp")
+      # Adding log.decapsulatedPktDestAddr geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.decapsulatedPktDestAddr
+            destination: log.decapsulatedPktDestAddr.geolocation
+          where: exists("log.decapsulatedPktDestAddr")
+      # Adding log.decapsulatedPktSrcAddr geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.decapsulatedPktSrcAddr
+            destination: log.decapsulatedPktSrcAddr.geolocation
+          where: exists("log.decapsulatedPktSrcAddr")
+      # Adding log.localProxyIpAddr geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.localProxyIpAddr
+            destination: log.localProxyIpAddr.geolocation
+          where: exists("log.localProxyIpAddr")
+      # Adding log.remoteProxyIpAddr geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.remoteProxyIpAddr
+            destination: log.remoteProxyIpAddr.geolocation
+          where: exists("log.remoteProxyIpAddr")
+      # Adding log.primaryDns geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.primaryDns
+            destination: log.primaryDns.geolocation
+          where: exists("log.primaryDns")
+      # Adding log.secondaryDns geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.secondaryDns
+            destination: log.secondaryDns.geolocation
+          where: exists("log.secondaryDns")
+      # Adding log.primaryWins geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.primaryWins
+            destination: log.primaryWins.geolocation
+          where: exists("log.primaryWins")
+      # Adding log.secondaryWins geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.secondaryWins
+            destination: log.secondaryWins.geolocation
+          where: exists("log.secondaryWins")
+      #......................................................................#
+      # Common field conversions
+      - cast:
+          fields:
+            - origin.port
+            - target.port
+          to: int
+      # Removing unused fields
+      - delete:
+          fields:
+            - log.asaHeader
+            - log.ciscoSeparator
+            - log.irrelevant
+            - log.syslogPri
+            - log.rest
+
+
+                $$
+	WHERE id = 301 ;
+            ]]>
+        
+    
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210002_update_filter_cisco_switch.xml b/backend/src/main/resources/config/liquibase/changelog/20260210002_update_filter_cisco_switch.xml
new file mode 100644
index 000000000..207beaa8e
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260210002_update_filter_cisco_switch.xml
@@ -0,0 +1,181 @@
+
+
+
+    
+
+        
+             Syslog
+#
+# 1. Parsing the message field
+pipeline:
+  - dataTypes:
+      - cisco-switch
+    steps:
+      # Header fields
+      - grok:
+          patterns:
+            - fieldName: log.switchHeader
+              pattern: '{{.data}}%'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: raw
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(\<{{.integer}}\>)'
+            - fieldName: log.irrelevant
+              pattern: '{{.integer}}(\s)?\:'
+            - fieldName: log.ciscoTime
+              pattern: '{{.greedy}}'
+          source: log.switchHeader
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(\<{{.integer}}\>)'
+            - fieldName: log.ciscoTime
+              pattern: '{{.monthName}}{{.greedy}}'
+          source: log.switchHeader
+      - grok:
+          patterns:
+            - fieldName: log.ciscoTime
+              pattern: '{{.monthName}}{{.greedy}}'
+          source: log.switchHeader
+      #......................................................................#
+      # Beginning message parsing
+      # Variant -> %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC: Message-text
+      - grok:
+          patterns:
+            - fieldName: log.facility
+              pattern: '{{.data}}-'
+            - fieldName: log.severity
+              pattern: '{{.data}}{{.integer}}'
+            - fieldName: log.facilityMnemonic
+              pattern: '{{.data}}\:'
+            - fieldName: log.ciscoMsg
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: '(!contains("log.msg", "-MSG:SLOT")) && (!contains("log.msg", "-MSG: SLOT"))'
+      # Extracting subfacility if present
+      - grok:
+          patterns:
+            - fieldName: log.subFacility
+              pattern: '{{.greedy}}-'
+            - fieldName: log.severity
+              pattern: '{{.integer}}'
+          source: log.severity
+          where: '(!contains("log.msg", "-MSG:SLOT")) && (!contains("log.msg", "-MSG: SLOT"))'
+      # --------------------------
+      # Variant -> %CARD-SEVERITY-MSG:SLOT %FACILITY-SEVERITY-MNEMONIC: Message-text
+      - grok:
+          patterns:
+            - fieldName: log.card
+              pattern: '{{.data}}-'
+            - fieldName: log.irrelevant
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\:'
+            - fieldName: log.slot
+              pattern: 'SLOT{{.integer}}'
+            - fieldName: log.tmpFacilityMnemonic
+              pattern: '{{.data}}\:'
+            - fieldName: log.ciscoMsg
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: 'contains("log.msg", "-MSG:SLOT") || contains("log.msg", "-MSG: SLOT")'
+
+      - trim:
+          function: prefix
+          substring: '%'
+          fields:
+            - log.tmpFacilityMnemonic
+          where: 'contains("log.msg", "-MSG:SLOT") || contains("log.msg", "-MSG: SLOT")'
+      # %FACILITY-SEVERITY-MNEMONIC
+      - grok:
+          patterns:
+            - fieldName: log.facility
+              pattern: '{{.data}}-'
+            - fieldName: log.severity
+              pattern: '{{.data}}{{.integer}}'
+            - fieldName: log.facilityMnemonic
+              pattern: '{{.data}}\:'
+          source: log.tmpFacilityMnemonic
+          where: 'contains("log.msg", "-MSG:SLOT") || contains("log.msg", "-MSG: SLOT")'
+      # Extracting subfacility if present
+      - grok:
+          patterns:
+            - fieldName: log.subFacility
+              pattern: '{{.greedy}}-'
+            - fieldName: log.severity
+              pattern: '{{.integer}}'
+          source: log.severity
+          where: 'contains("log.msg", "-MSG:SLOT") || contains("log.msg", "-MSG: SLOT")'
+
+      # Cleaning common fields
+      - trim:
+          function: suffix
+          substring: '-'
+          fields:
+            - log.facility
+            - log.subFacility
+            - log.card
+      - trim:
+          function: suffix
+          substring: '%'
+          fields:
+            - log.ciscoTime
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.facilityMnemonic
+            - log.ciscoTime
+      - trim:
+          function: prefix
+          substring: '-'
+          fields:
+            - log.facilityMnemonic
+      #......................................................................#
+      # Decoding severity
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'high'
+          where: oneOf("log.severity", ["0", "1", "2", "3"])
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'medium'
+          where: log.severity=="4"
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'low'
+          where: oneOf("log.severity", ["5", "6", "7"])
+      #......................................................................#
+      # Removing unused fields
+      - delete:
+          fields:
+            - log.switchHeader
+            - log.irrelevant
+            - log.tmpFacilityMnemonic
+                $$
+	WHERE id = 1510 ;
+            ]]>
+        
+    
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210003_update_filter_cisco_firepower.xml b/backend/src/main/resources/config/liquibase/changelog/20260210003_update_filter_cisco_firepower.xml
new file mode 100644
index 000000000..2e35a2350
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260210003_update_filter_cisco_firepower.xml
@@ -0,0 +1,5161 @@
+
+
+
+    
+
+        
+             Syslog
+#
+# 1. Parsing the message field containing the Cisco Firepower log
+pipeline:
+  - dataTypes:
+      - firewall-cisco-firepower
+    steps:
+      # Common Firepower fields
+      - grok:
+          patterns:
+            - fieldName: log.syslogPri
+              pattern: '(\<{{.integer}}\>)'
+            - fieldName: log.ciscoTime
+              pattern: '{{.day}}\s{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}'
+            - fieldName: log.localIp
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.firePowerHeader
+              pattern: '{{.data}}FTD-'
+            - fieldName: log.severity
+              pattern: '{{.integer}}'
+            - fieldName: log.messageId
+              pattern: '-{{.integer}}'
+            - fieldName: log.ciscoSeparator
+              pattern: '\:{{.space}}'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: raw
+      - grok:
+          patterns:
+            - fieldName: log.ciscoTime
+              pattern: '{{.day}}\s{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}'
+            - fieldName: log.localIp
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.firePowerHeader
+              pattern: '{{.data}}FTD-'
+            - fieldName: log.severity
+              pattern: '{{.integer}}'
+            - fieldName: log.messageId
+              pattern: '-{{.integer}}'
+            - fieldName: log.ciscoSeparator
+              pattern: '\:{{.space}}'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: raw
+      #......................................................................#
+      # Adding log.localIp geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.localIp
+            destination: log.localIp.geolocation
+          where: exists("log.localIp")
+      # Removing unwanted prefixes
+      - trim:
+          function: prefix
+          substring: '-'
+          fields:
+            - log.messageId
+      # Field conversions
+      - cast:
+          fields:
+            - log.messageId
+          to: int
+      # Begining specific message parsing
+      #......................................................................#
+      # FTD-2-106001
+      - grok:
+          patterns:
+            - fieldName: log.direction
+              pattern: '{{.word}}'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: origin.port
+              pattern: '/{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: target.port
+              pattern: '/{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'flags'
+            - fieldName: log.flags
+              pattern: '{{.data}}\s'
+            - fieldName: log.irrelevant
+              pattern: 'on\sinterface'
+            - fieldName: log.srcInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 106001)
+
+      - trim:
+          function: prefix
+          substring: '/'
+          fields:
+            - origin.port
+            - target.port
+          where: equals("log.messageId", 106001)
+      #......................................................................#
+      # FTD-2-106017
+      - grok:
+          patterns:
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'IP\sdue\sto'
+            - fieldName: action
+              pattern: '{{.greedy}}from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+          source: log.msg
+          where: equals("log.messageId", 106017)
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - action
+          where: equals("log.messageId", 106017)
+      #......................................................................#
+      # FTD-1-106021
+      - grok:
+          patterns:
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: action
+              pattern: '{{.greedy}}from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: log.irrelevant
+              pattern: 'on\sinterface'
+            - fieldName: log.srcInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 106021)
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - action
+          where: equals("log.messageId", 106021)
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 106021)
+      #......................................................................#
+      # FTD-2-106101
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Number of cached deny-flows for ACL log has reached limit'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 106101)
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Number of cached'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 106101)
+      # Parsing the limit number
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.numFlows
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.rest
+          where: equals("log.messageId", 106101)
+      # Field conversions
+      - cast:
+          fields:
+            - log.numFlows
+          to: int
+          where: equals("log.messageId", 106101)
+      #......................................................................#
+      # FTD-6-106102,FTD-4-106103
+      # First variant
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'access-list'
+            - fieldName: log.accessList
+              pattern: '{{.data}}\s'
+            - fieldName: actionResult
+              pattern: '{{.word}}'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'for user'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}})\s'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}/'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}/'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'hit-cnt'
+            - fieldName: log.hitCount
+              pattern: '{{.integer}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+      # Second variant
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'access-list'
+            - fieldName: log.accessList
+              pattern: '{{.data}}\s'
+            - fieldName: actionResult
+              pattern: '{{.word}}'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'for user'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}})\s'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}/'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: origin.port
+              pattern: '\({{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '-\>'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}/'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: target.port
+              pattern: '\({{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'hit-cnt'
+            - fieldName: log.hitCount
+              pattern: '{{.integer}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.user
+          where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.user
+          where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+      - trim:
+          function: prefix
+          substring: '('
+          fields:
+            - origin.port
+            - target.port
+          where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - origin.port
+            - target.port
+          where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && equalsIgnoreCase("actionResult", "Permitted")
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && !equalsIgnoreCase("actionResult", "Permitted")
+      #......................................................................#
+      # FTD-6-109101
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Received CoA disconnect request'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: 'for user'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}}),'
+            - fieldName: log.irrelevant
+              pattern: 'with\saudit-session-id:'
+            - fieldName: log.auditSessionId
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 109101)
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Received CoA'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 109101)
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - origin.user
+          where: equals("log.messageId", 109101)
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 109101)
+      #......................................................................#
+      # FTD-4-109102
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Received CoA {{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: ', but cannot find named session'
+            - fieldName: log.auditSessionId
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 109102)
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Received CoA'
+            - fieldName: log.ciscoResult
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 109102)
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 109102)
+      #......................................................................#
+      # FTD-3-109103
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'CoA {{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: 'failed for user'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}}),'
+            - fieldName: log.irrelevant
+              pattern: 'with session ID:'
+            - fieldName: log.auditSessionId
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 109103)
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'CoA'
+            - fieldName: log.ciscoResult
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 109103)
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - origin.user
+          where: equals("log.messageId", 109103)
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 109103)
+      #......................................................................#
+      # FTD-109201 to 109213
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'UAUTH(:)? Session(\s|=)'
+            - fieldName: log.session
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'User(\s|=)'
+            - fieldName: origin.user
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'Assigned IP(\s|=)'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: ','
+            - fieldName: action
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: greaterOrEqual("log.messageId", 109201) && log.messageId<=109213
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.session
+            - origin.user
+          where: lgreaterOrEqual("log.messageId", 109201) && log.messageId<=109213
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: greaterOrEqual("log.messageId", 109201) && log.messageId<=109213
+      #......................................................................#
+      # FTD-6-113004
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA user {{.word}} Successful'
+            - fieldName: log.irrelevant
+              pattern: '\:'
+            - fieldName: log.irrelevant
+              pattern: 'server(\s)?=(\s)?'
+            - fieldName: target.ip
+              pattern: '{{.data}}(\:|,)'
+            - fieldName: log.irrelevant
+              pattern: '(U|u)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113004)
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'AAA user {{.word}}'
+            - fieldName: log.ciscoResult
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 113004)
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - target.ip
+          where: equals("log.messageId", 113004)
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - target.ip
+          where: equals("log.messageId", 113004)
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 113004)
+      #......................................................................#
+      # FTD-6-113005
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA user authentication Rejected(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?reason(\s)?=(\s)'
+            - fieldName: log.reason
+              pattern: '{{.data}}(\:|,)'
+            - fieldName: log.irrelevant
+              pattern: '(server|Server)(\s)?=(\s)?'
+            - fieldName: target.ip
+              pattern: '{{.data}}(\:|,)'
+            - fieldName: log.irrelevant
+              pattern: '(U|u)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.data}}(\:|,)'
+            - fieldName: log.irrelevant
+              pattern: '(U|u)ser IP(\s)?=(\s)?'
+            - fieldName: origin.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113005)
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'AAA user authentication'
+            - fieldName: log.ciscoResult
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 113005)
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.reason
+            - target.ip
+            - origin.user
+          where: equals("log.messageId", 113005)
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 113005)
+      #......................................................................#
+      # FTD-6-113008
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA transaction status ACCEPT(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?(u|U)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113008)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 113008)
+      #......................................................................#
+      # FTD-6-113009
+      # First variant
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA retrieved default group policy'
+            - fieldName: log.policy
+              pattern: '\({{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'for (u|U)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113009)
+      - trim:
+          function: prefix
+          substring: '('
+          fields:
+            - log.policy
+          where: equals("log.messageId", 113009)
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.policy
+          where: equals("log.messageId", 113009)
+      # Second variant
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA retrieved default group policy'
+            - fieldName: log.policy
+              pattern: '{{.data}}\sfor'
+            - fieldName: log.irrelevant
+              pattern: '(u|U)ser(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113009)
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.policy
+          where: equals("log.messageId", 113009)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 113009)
+      #......................................................................#
+      # FTD-6-113010
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA challenge received for user'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}}) from server'
+            - fieldName: origin.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113010)
+      - trim:
+          function: suffix
+          substring: 'from server'
+          fields:
+            - origin.user
+          where: equals("log.messageId", 113010)
+      #......................................................................#
+      # FTD-6-113011
+      # First variant
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA retrieved user specific group policy'
+            - fieldName: log.policy
+              pattern: '\({{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'for (u|U)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113011)
+      - trim:
+          function: prefix
+          substring: '('
+          fields:
+            - log.policy
+          where: equals("log.messageId", 113011)
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.policy
+          where: equals("log.messageId", 113011)
+      # Second variant
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA retrieved user specific group policy'
+            - fieldName: log.policy
+              pattern: '{{.data}}\sfor'
+            - fieldName: log.irrelevant
+              pattern: '(u|U)ser(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113011)
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.policy
+          where: equals("log.messageId", 113011)
+      #......................................................................#
+      # FTD-6-113012
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA user authentication Successful(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?local database(\s)?:(\s)?user(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113012)
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'AAA user authentication'
+            - fieldName: log.ciscoResult
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 113012)
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 113012)
+      #......................................................................#
+      # FTD-6-113013
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA unable to complete the request'
+            - fieldName: log.irrelevant
+              pattern: 'Error(\s)?:(\s)?reason(\s)?=(\s)?'
+            - fieldName: log.reason
+              pattern: '{{.data}}\:'
+            - fieldName: log.irrelevant
+              pattern: 'user(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113013)
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.reason
+          where: equals("log.messageId", 113013)
+      #......................................................................#
+      # FTD-6-113014
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA authentication server not accessible(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?server(\s)?=(\s)?'
+            - fieldName: target.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?(U|u)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113014)
+      #......................................................................#
+      # FTD-6-113015, 113017
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '(AAA user authentication|AAA credentials)\s(R|r)ejected(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?reason(\s)?=(\s)?'
+            - fieldName: log.reason
+              pattern: '{{.data}}(\s)?\:'
+            - fieldName: log.irrelevant
+              pattern: 'local database(\s)?:(\s)?(U|u)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}})(\s)?:'
+            - fieldName: log.irrelevant
+              pattern: 'user IP(\s)?=(\s)?'
+            - fieldName: target.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.reason
+            - origin.user
+          where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(AAA user authentication|AAA credentials)\s'
+            - fieldName: log.ciscoResult
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
+      #......................................................................#
+      # FTD-6-113016
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AAA credentials rejected(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?reason(\s)?=(\s)?'
+            - fieldName: log.reason
+              pattern: '{{.data}}(\s)?\:'
+            - fieldName: log.irrelevant
+              pattern: 'server(\s)?=(\s)?'
+            - fieldName: target.ip
+              pattern: '{{.data}}(\s)?\:'
+            - fieldName: log.irrelevant
+              pattern: '(U|u)ser(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}})(\s)?:'
+            - fieldName: log.irrelevant
+              pattern: 'user IP(\s)?=(\s)?'
+            - fieldName: origin.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113016)
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.reason
+            - target.ip
+            - origin.user
+          where: equals("log.messageId", 113016)
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'AAA credentials'
+            - fieldName: log.ciscoResult
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 113016)
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 113016)
+      #......................................................................#
+      # FTD-4-113019
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Group(\s)?=(\s)?'
+            - fieldName: origin.group
+              pattern: '{{.data}}(\s)?,'
+            - fieldName: log.irrelevant
+              pattern: '(U|u)sername(\s)?=(\s)?'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}})(\s)?,'
+            - fieldName: log.irrelevant
+              pattern: 'IP(\s)?=(\s)?'
+            - fieldName: origin.ip
+              pattern: '{{.data}},'
+            - fieldName: action
+              pattern: '(\s)?Session disconnected\.'
+            - fieldName: log.irrelevant
+              pattern: '(\s)?Session Type:(\s)?'
+            - fieldName: log.sessionType
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '(\s)?Duration:(\s)?'
+            - fieldName: log.duration
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '(\s)?Bytes xmt:(\s)?'
+            - fieldName: origin.bytesSent
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '(\s)?Bytes rcv:(\s)?'
+            - fieldName: origin.bytesReceived
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '(\s)?Reason:(\s)?'
+            - fieldName: log.reason
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113019)
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+            - log.sessionType
+            - log.duration
+            - origin.bytesSent
+            - origin.bytesReceived
+          where: equals("log.messageId", 113019)
+      - cast:
+          fields:
+            - origin.bytesSent
+            - origin.bytesReceived
+          to: int
+          where: equals("log.messageId", 113019)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 113019)
+      #......................................................................#
+      # FTD-113031,113032,113033
+      # Common fields
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Group(\s)?'
+            - fieldName: origin.group
+              pattern: '{{.data}}\sUser'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|{{.data}})(\s)?IP'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+      - trim:
+          function: suffix
+          substring: 'User'
+          fields:
+            - origin.group
+          where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+      - trim:
+          function: suffix
+          substring: 'IP'
+          fields:
+            - origin.user
+          where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+      # Specific fields
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AnyConnect (vpn-filter|ipv6-vpn-filter|session not allowed)'
+            - fieldName: log.filter
+              pattern: '{{.data}}\sis'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.rest
+          where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'AnyConnect (vpn-filter|ipv6-vpn-filter|session not allowed)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.rest
+          where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+      - trim:
+          function: suffix
+          substring: 'is'
+          fields:
+            - log.filter
+          where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+      #......................................................................#
+      # FTD-113034,113035,113036,113038,113039
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Group(\s)?'
+            - fieldName: origin.group
+              pattern: '(\<)?{{.data}}(\>)?\sUser'
+            - fieldName: origin.user
+              pattern: '(''{{.data}}''|(\<)?{{.data}}(\>)?)(\s)?IP'
+            - fieldName: origin.ip
+              pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'User'
+          fields:
+            - origin.group
+          where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+      - trim:
+          function: suffix
+          substring: 'IP'
+          fields:
+            - origin.user
+          where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+      - trim:
+          function: prefix
+          substring: '<'
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+          where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+      - trim:
+          function: suffix
+          substring: '>'
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+          where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 113039)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 113035) || log.messageId==113038
+      #......................................................................#
+      # FTD-4-113042
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'CoA: Non-HTTP connection from'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'for user'
+            - fieldName: log.remoteUser
+              pattern: '(''{{.data}}''|{{.data}})(\s)?at'
+            - fieldName: log.remoteIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 113042)
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - action
+          where: equals("log.messageId", 113042)
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 113042)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: equals("log.messageId", 113042)
+      - trim:
+          function: suffix
+          substring: 'at'
+          fields:
+            - log.remoteUser
+          where: equals("log.messageId", 113042)
+      #......................................................................#
+      # FTD-2-201003
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Embryonic limit exceeded'
+            - fieldName: log.numCons
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '/(\s)?'
+            - fieldName: log.limit
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'for'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '/(\s)?'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.globalIp
+              pattern: '\({{.data}}\)'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '/(\s)?'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'on interface'
+            - fieldName: log.dstInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 201003)
+      - trim:
+          function: prefix
+          substring: '('
+          fields:
+            - log.globalIp
+          where: equals("log.messageId", 201003)
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.globalIp
+          where: equals("log.messageId", 201003)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 201003)
+      #......................................................................#
+      # FTD-4-209003
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Fragment database limit of'
+            - fieldName: log.limit
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'exceeded:(\s)?src(\s)?=(\s)?'
+            - fieldName: origin.ip
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'dest(\s)?=(\s)?'
+            - fieldName: target.ip
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'proto(\s)?=(\s)?'
+            - fieldName: protocol
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'id(\s)?=(\s)?'
+            - fieldName: log.id
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 209003)
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - origin.ip
+            - target.ip
+            - protocol
+          where: equals("log.messageId", 209003)
+      - cast:
+          fields:
+            - log.limit
+          to: int
+          where: equals("log.messageId", 209003)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 209003)
+      #......................................................................#
+      # FTD-3-316001
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Denied new tunnel'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 316001)
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 316001)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 316001)
+      #......................................................................#
+      # FTD-3-316002
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'VPN Handle error'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?protocol='
+            - fieldName: protocol
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'src\s'
+            - fieldName: log.inIfNum
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: ',(\s)?dst'
+            - fieldName: log.outIfNum
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?'
+            - fieldName: target.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 316002)
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - protocol
+          where: equals("log.messageId", 316002)
+      - cast:
+          fields:
+            - log.inIfNum
+            - log.outIfNum
+          to: int
+          where: equals("log.messageId", 316002)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 316002)
+      #......................................................................#
+      # FTD-6-302003,302004
+      # First variant
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '(Built H245 connection|Pre-allocate H323 UDP backconnection)'
+            - fieldName: log.irrelevant
+              pattern: 'for'
+            - fieldName: log.foreignAddress
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.tmpToip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+            - fieldName: log.irrelevant
+              pattern: '(to\s)?'
+            - fieldName: log.localAddress
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.tmpFromip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+          source: log.msg
+          where: equals("log.messageId", 302003) || log.messageId==302004
+      # Second variant
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '(Built H245 connection|Pre-allocate H323 UDP backconnection)'
+            - fieldName: log.irrelevant
+              pattern: 'for'
+            - fieldName: log.foreignAddress
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.tmpToip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+            - fieldName: log.localAddress
+              pattern: '({{.ipv4}}|{{.ipv6}})'
+            - fieldName: log.tmpFromip
+              pattern: '({{.ipv4}}|{{.ipv6}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+          source: log.msg
+          where: equals("log.messageId", 302003) || log.messageId==302004
+      # Parsing from/to ip and port
+      - grok:
+          patterns:
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: target.port
+              pattern: '{{.greedy}}'
+          source: log.tmpToip
+          where: equals("log.messageId", 302003) || log.messageId==302004
+      - grok:
+          patterns:
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.tmpToip
+          where: equals("log.messageId", 302003) || log.messageId==302004
+      - grok:
+          patterns:
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: origin.port
+              pattern: '{{.greedy}}'
+          source: log.tmpFromip
+          where: equals("log.messageId", 302003) || log.messageId==302004
+      - grok:
+          patterns:
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.tmpFromip
+          where: equals("log.messageId", 302003) || log.messageId==302004
+      - trim:
+          function: prefix
+          substring: '/'
+          fields:
+            - origin.port
+            - target.port
+          where: equals("log.messageId", 302003) || log.messageId==302004
+      # Removing temp fields
+      - delete:
+          fields:
+            - log.tmpFromip
+            - log.tmpToip
+          where: equals("log.messageId", 302003) || log.messageId==302004
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 302003) || log.messageId==302004
+      #......................................................................#
+      # FTD-6-302012
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Pre-allocate H225 Call Signalling Connection'
+            - fieldName: log.irrelevant
+              pattern: 'for faddr'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: origin.port
+              pattern: '/(\s)?{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to laddr'
+            - fieldName: target.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 302012)
+      - trim:
+          function: prefix
+          substring: '/'
+          fields:
+            - origin.port
+          where: equals("log.messageId", 302012)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 302012)
+      #......................................................................#
+      # FTD-6-302013
+      - grok:
+          patterns:
+            - fieldName: log.tmpDirection
+              pattern: 'Built\s{{.word}}\s(Probe)?'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpFrom
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortFrom
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpTo
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortTo
+              pattern: '{{.integer}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 302013)
+      # Parsing direction field
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: log.direction
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpDirection
+          where: equals("log.messageId", 302013)
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: equals("log.messageId", 302013)
+      # Parsing firewall user to, and AAA name of the user if exists
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: equals("log.messageId", 302013)
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: equals("log.messageId", 302013)
+
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - origin.user
+          where: equals("log.messageId", 302013)
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpDirection
+            - log.tmpFwUserFrom
+          where: equals("log.messageId", 302013)
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 302013)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+            - log.mappedIpFrom
+            - log.mappedIpTo
+          where: equals("log.messageId", 302013)
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.connectionId
+          where: equals("log.messageId", 302013)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 302013)
+      #......................................................................#
+      # FTD-6-302014
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Teardown\s(Probe)?'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserTo
+              pattern: '({{.data}})?duration'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+            - fieldName: log.irrelevant
+              pattern: 'bytes'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 302014)
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: equals("log.messageId", 302014)
+      # Parsing firewall user to
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserTo
+          where: equals("log.messageId", 302014)
+      # Parsing AAA user if exists
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: equals("log.messageId", 302014)
+
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - origin.user
+          where: equals("log.messageId", 302014)
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpFwUserTo
+          where: equals("log.messageId", 302014)
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 302014)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: equals("log.messageId", 302014)
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.connectionId
+          where: equals("log.messageId", 302014)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 302014)
+      #......................................................................#
+      # FTD-6-302015
+      - grok:
+          patterns:
+            - fieldName: log.tmpDirection
+              pattern: 'Built\s{{.word}}'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpFrom
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortFrom
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpTo
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortTo
+              pattern: '{{.integer}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 302015)
+      # Parsing direction field
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: log.direction
+              pattern: '{{.greedy}}'
+          source: log.tmpDirection
+          where: equals("log.messageId", 302015)
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: equals("log.messageId", 302015)
+      # Parsing firewall user to, and AAA name of the user if exists
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: equals("log.messageId", 302015)
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: equals("log.messageId", 302015)
+
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - origin.user
+          where: equals("log.messageId", 302015)
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpDirection
+            - log.tmpFwUserFrom
+          where: equals("log.messageId", 302015)
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 302015)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+            - log.mappedIpFrom
+            - log.mappedIpTo
+          where: equals("log.messageId", 302015)
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.connectionId
+          where: equals("log.messageId", 302015)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 302015)
+      #......................................................................#
+      # FTD-6-302016
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Teardown'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserTo
+              pattern: '({{.data}})?duration'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 302016)
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: equals("log.messageId", 302016)
+      # Parsing firewall user to
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserTo
+          where: equals("log.messageId", 302016)
+      # Parsing firewall user to, and AAA name of the user if exists
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'bytes'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+          source: log.rest
+          where: equals("log.messageId", 302016)
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'bytes'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: equals("log.messageId", 302016)
+
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - origin.user
+          where: equals("log.messageId", 302016)
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpFwUserTo
+          where: equals("log.messageId", 302016)
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 302016)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: equals("log.messageId", 302016)
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.connectionId
+          where: equals("log.messageId", 302016)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 302016)
+      #......................................................................#
+      # FTD-6-302017
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: log.direction
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'GRE connection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})from'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.translatedIpFrom
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.realCid
+              pattern: '{{.data}}\('
+            - fieldName: log.translatedIpTo
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 302017)
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: equals("log.messageId", 302017)
+      # Parsing translatedCid and, firewall user to and AAA user if present
+      - grok:
+          patterns:
+            - fieldName: log.translatedCid
+              pattern: '{{.data}}\)'
+            - fieldName: log.tmpUserInfo
+              pattern: '{{.greedy}}'
+          source: log.rest
+          where: equals("log.messageId", 302017)
+      - grok:
+          patterns:
+            - fieldName: log.translatedCid
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: equals("log.messageId", 302017)
+      # FW user and AAA user
+      - grok:
+          patterns:
+            - fieldName: log.tmpFwUserTo
+              pattern: '\({{.data}}\)'
+            - fieldName: target.user
+              pattern: '\({{.data}}\)'
+          source: log.tmpUserInfo
+          where: equals("log.messageId", 302017)
+      - grok:
+          patterns:
+            - fieldName: log.tmpFwUserTo
+              pattern: '\({{.data}}\)'
+          source: log.tmpUserInfo
+          where: equals("log.messageId", 302017)
+      # Parsing firewall user to
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserTo
+          where: equals("log.messageId", 302017)
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - target.user
+            - log.translatedCid
+          where: equals("log.messageId", 302017)
+      - trim:
+          function: suffix
+          substring: '('
+          fields:
+            - log.realCid
+            - target.user
+          where: equals("log.messageId", 302017)
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpDirection
+            - log.tmpFwUserFrom
+            - log.tmpFwUserTo
+            - log.tmpUserInfo
+          where: equals("log.messageId", 302017)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 302017)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - target.ip
+            - log.translatedIpTo
+          where: equals("log.messageId", 302017)
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - log.connectionId
+          where: equals("log.messageId", 302017)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 302017)
+      #......................................................................#
+      # FTD-6-302018
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Teardown GRE connection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})from'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.translatedIpFrom
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.realCid
+              pattern: '{{.data}}\('
+            - fieldName: log.translatedIpTo
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.translatedCid
+              pattern: '{{.data}}\)'
+            - fieldName: log.tmpFwUserTo
+              pattern: '({{.data}})?duration'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 302018)
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: equals("log.messageId", 302018)
+      # Parsing firewall user to
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserTo
+          where: equals("log.messageId", 302018)
+      # Parsing firewall user to, and AAA name of the user if exists
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'bytes'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+          source: log.rest
+          where: equals("log.messageId", 302018)
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'bytes'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+          source: log.rest
+          where: equals("log.messageId", 302018)
+
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - origin.user
+            - log.translatedCid
+          where: equals("log.messageId", 302018)
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpFwUserTo
+          where: equals("log.messageId", 302018)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '('
+          fields:
+            - log.realCid
+          where: equals("log.messageId", 302018)
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 302018)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - target.ip
+            - log.translatedIpTo
+          where: equals("log.messageId", 302018)
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - log.connectionId
+          where: equals("log.messageId", 302018)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 302018)
+      #......................................................................#
+      # FTD-6-302020, 302021
+      # 302020
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: log.direction
+              pattern: '{{.word}}'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection for faddr'
+            - fieldName: log.tmpFaddrAndFwUser
+              pattern: '({{.data}})gaddr'
+            - fieldName: log.tmpGaddrAndFwUser
+              pattern: '({{.data}})laddr'
+            - fieldName: log.tmpLaddrAndFwUser
+              pattern: '({{.data}})type'
+            - fieldName: log.icmpType
+              pattern: '({{.data}})code'
+            - fieldName: log.icmpCode
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 302020)
+      # 302021
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Teardown'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection for faddr'
+            - fieldName: log.tmpFaddrAndFwUser
+              pattern: '({{.data}})gaddr'
+            - fieldName: log.tmpGaddrAndFwUser
+              pattern: '({{.data}})laddr'
+            - fieldName: log.tmpLaddrAndFwUser
+              pattern: '({{.data}})type'
+            - fieldName: log.icmpType
+              pattern: '({{.data}})code'
+            - fieldName: log.icmpCode
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 302021)
+      # Common parsing for 302020 and 302021
+      # For parsing faddr and fwuser from (Begin with ip/port), or icmpSeqNum
+      - grok:
+          patterns:
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '{{.greedy}}'
+          source: log.tmpFaddrAndFwUser
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      - grok:
+          patterns:
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '{{.greedy}}'
+          source: log.tmpFaddrAndFwUser
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      # icmpSeqNum variants
+      - grok:
+          patterns:
+            - fieldName: log.icmpSeqNum
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '\({{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'gaddr'
+          source: log.tmpFaddrAndFwUser
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      - grok:
+          patterns:
+            - fieldName: log.icmpSeqNum
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: 'gaddr'
+          source: log.tmpFaddrAndFwUser
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      # Cleaning icmpSeqNum
+      - trim:
+          function: suffix
+          substring: 'gaddr'
+          fields:
+            - log.icmpSeqNum
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      # Continue with firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      # For parsing gaddr and global fwuser (Begin with ip/port), or icmpType
+      - grok:
+          patterns:
+            - fieldName: log.globalIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.globalPort
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserGlobal
+              pattern: '{{.greedy}}'
+          source: log.tmpGaddrAndFwUser
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      - grok:
+          patterns:
+            - fieldName: log.globalIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.tmpFwUserGlobal
+              pattern: '{{.greedy}}'
+          source: log.tmpGaddrAndFwUser
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      # icmpType variants
+      - grok:
+          patterns:
+            - fieldName: log.icmpType
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserGlobal
+              pattern: '\({{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'laddr'
+          source: log.tmpGaddrAndFwUser
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      - grok:
+          patterns:
+            - fieldName: log.icmpType
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserGlobal
+              pattern: 'laddr'
+          source: log.tmpGaddrAndFwUser
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      # Cleaning icmpType
+      - trim:
+          function: suffix
+          substring: 'laddr'
+          fields:
+            - log.icmpType
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      - trim:
+          function: suffix
+          substring: 'code'
+          fields:
+            - log.icmpType
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      # Continue with global firewall
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.globalFirewallUser
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserGlobal
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      # For parsing laddr and fwuser to (Begin with ip/port)
+      - grok:
+          patterns:
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserTo
+              pattern: '{{.greedy}}'
+          source: log.tmpLaddrAndFwUser
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      - grok:
+          patterns:
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.tmpFwUserTo
+              pattern: '{{.greedy}}'
+          source: log.tmpLaddrAndFwUser
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      # Continue with firewall user to
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserTo
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserTo
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - target.ip
+            - origin.ip
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.firewallUserTo
+            - log.globalFirewallUser
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpFwUserTo
+            - log.tmpFwUserGlobal
+            - log.tmpFaddrAndFwUser
+            - log.tmpGaddrAndFwUser
+            - log.tmpLaddrAndFwUser
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 302020) || log.messageId==302021
+      #......................................................................#
+      # FTD-6-302022, 302024, 302026
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: log.role
+              pattern: '({{.data}})stub'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpMappedIpPortFrom
+              pattern: '\({{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpMappedIpPortTo
+              pattern: '\({{.data}}\)'
+          source: log.msg
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
+      # Parsing mapped ip,port from tmp fields
+      # With port
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpFrom
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortFrom
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+          source: log.tmpMappedIpPortFrom
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
+      # Without port
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpFrom
+              pattern: '{{.data}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+          source: log.tmpMappedIpPortFrom
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
+      # Parsing mapped ip,port to, from tmp fields
+      # With port
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpTo
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortTo
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+          source: log.tmpMappedIpPortTo
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
+      # Without port
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpTo
+              pattern: '{{.data}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+          source: log.tmpMappedIpPortTo
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'stub'
+          fields:
+            - log.role
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+            - log.mappedIpFrom
+            - log.mappedIpTo
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpMappedIpPortFrom
+            - log.tmpMappedIpPortTo
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026
+      #......................................................................#
+      # FTD-6-302023, 302025, 302027
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Teardown stub'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'connection for'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'duration'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+            - fieldName: log.irrelevant
+              pattern: 'bytes'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.reason
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027
+      #......................................................................#
+      # FTD-302033,302034
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '(Pre-allocated|Unable to pre-allocate) H323 GUP Connection'
+            - fieldName: log.irrelevant
+              pattern: 'for faddr'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.tmpPortFrom
+              pattern: '{{.data}}to laddr'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: log.tmpIpPortTo
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 302033) || log.messageId==302034
+      # Parsing optional ports from y to
+      - grok:
+          patterns:
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpPortFrom
+          where: equals("log.messageId", 302033) || log.messageId==302034
+      - grok:
+          patterns:
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.greedy}}'
+          source: log.tmpIpPortTo
+          where: equals("log.messageId", 302033) || log.messageId==302034
+      - grok:
+          patterns:
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+          source: log.tmpIpPortTo
+          where: equals("log.messageId", 302033) || log.messageId==302034
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 302033) || log.messageId==302034
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: equals("log.messageId", 302033) || log.messageId==302034
+      # Remove tmp fields
+      - delete:
+          fields:
+            - log.tmpPortFrom
+            - log.tmpIpPortTo
+          where: equals("log.messageId", 302033) || log.messageId==302034
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 302033)
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 302034)
+      #......................................................................#
+      # FTD-6-302303
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Built\s{{.word}}\sstate-bypass\sconnection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})from'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpFrom
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortFrom
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.mappedIpTo
+              pattern: '{{.data}}/'
+            - fieldName: log.mappedPortTo
+              pattern: '{{.integer}}'
+            - fieldName: log.rest
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 302303)
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 302303)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 302303)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+            - log.mappedIpFrom
+            - log.mappedIpTo
+          where: equals("log.messageId", 302303)
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - log.connectionId
+          where: equals("log.messageId", 302303)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 302303)
+      #......................................................................#
+      # FTD-6-302304
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Teardown\s{{.word}}\sstate-bypass\sconnection'
+            - fieldName: log.connectionId
+              pattern: '({{.data}})from'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+            - fieldName: log.irrelevant
+              pattern: ','
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: ','
+            - fieldName: log.reason
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 302304)
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Built'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 302304)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 302304)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: equals("log.messageId", 302304)
+      - trim:
+          function: suffix
+          substring: 'from'
+          fields:
+            - log.connectionId
+          where: equals("log.messageId", 302304)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 302304)
+      #......................................................................#
+      # FTD-6-305009
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Built (dynamic|static) translation'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: log.tmpAclSrcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: log.mappedIpTo
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 305009)
+      # Parsing srcInterface
+      # With ACL
+      - grok:
+          patterns:
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}\('
+            - fieldName: log.accessList
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpAclSrcInterface
+          where: equals("log.messageId", 305009)
+      # Without ACL
+      - grok:
+          patterns:
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}:'
+          source: log.tmpAclSrcInterface
+          where: equals("log.messageId", 305009)
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: equals("log.messageId", 305009)
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpAclSrcInterface
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.accessList
+          where: equals("log.messageId", 305009)
+      - trim:
+          function: suffix
+          substring: '('
+          fields:
+            - log.srcInterface
+          where: equals("log.messageId", 305009)
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 305009)
+      #......................................................................#
+      # FTD-6-305010
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Teardown (dynamic|static) translation'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'duration'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+          source: log.msg
+          where: equals("log.messageId", 305010)
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: equals("log.messageId", 305010)
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+          where: equals("log.messageId", 305010)
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 305010)
+      #......................................................................#
+      # FTD-6-305011
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Built\s(dynamic|static)\s(TCP|UDP|ICMP)\stranslation'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+          source: log.msg
+          where: equals("log.messageId", 305011)
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: equals("log.messageId", 305011)
+      # Parsing protocol
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Built\s(dynamic|static)'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 305011)
+
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+          where: equals("log.messageId", 305011)
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+          where: equals("log.messageId", 305011)
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 305011)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: equals("log.messageId", 305011)
+      #......................................................................#
+      # FTD-6-305012
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Teardown\s(dynamic|static)\s(TCP|UDP|ICMP)\stranslation'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: log.tmpAclSrcInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.tmpFwUserFrom
+              pattern: '({{.data}})?to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'duration'
+            - fieldName: log.duration
+              pattern: '{{.time}}'
+          source: log.msg
+          where: equals("log.messageId", 305012)
+      # Parsing firewall user from
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.firewallUserFrom
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpFwUserFrom
+          where: equals("log.messageId", 305012)
+      # Parsing protocol
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Teardown\s(dynamic|static)'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 305012)
+      # Parsing srcInterface
+      # With ACL
+      - grok:
+          patterns:
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}\('
+            - fieldName: log.accessList
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.tmpAclSrcInterface
+          where: equals("log.messageId", 305012)
+      # Without ACL
+      - grok:
+          patterns:
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}:'
+          source: log.tmpAclSrcInterface
+          where: equals("log.messageId", 305012)
+      # Parsing srcInterface from himself to avoid parsing issues
+      - grok:
+          patterns:
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}\('
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.srcInterface
+          where: equals("log.messageId", 305012)
+
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.firewallUserFrom
+            - log.accessList
+          where: equals("log.messageId", 305012)
+      # Removing tmp fields
+      - delete:
+          fields:
+            - log.tmpFwUserFrom
+            - log.tmpAclSrcInterface
+          where: equals("log.messageId", 305012)
+
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.srcInterface
+            - log.dstInterface
+          where: equals("log.messageId", 305012)
+      - trim:
+          function: suffix
+          substring: '('
+          fields:
+            - log.srcInterface
+          where: equals("log.messageId", 305012)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: equals("log.messageId", 305012)
+      #......................................................................#
+      # FTD-3-322001
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '{{.word}}\sMAC\saddress'
+            - fieldName: log.localMac
+              pattern: '{{.data}}(\s)?,'
+            - fieldName: log.reason
+              pattern: '{{.data}}on'
+            - fieldName: log.irrelevant
+              pattern: 'interface'
+            - fieldName: log.srcInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 322001)
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 322001)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.localMac
+          where: equals("log.messageId", 322001)
+      - trim:
+          function: suffix
+          substring: 'on'
+          fields:
+            - log.reason
+          where: equals("log.messageId", 322001)
+      #......................................................................#
+      # FTD-3-322002
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '{{.word}}\sinspection\scheck'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'for\sarp'
+            - fieldName: log.httpMessageType
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'received\sfrom\shost'
+            - fieldName: origin.mac
+              pattern: '{{.data}}on'
+            - fieldName: log.irrelevant
+              pattern: 'interface'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}\.'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}Address'
+            - fieldName: log.fakeSrcMac
+              pattern: '{{.data}}for'
+            - fieldName: log.irrelevant
+              pattern: 'IP\sAddress'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}Address'
+            - fieldName: log.boudSrcMac
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 322002)
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'inspection check'
+          source: action
+          where: equals("log.messageId", 322002)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'on'
+          fields:
+            - origin.mac
+          where: equals("log.messageId", 322002)
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.fakeSrcMac
+          where: equals("log.messageId", 322002)
+      - trim:
+          function: suffix
+          substring: '.'
+          fields:
+            - log.srcInterface
+          where: equals("log.messageId", 322002)
+      #......................................................................#
+      # FTD-3-322003
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '{{.word}}\sinspection\scheck'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'for\sarp'
+            - fieldName: log.httpMessageType
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'received\sfrom\shost'
+            - fieldName: origin.mac
+              pattern: '{{.data}}on'
+            - fieldName: log.irrelevant
+              pattern: 'interface'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}\.'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}Address'
+            - fieldName: log.fakeSrcMac
+              pattern: '{{.data}}for'
+            - fieldName: log.irrelevant
+              pattern: 'IP\sAddress'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 322003)
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'inspection check'
+          source: action
+          where: equals("log.messageId", 322003)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'on'
+          fields:
+            - origin.mac
+          where: equals("log.messageId", 322003)
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.fakeSrcMac
+          where: equals("log.messageId", 322003)
+      - trim:
+          function: suffix
+          substring: '.'
+          fields:
+            - log.srcInterface
+          where: equals("log.messageId", 322003)
+      #......................................................................#
+      # FTD-4-402114
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'IPSEC\:(\s)?'
+            - fieldName: action
+              pattern: 'Received\s(an|a)\s{{.word}}\spacket'
+            - fieldName: log.irrelevant
+              pattern: '\({{.data}}='
+            - fieldName: log.spi
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}='
+            - fieldName: log.seqNum
+              pattern: '{{.integer}}(\s)?\)'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 402114)
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Received\s(an|a)'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 402114)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.spi
+          where: equals("log.messageId", 402114)
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.seqNum
+          where: equals("log.messageId", 402114)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 402114)
+      #......................................................................#
+      # FTD-4-402115
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'IPSEC\:(\s)?'
+            - fieldName: action
+              pattern: 'Received\sa\spacket'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'containing'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'data instead of'
+            - fieldName: log.expectedProtocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 402115)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 402115)
+      #......................................................................#
+      # FTD-4-402116
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'IPSEC\:(\s)?'
+            - fieldName: action
+              pattern: 'Received\s(an|a)\s{{.word}}\spacket'
+            - fieldName: log.irrelevant
+              pattern: '\({{.data}}='
+            - fieldName: log.spi
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}='
+            - fieldName: log.seqNum
+              pattern: '{{.integer}}(\s)?\)'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}as'
+            - fieldName: log.decapsulatedPktDestAddr
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}as'
+            - fieldName: log.decapsulatedPktSrcAddr
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}as'
+            - fieldName: log.decapsulatedPktProto
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}as'
+            - fieldName: log.localProxyIpAddr
+              pattern: '{{.data}}/'
+            - fieldName: log.localProxyIpMask
+              pattern: '{{.data}}/'
+            - fieldName: log.localProxyProto
+              pattern: '{{.data}}/'
+            - fieldName: log.localProxyPort
+              pattern: '{{.data}}and'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}as'
+            - fieldName: log.remoteProxyIpAddr
+              pattern: '{{.data}}/'
+            - fieldName: log.remoteProxyIpMask
+              pattern: '{{.data}}/'
+            - fieldName: log.remoteProxyProto
+              pattern: '{{.data}}/'
+            - fieldName: log.remoteProxyPort
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 402116)
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Received\s(an|a)'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 402116)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.spi
+          where: equals("log.messageId", 402116)
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.seqNum
+            - origin.user
+          where: equals("log.messageId", 402116)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - log.localProxyIpAddr
+            - log.localProxyIpMask
+            - log.localProxyProto
+            - log.remoteProxyIpAddr
+            - log.remoteProxyIpMask
+            - log.remoteProxyPort
+            - log.remoteProxyProto
+          where: equals("log.messageId", 402116)
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.seqNum
+            - origin.user
+          where: equals("log.messageId", 402116)
+      - trim:
+          function: suffix
+          substring: 'and'
+          fields:
+            - log.localProxyPort
+          where: equals("log.messageId", 402116)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 402116)
+      #......................................................................#
+      # FTD-4-402117
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'IPSEC\:(\s)?'
+            - fieldName: action
+              pattern: 'Received a non-IPsec \((\s)?{{.word}}(\s)?\) packet'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 402117)
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Received a non-IPsec \('
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 402117)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 402117)
+      #......................................................................#
+      # FTD-4-402118
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'IPSEC\:(\s)?'
+            - fieldName: action
+              pattern: 'Received\s(an|a)\s{{.word}}\spacket'
+            - fieldName: log.irrelevant
+              pattern: '\({{.data}}='
+            - fieldName: log.spi
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}='
+            - fieldName: log.seqNum
+              pattern: '{{.integer}}(\s)?\)'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}length'
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'with offset'
+            - fieldName: log.fragmentOffset
+              pattern: '{{.integer}}'
+          source: log.msg
+          where: equals("log.messageId", 402118)
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Received\s(an|a)'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 402118)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.seqNum
+            - origin.user
+          where: equals("log.messageId", 402118)
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.spi
+          where: equals("log.messageId", 402118)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 402118)
+      #......................................................................#
+      # FTD-4-402119, 402120
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'IPSEC\:(\s)?'
+            - fieldName: action
+              pattern: 'Received\s(an|a)\s{{.word}}\spacket'
+            - fieldName: log.irrelevant
+              pattern: '\({{.data}}='
+            - fieldName: log.spi
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}='
+            - fieldName: log.seqNum
+              pattern: '{{.integer}}(\s)?\)'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: origin.user
+              pattern: '{{.data}}\)'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 402119) || log.messageId==402120
+      # Protocol
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Received\s(an|a)'
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 402119) || log.messageId==402120
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ')'
+          fields:
+            - log.seqNum
+            - origin.user
+          where: equals("log.messageId", 402119) || log.messageId==402120
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.spi
+          where: equals("log.messageId", 402119) || log.messageId==402120
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 402119) || log.messageId==402120
+      #......................................................................#
+      # FTD-5-402128
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'CRYPTO\:(\s)?'
+            - fieldName: action
+              pattern: 'An attempt to allocate a large memory block'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\:'
+            - fieldName: log.memorySize
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\:'
+            - fieldName: log.memoryLimit
+              pattern: '{{.integer}}'
+          source: log.msg
+          where: equals("log.messageId", 402128)
+      #......................................................................#
+      # FTD-4-405001
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Received ARP (request|response) collision'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.mac
+              pattern: '{{.data}}on'
+            - fieldName: log.irrelevant
+              pattern: 'interface'
+            - fieldName: log.srcInterface
+              pattern: '{{.data}}with'
+            - fieldName: log.irrelevant
+              pattern: 'existing ARP entry'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.mac
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 405001)
+      # Adding protocol
+      - add:
+          function: 'string'
+          params:
+            key: protocol
+            value: 'ARP'
+          where: equals("log.messageId", 405001)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: equals("log.messageId", 405001)
+      - trim:
+          function: suffix
+          substring: 'on'
+          fields:
+            - origin.mac
+          where: equals("log.messageId", 405001)
+      - trim:
+          function: suffix
+          substring: 'with'
+          fields:
+            - log.srcInterface
+          where: equals("log.messageId", 405001)
+      #......................................................................#
+      # FTD-4-405002
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Received mac mismatch collision'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.mac
+              pattern: '{{.data}}for'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 405002)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - origin.mac
+          where: equals("log.messageId", 405002)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+          where: equals("log.messageId", 405002)
+      #......................................................................#
+      # FTD-4-406001
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'FTP port command low port(\s)?\:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+            - fieldName: log.irrelevant
+              pattern: 'on interface'
+            - fieldName: log.srcInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 406001)
+      # Adding protocol
+      - add:
+          function: 'string'
+          params:
+            key: protocol
+            value: 'FTP'
+          where: equals("log.messageId", 406001)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - action
+          where: equals("log.messageId", 406001)
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+          where: equals("log.messageId", 406001)
+      #......................................................................#
+      # FTD-4-406002
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'FTP port command different address(\s)?\:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: log.connectionIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '(\s)?\)'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'on interface'
+            - fieldName: log.srcInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 406002)
+      # Adding protocol
+      - add:
+          function: 'string'
+          params:
+            key: protocol
+            value: 'FTP'
+          where: equals("log.messageId", 406002)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - action
+          where: equals("log.messageId", 406002)
+      #......................................................................#
+      # FTD-4-407002
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Embryonic limit {{.data}} for through connections exceeded'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\.'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.globalIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+            - fieldName: log.irrelevant
+              pattern: '\('
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '(\s)?\)(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'on interface'
+            - fieldName: log.srcInterface
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 407002)
+      # Connection number and connection limit
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Embryonic limit'
+            - fieldName: log.numCons
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '/'
+            - fieldName: log.limit
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 407002)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: equals("log.messageId", 407002)
+      #......................................................................#
+      # FTD-6-605004
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Login\s{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}\:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.service
+              pattern: '{{.data}}for'
+            - fieldName: log.irrelevant
+              pattern: 'user'
+            - fieldName: origin.user
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 605004)
+      # Action result
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Login'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+          source: action
+          where: equals("log.messageId", 605004)
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 605004)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: equals("log.messageId", 605004)
+      - trim:
+          function: suffix
+          substring: 'for'
+          fields:
+            - log.service
+          where: equals("log.messageId", 605004)
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.dstInterface
+          where: equals("log.messageId", 605004)
+      - trim:
+          function: prefix
+          substring: '"'
+          fields:
+            - origin.user
+          where: equals("log.messageId", 605004)
+      - trim:
+          function: suffix
+          substring: '"'
+          fields:
+            - origin.user
+          where: equals("log.messageId", 605004)
+      #......................................................................#
+      # FTD-2-106018
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'ICMP packet'
+            - fieldName: log.irrelevant
+              pattern: 'type'
+            - fieldName: log.icmpType
+              pattern: '{{.data}}\s'
+            - fieldName: log.ciscoResult
+              pattern: 'denied'
+            - fieldName: log.irrelevant
+              pattern: 'by'
+            - fieldName: log.direction
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'list'
+            - fieldName: log.accessList
+              pattern: '{{.data}}src'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'dest'
+            - fieldName: target.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 106018)
+      # Adding protocol
+      - add:
+          function: 'string'
+          params:
+            key: protocol
+            value: 'ICMP'
+          where: equals("log.messageId", 106018)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'src'
+          fields:
+            - log.accessList
+          where: equals("log.messageId", 106018)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 106018)
+      #......................................................................#
+      # FTD-2-106020
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Deny IP teardrop fragment'
+            - fieldName: log.irrelevant
+              pattern: '\((\s)?size(\s)?='
+            - fieldName: origin.bytesSent
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: ',(\s)?offset(\s)?='
+            - fieldName: log.fragmentOffset
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '\)(\s)?from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: target.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 106020)
+      # Adding log.ciscoResult
+      - add:
+          function: 'string'
+          params:
+            key: log.ciscoResult
+            value: 'Denied'
+          where: equals("log.messageId", 106020)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 106020)
+      #......................................................................#
+      # FTD-6-611301
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:'
+            - fieldName: action
+              pattern: 'NAT configured for Client Mode with no split tunneling'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}ress\:'
+            - fieldName: log.mappedIp
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 611301)
+      # Adding protocol
+      - add:
+          function: 'string'
+          params:
+            key: protocol
+            value: 'NAT'
+          where: equals("log.messageId", 611301)
+      #......................................................................#
+      # FTD-6-611303
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:'
+            - fieldName: action
+              pattern: 'NAT configured for Client Mode with split tunneling'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}ress\:'
+            - fieldName: log.mappedIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}works\:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.netmaskFrom
+              pattern: '{{.data}}\s'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.netmaskTo
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 611303)
+      # Adding protocol
+      - add:
+          function: 'string'
+          params:
+            key: protocol
+            value: 'NAT'
+          where: equals("log.messageId", 611303)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: equals("log.messageId", 611303)
+      #......................................................................#
+      # FTD-6-611304
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:'
+            - fieldName: action
+              pattern: 'NAT exemption configured for Network Extension Mode with split tunneling'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}works\:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.netmaskFrom
+              pattern: '{{.data}}\s'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: log.netmaskTo
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 611304)
+      # Adding protocol
+      - add:
+          function: 'string'
+          params:
+            key: protocol
+            value: 'NAT'
+          where: equals("log.messageId", 611304)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: equals("log.messageId", 611304)
+      #......................................................................#
+      # FTD-6-611307
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:(\s)?Head end\:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.msg
+          where: equals("log.messageId", 611307)
+      # Adding action and log.ciscoResult
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'The VPN client is connected to the specified headend'
+          where: equals("log.messageId", 611307)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 611307)
+      #......................................................................#
+      # FTD-6-611309
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:'
+            - fieldName: action
+              pattern: 'Disconnecting from head end and uninstalling previously downloaded policy'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}End\:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.msg
+          where: equals("log.messageId", 611309)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 611309)
+      #......................................................................#
+      # FTD-6-611310,611311
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:'
+            - fieldName: action
+              pattern: 'XAUTH'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '\:(\s)?Peer(\s)?\:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.msg
+          where: equals("log.messageId", 611310) || log.messageId==611311
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 611310)
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 611311)
+      #......................................................................#
+      # FTD-6-611314
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:(\s)?Load Balancing Cluster with Virtual IP\:(\s)?'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}server'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.msg
+          where: equals("log.messageId", 611314)
+      # Adding action
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'Load Balancing Cluster redirected the Secure Firewall'
+          where: equals("log.messageId", 611314)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 611314)
+      #......................................................................#
+      # FTD-6-611315
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:(\s)?Disconnecting from Load Balancing Cluster member(\:)?(\s)?'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.msg
+          where: equals("log.messageId", 611315)
+      # Adding action
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'Disconnecting from Load Balancing Cluster'
+          where: equals("log.messageId", 611315)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 611315)
+      #......................................................................#
+      # FTD-6-611318
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient\:'
+            - fieldName: action
+              pattern: 'User Authentication Enabled'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}IP(\s)?\:'
+            - fieldName: log.authServerIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}Port(\s)?\:'
+            - fieldName: log.authServerPort
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}out(\s)?\:'
+            - fieldName: log.timeOut
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 611318)
+      #......................................................................#
+      # FTD-3-710003
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '(TCP|UDP) access denied by ACL'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'to'
+            - fieldName: log.dstInterface
+              pattern: '{{.data}}(\s)?:'
+            - fieldName: target.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+            - fieldName: target.port
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 710003)
+      # Protocol and log.ciscoResult
+      - grok:
+          patterns:
+            - fieldName: protocol
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.word}}'
+            - fieldName: log.ciscoResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 710003)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - origin.ip
+            - target.ip
+          where: equals("log.messageId", 710003)
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.dstInterface
+          where: equals("log.messageId", 710003)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 710003)
+      #......................................................................#
+      # FTD-5-713252,713253
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Group(\s)?='
+            - fieldName: origin.group
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'Username(\s)?='
+            - fieldName: origin.user
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'IP(\s)?='
+            - fieldName: origin.ip
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}available(\.)?'
+            - fieldName: action
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 713252) || equals("log.messageId", 713253)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+          where: equals("log.messageId", 713252) || equals("log.messageId", 713253)
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.user
+          where: equals("log.messageId", 713252) || equals("log.messageId", 713253)
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.user
+          where: equals("log.messageId", 713252) || equals("log.messageId", 713253)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 713252)
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 713253)
+      #......................................................................#
+      # FTD-6-716001,716002,716003
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Group(\s)?'
+            - fieldName: origin.group
+              pattern: '{{.data}}User'
+            - fieldName: origin.user
+              pattern: '{{.data}}IP'
+            - fieldName: origin.ip
+              pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?'
+            - fieldName: action
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'User'
+          fields:
+            - origin.group
+          where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003
+      - trim:
+          function: suffix
+          substring: 'IP'
+          fields:
+            - origin.user
+          where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003
+      - trim:
+          function: prefix
+          substring: '<'
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+          where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003
+      - trim:
+          function: suffix
+          substring: '>'
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+          where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.user
+          where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.user
+          where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 716001) || log.messageId==716002
+      #......................................................................#
+      # FTD-6-716004,716005,716006,716007,716009
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Group(\s)?'
+            - fieldName: origin.group
+              pattern: '{{.data}}User'
+            - fieldName: origin.user
+              pattern: '{{.data}}\s'
+            - fieldName: action
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'User'
+          fields:
+            - origin.group
+          where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+      - trim:
+          function: prefix
+          substring: '<'
+          fields:
+            - origin.group
+            - origin.user
+          where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+      - trim:
+          function: suffix
+          substring: '>'
+          fields:
+            - origin.group
+            - origin.user
+          where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.user
+          where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.user
+          where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 716004) || log.messageId==716007 || log.messageId==716009
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 716006)
+      #......................................................................#
+      # FTD-6-716038
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Group(\s)?'
+            - fieldName: origin.group
+              pattern: '{{.data}}User'
+            - fieldName: origin.user
+              pattern: '{{.data}}IP'
+            - fieldName: origin.ip
+              pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?'
+            - fieldName: action
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 716038)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 716038)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'User'
+          fields:
+            - origin.group
+          where: equals("log.messageId", 716038)
+      - trim:
+          function: suffix
+          substring: 'IP'
+          fields:
+            - origin.user
+          where: equals("log.messageId", 716038)
+      - trim:
+          function: prefix
+          substring: '<'
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+          where: equals("log.messageId", 716038)
+      - trim:
+          function: suffix
+          substring: '>'
+          fields:
+            - origin.group
+            - origin.user
+            - origin.ip
+          where: equals("log.messageId", 716038)
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.user
+          where: equals("log.messageId", 716038)
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.user
+          where: equals("log.messageId", 716038)
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - action
+          where: equals("log.messageId", 716038)
+      #......................................................................#
+      # FTD-6-716039
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: 'group(\s)?='
+            - fieldName: origin.group
+              pattern: '{{.data}}user'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.user
+              pattern: '{{.data}},'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 716039)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 716039)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - action
+            - origin.user
+          where: equals("log.messageId", 716039)
+      - trim:
+          function: suffix
+          substring: 'user'
+          fields:
+            - origin.group
+          where: equals("log.messageId", 716039)
+      #......................................................................#
+      # FTD-6-719017,719019,719020,719021,719022,719023
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'WebVPN user(\:)?'
+            - fieldName: origin.user
+              pattern: '{{.data}}\s'
+            - fieldName: action
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 719017) || (log.messageId>=719019 && log.messageId<=719023)
+      # Adding log.ciscoResult and modifying some actions
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 719019) || log.messageId==719023
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 719020) || log.messageId==719022
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'WebVPN user is not checked against ACL'
+          where: equals("log.messageId", 719021)
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'WebVPN user has been authenticated'
+          where: equals("log.messageId", 719022)
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'WebVPN user has not been authenticated'
+          where: equals("log.messageId", 719023)
+      # Cleaning fields
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.user
+          where: equals("log.messageId", 719017) || (log.messageId>=719019 && log.messageId<=719023)
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.user
+          where: equals("log.messageId", 719017) || (log.messageId>=719019 && log.messageId<=719023)
+      #......................................................................#
+      # FTD-6-719018
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'WebVPN user(\:)?'
+            - fieldName: origin.user
+              pattern: '{{.data}}\s'
+            - fieldName: log.irrelevant
+              pattern: 'ACL ID'
+            - fieldName: log.accessList
+              pattern: '{{.data}}not'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 719018)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.user
+          where: equals("log.messageId", 719018)
+      - trim:
+          function: suffix
+          substring: 'not'
+          fields:
+            - log.accessList
+          where: equals("log.messageId", 719018)
+      #......................................................................#
+      # FTD-6-719024
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Email Proxy piggyback auth fail'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}='
+            - fieldName: log.sessionPointer
+              pattern: '{{.data}}user'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.user
+              pattern: '{{.data}}addr'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.ip
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 719024)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'user'
+          fields:
+            - log.sessionPointer
+          where: equals("log.messageId", 719024)
+      - trim:
+          function: suffix
+          substring: 'addr'
+          fields:
+            - origin.user
+          where: equals("log.messageId", 719024)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: equals("log.messageId", 719024)
+      #......................................................................#
+      # FTD-7-609002
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Teardown local-host'
+            - fieldName: log.zoneName
+              pattern: '{{.data}}/'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\:'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: 'duration'
+            - fieldName: log.duration
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 609002)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - log.zoneName
+          where: equals("log.messageId", 609002)
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 609002)
+      #......................................................................#
+      # FTD-6-611305
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'VPNClient(\s)?\:'
+            - fieldName: action
+              pattern: 'DHCP Policy installed'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}DNS(\s)?\:'
+            - fieldName: log.primaryDns
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}DNS(\s)?\:'
+            - fieldName: log.secondaryDns
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}WINS(\s)?\:'
+            - fieldName: log.primaryWins
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}WINS(\s)?\:'
+            - fieldName: log.secondaryWins
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+          source: log.msg
+          where: equals("log.messageId", 611305)
+      #......................................................................#
+      # FTD-4-733100
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '{{.data}}exceeded'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.burstRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.maxBurstRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.avgRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.maxAvgRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.cumulativeTotalCount
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 733100)
+      # Cleaning cumulative total count
+      - grok:
+          patterns:
+            - fieldName: log.cumulativeTotalCount
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.cumulativeTotalCount
+          where: equals("log.messageId", 733100)
+      # Parsing drop source object
+      - grok:
+          patterns:
+            - fieldName: log.dropSourceObject
+              pattern: '{{.data}}drop'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 733100)
+      # Cleaning fields
+      - trim:
+          function: suffix
+          substring: 'drop'
+          fields:
+            - log.dropSourceObject
+          where: equals("log.messageId", 733100)
+      - trim:
+          function: suffix
+          substring: ']'
+          fields:
+            - log.dropSourceObject
+          where: equals("log.messageId", 733100)
+      - trim:
+          function: prefix
+          substring: '['
+          fields:
+            - log.dropSourceObject
+          where: equals("log.messageId", 733100)
+      #......................................................................#
+      # FTD-4-733101
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '{{.data}}(targeted|attacking)'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.burstRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.maxBurstRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.avgRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.maxAvgRateValue
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}is'
+            - fieldName: log.cumulativeTotalCount
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 733101)
+      # Cleaning cumulative total count
+      - grok:
+          patterns:
+            - fieldName: log.cumulativeTotalCount
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.cumulativeTotalCount
+          where: equals("log.messageId", 733101)
+      # Parsing drop source object
+      - grok:
+          patterns:
+            - fieldName: log.dropSourceObject
+              pattern: '{{.word}}'
+            - fieldName: log.tmpIp
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: action
+          where: equals("log.messageId", 733101)
+      # Renaming from or to ip, according to -> if (targeted|attacking)
+      - rename:
+          from:
+            - log.tmpIp
+          to: origin.ip
+          where: equals("log.messageId", 733101) && contains("action", "attacking")
+      - rename:
+          from:
+            - log.tmpIp
+          to: target.ip
+          where: equals("log.messageId", 733101) && contains("action", "targeted")
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.messageId", 733101)
+      #......................................................................#
+      # FTD-4-733102, 733103
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}host'
+            - fieldName: origin.ip
+              pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: equals("log.messageId", 733102) || log.messageId==733103
+      # Adding action
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'Threat-detection add host to shun list'
+          where: (equals("log.messageId", 733102) || log.messageId==733103) && contains("log.msg", "add")
+      - add:
+          function: 'string'
+          params:
+            key: action
+            value: 'Threat-detection removes host to shun list'
+          where: (equals("log.messageId", 733102) || log.messageId==733103) && contains("log.msg", "removes")
+      #......................................................................#
+      # Decoding severity
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'high'
+          where: log.severity=="1" || log.severity=="2" || log.severity=="3"
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'medium'
+          where: log.severity=="4"
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'low'
+          where: log.severity=="5" || log.severity=="6" || log.severity=="7"
+      #......................................................................#
+      # Adding common geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: origin.ip
+            destination: origin.geolocation
+          where: exists("origin.ip")
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: target.ip
+            destination: target.geolocation
+          where: exists("target.ip")
+      # Adding log.mappedIpFrom geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.mappedIpFrom
+            destination: log.mappedIpFrom.geolocation
+          where: exists("log.mappedIpFrom")
+      # Adding log.mappedIpTo geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.mappedIpTo
+            destination: log.mappedIpTo.geolocation
+          where: exists("log.mappedIpTo")
+      # Adding log.translatedIpFrom geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.translatedIpFrom
+            destination: log.translatedIpFrom.geolocation
+          where: exists("log.translatedIpFrom")
+      # Adding log.translatedIpTo geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.translatedIpTo
+            destination: log.translatedIpTo.geolocation
+          where: exists("log.translatedIpTo")
+      # Adding log.globalIp geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.globalIp
+            destination: log.globalIp.geolocation
+          where: exists("log.globalIp")
+      # Adding log.remoteIp geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.remoteIp
+            destination: log.remoteIp.geolocation
+          where: exists("log.remoteIp")
+      # Adding log.mappedIp geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.mappedIp
+            destination: log.mappedIp.geolocation
+          where: exists("log.mappedIp")
+      # Adding log.decapsulatedPktDestAddr geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.decapsulatedPktDestAddr
+            destination: log.decapsulatedPktDestAddr.geolocation
+          where: exists("log.decapsulatedPktDestAddr")
+      # Adding log.decapsulatedPktSrcAddr geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.decapsulatedPktSrcAddr
+            destination: log.decapsulatedPktSrcAddr.geolocation
+          where: exists("log.decapsulatedPktSrcAddr")
+      # Adding log.localProxyIpAddr geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.localProxyIpAddr
+            destination: log.localProxyIpAddr.geolocation
+          where: exists("log.localProxyIpAddr")
+      # Adding log.remoteProxyIpAddr geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.remoteProxyIpAddr
+            destination: log.remoteProxyIpAddr.geolocation
+          where: exists("log.remoteProxyIpAddr")
+      # Adding log.primaryDns geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.primaryDns
+            destination: log.primaryDns.geolocation
+          where: exists("log.primaryDns")
+      # Adding log.secondaryDns geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.secondaryDns
+            destination: log.secondaryDns.geolocation
+          where: exists("log.secondaryDns")
+      # Adding log.primaryWins geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.primaryWins
+            destination: log.primaryWins.geolocation
+          where: exists("log.primaryWins")
+      # Adding log.secondaryWins geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.secondaryWins
+            destination: log.secondaryWins.geolocation
+          where: exists("log.secondaryWins")
+      #......................................................................#
+      # Common field conversions
+      - cast:
+          fields:
+            - origin.port
+            - target.port
+          to: int
+      # Removing unused fields
+      - delete:
+          fields:
+            - log.firePowerHeader
+            - log.ciscoSeparator
+            - log.irrelevant
+            - log.syslogPri
+            - log.rest
+                $$
+	WHERE id = 303 ;
+            ]]>
+        
+    
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210004_update_filter_cisco_meraki.xml b/backend/src/main/resources/config/liquibase/changelog/20260210004_update_filter_cisco_meraki.xml
new file mode 100644
index 000000000..6f00ab3bd
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260210004_update_filter_cisco_meraki.xml
@@ -0,0 +1,1569 @@
+
+
+
+    
+
+        
+             Syslog
+#
+# 1. Parsing the message field
+pipeline:
+  - dataTypes:
+      - firewall-meraki
+    steps:
+      # Header fields
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(\<{{.integer}}\>)'
+            - fieldName: log.ciscoTime
+              pattern: '{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}'
+            - fieldName: log.serverIp
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}(\s)?\:'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: raw
+      - grok:
+          patterns:
+            - fieldName: log.ciscoTime
+              pattern: '{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}'
+            - fieldName: log.serverIp
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}(\s)?\:'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: raw
+      # Adding control log.controlFlag field (Used to know if the message don't contains the header INT.INT mx_type mx_group)
+      - add:
+          function: 'string'
+          params:
+            key: log.controlFlag
+            value: 'Init'
+      # Begin message parsing
+      # First extract the generic message, then parse it
+      - grok:
+          patterns:
+            - fieldName: log.controlFlag
+              pattern: '{{.data}}(\s)(events|flows|urls|ids-alerts|security_event)'
+            - fieldName: log.genericEvent
+              pattern: '{{.greedy}}'
+          source: log.msg
+      # Parsing variant INT.INT mx_type mx_group
+      # Parsing from controlFlag (Format: Date? IP PORT INT.INT mx_type mx_group)
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}{{.time}}'
+            - fieldName: log.localIp
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.local.port
+              pattern: '{{.integer}}'
+            - fieldName: log.msgEventTime
+              pattern: '{{.integer}}\.{{.integer}}'
+            - fieldName: log.merakiType
+              pattern: '{{.data}}\s'
+            - fieldName: log.merakiGroup
+              pattern: '{{.greedy}}'
+          source: log.controlFlag
+          where: '!equals("log.controlFlag", "Init")'
+      - grok:
+          patterns:
+            - fieldName: log.msgEventTime
+              pattern: '{{.integer}}\.{{.integer}}'
+            - fieldName: log.merakiType
+              pattern: '{{.data}}\s'
+            - fieldName: log.merakiGroup
+              pattern: '{{.greedy}}'
+          source: log.controlFlag
+          where: '!equals("log.controlFlag", "Init")'
+      # ........................................
+      # event vpn connectivity change
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'type(\s)?='
+            - fieldName: action
+              pattern: '{{.data}}\s'
+            - fieldName: log.irrelevant
+              pattern: 'vpn_type(\s)?='
+            - fieldName: log.vpnType
+              pattern: '''{{.data}}'''
+            - fieldName: log.irrelevant
+              pattern: 'peer_contact(\s)?='
+            - fieldName: origin.ip
+              pattern: '''{{.data}}\:'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'''
+            - fieldName: log.irrelevant
+              pattern: 'peer_ident(\s)?='
+            - fieldName: log.peerIdent
+              pattern: '''{{.data}}'''
+            - fieldName: log.irrelevant
+              pattern: 'connectivity(\s)?='
+            - fieldName: log.connectivity
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init")'
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equals("log.connectivity", "true")
+      # ........................................
+      # event uplink connectivity change
+      - rename:
+          from:
+            - log.genericEvent
+          to: action
+          where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "failover to")'
+      # ........................................
+      # event uplink connectivity change
+      # Event: urls, HTTP GET requests in MR Access Points
+      - rename:
+          from:
+            - log.genericEvent
+          to: action
+          where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "Cellular connection")'
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Cellular connection'
+            - fieldName: log.connectionState
+              pattern: '(up|Up|down|Down)'
+            - fieldName: log.msgEventTime
+              pattern: '{{.integer}}\.{{.integer}}'
+            - fieldName: log.merakiTypeIn
+              pattern: '{{.data}}\s'
+            - fieldName: log.merakiGroupIn
+              pattern: '(events|flows|urls|ids-alerts|security_event)'
+            - fieldName: log.irrelevant
+              pattern: 'src(\s)?='
+            - fieldName: origin.ip
+              pattern: '{{.data}}\:'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'dst(\s)?='
+            - fieldName: target.ip
+              pattern: '{{.data}}\:'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'mac(\s)?='
+            - fieldName: origin.mac
+              pattern: '{{.data}}(\s)'
+            - fieldName: log.irrelevant
+              pattern: 'request(\s)?\:'
+            - fieldName: log.method
+              pattern: '{{.word}}'
+            - fieldName: target.url
+              pattern: '{{.greedy}}'
+          source: action
+          where: '!equals("log.controlFlag", "Init") && contains("action", "Cellular connection")'
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: 'Cellular connection'
+            - fieldName: log.connectionState
+              pattern: '(up|Up|down|Down)'
+          source: action
+          where: '!equals("log.controlFlag", "Init") && contains("action", "Cellular connection")'
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: equalsIgnoreCase("log.connectionState", "up")
+      # ........................................
+      # Event: event, dhcp no offers
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '{{.data}}for\smac'
+            - fieldName: origin.mac
+              pattern: '{{.data}}\s'
+            - fieldName: log.irrelevant
+              pattern: 'host(\s)?='
+            - fieldName: origin.ip
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp no offers")'
+      - trim:
+          function: suffix
+          substring: 'for mac'
+          fields:
+            - action
+          where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp no offers")'
+      # ........................................
+      # Event: event, dhcp lease
+      - grok:
+          patterns:
+            - fieldName: action
+              pattern: '{{.data}}of\sip'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: 'from server mac'
+            - fieldName: log.serverMac
+              pattern: '{{.data}}\s'
+            - fieldName: log.irrelevant
+              pattern: 'for client mac'
+            - fieldName: origin.mac
+              pattern: '{{.data}}\s'
+            - fieldName: log.irrelevant
+              pattern: 'from router'
+            - fieldName: log.routerIp
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: 'on subnet'
+            - fieldName: log.subnet
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: 'with dns'
+            - fieldName: log.dns
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: ','
+            - fieldName: log.dns1
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp lease")'
+      - trim:
+          function: suffix
+          substring: 'of ip'
+          fields:
+            - action
+          where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp lease")'
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: contains("log.genericEvent", "dhcp lease")
+      # ........................................
+      # Event: event, HTTP GET requests in Meraki MX Security Appliance
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'src(\s)?='
+            - fieldName: origin.ip
+              pattern: '{{.data}}\:'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'dst(\s)?='
+            - fieldName: target.ip
+              pattern: '{{.data}}\:'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'mac(\s)?='
+            - fieldName: origin.mac
+              pattern: '{{.data}}(\s)'
+            - fieldName: log.irrelevant
+              pattern: 'request(\s)?\:'
+            - fieldName: log.method
+              pattern: '{{.word}}'
+            - fieldName: target.url
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="urls"'
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="urls"'
+      # ........................................
+      # Event: flows, IP session initiated in Meraki MX Security Appliance
+      # First variant
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'src(\s)?='
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: 'dst(\s)?='
+            - fieldName: target.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: 'mac(\s)?='
+            - fieldName: origin.mac
+              pattern: '{{.data}}(\s)'
+            - fieldName: log.irrelevant
+              pattern: 'protocol(\s)?='
+            - fieldName: protocol
+              pattern: '{{.data}}(\s)'
+            - fieldName: log.irrelevant
+              pattern: 'sport(\s)?='
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'dport(\s)?='
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'pattern(\s)?\:'
+            - fieldName: log.pattern
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows"'
+      # Second variant
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'src(\s)?='
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: 'dst(\s)?='
+            - fieldName: target.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: 'protocol(\s)?='
+            - fieldName: protocol
+              pattern: '{{.data}}(\s)'
+            - fieldName: log.irrelevant
+              pattern: 'sport(\s)?='
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'dport(\s)?='
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'pattern(\s)?\:'
+            - fieldName: log.pattern
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows"'
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows" && (startsWith("log.pattern", "0") || startsWith("log.pattern", "allow") || startsWith("log.pattern", "Allow"))'
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows" && (startsWith("log.pattern", "deny") || startsWith("log.pattern", "Deny"))'
+      # ........................................
+      # Event: ids-alerts, ids signature matched in Meraki MX Security Appliance
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'signature(\s)?='
+            - fieldName: log.signature
+              pattern: '{{.data}}priority'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}='
+            - fieldName: log.priority
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'timestamp(\s)?='
+            - fieldName: log.msgEventTimeIn
+              pattern: '{{.integer}}\.{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'direction(\s)?='
+            - fieldName: log.direction
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'protocol(\s)?='
+            - fieldName: protocol
+              pattern: '{{.data}}(\s)'
+            - fieldName: log.irrelevant
+              pattern: 'src(\s)?='
+            - fieldName: origin.ip
+              pattern: '{{.data}}\:'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "signature") && log.merakiGroup=="ids-alerts"'
+      - trim:
+          function: suffix
+          substring: 'priority'
+          fields:
+            - log.signature
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "signature") && log.merakiGroup=="ids-alerts"'
+      # ........................................
+      # Event: event IPsec-SA request queued due to no phase 1 found, phase2 negotiation failed, initiate new phase 1 negotiation,
+      # ISAKMP-SA established, initiate new phase 2 negotiation, IPsec-SA established, ISAKMP-SA established, and ISAKMP-SA deleted
+      # in Meraki MX Security Appliance
+      # This type of message mx_type=labs_appliance mx_group=events
+      # First variant
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)(deleted|established)'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: origin.port
+              pattern: '\[(\s)?{{.integer}}(\s)?\]'
+            - fieldName: log.irrelevant
+              pattern: '-'
+            - fieldName: target.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: target.port
+              pattern: '\[(\s)?{{.integer}}(\s)?\]'
+            - fieldName: log.irrelevant
+              pattern: 'spi(\s)?\:'
+            - fieldName: log.spi
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
+      # Second variant
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)request(\s)for'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
+      # Third variant
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)negotiation(\s)failed'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}ESP'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: origin.port
+              pattern: '\[(\s)?{{.integer}}(\s)?\]'
+            - fieldName: log.irrelevant
+              pattern: '-\>'
+            - fieldName: target.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: target.port
+              pattern: '\[(\s)?{{.integer}}(\s)?\]'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
+      # Fourth variant
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)negotiation(\s)?\:'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: origin.port
+              pattern: '\[(\s)?{{.integer}}(\s)?\]'
+            - fieldName: log.irrelevant
+              pattern: '\<=\>'
+            - fieldName: target.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: target.port
+              pattern: '\[(\s)?{{.integer}}(\s)?\]'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
+      # Fifth variant
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)established\:(\s)?ESP/Tunnel'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: origin.port
+              pattern: '\[(\s)?{{.integer}}(\s)?\]'
+            - fieldName: log.irrelevant
+              pattern: '-\>'
+            - fieldName: target.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+            - fieldName: target.port
+              pattern: '\[(\s)?{{.integer}}(\s)?\]'
+            - fieldName: log.irrelevant
+              pattern: 'spi(\s)?='
+            - fieldName: log.spi
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
+      - trim:
+          function: prefix
+          substring: '['
+          fields:
+            - origin.port
+            - target.port
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
+      - trim:
+          function: suffix
+          substring: ']'
+          fields:
+            - origin.port
+            - target.port
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events" && (contains("log.genericEvent", "queued due to no phase 1") || contains("log.genericEvent", "queued due to no phase1") || || contains("log.genericEvent", "established"))'
+      # ........................................
+      # Event: event spanning-tree guard state change in Meraki MS Switches
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Port'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'received an'
+            - fieldName: protocol
+              pattern: '{{.data}}BPDU'
+            - fieldName: log.irrelevant
+              pattern: 'from'
+            - fieldName: origin.mac
+              pattern: '{{.data}}so'
+            - fieldName: log.irrelevant
+              pattern: 'the port was'
+            - fieldName: actionResult
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events"'
+      - trim:
+          function: suffix
+          substring: 'BPDU'
+          fields:
+            - protocol
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events"'
+      - trim:
+          function: suffix
+          substring: 'so'
+          fields:
+            - origin.mac
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events"'
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events" && contains("log.genericEvent", "blocked")'
+      # ........................................
+      # Event: event blocked DHCP server response in Meraki MS Switches
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'Blocked'
+            - fieldName: protocol
+              pattern: '{{.data}}server'
+            - fieldName: log.irrelevant
+              pattern: 'response from'
+            - fieldName: origin.mac
+              pattern: '{{.data}}on'
+            - fieldName: log.irrelevant
+              pattern: 'VLAN'
+            - fieldName: log.vlan
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Blocked") && log.merakiGroup=="events"'
+      - trim:
+          function: suffix
+          substring: 'server'
+          fields:
+            - protocol
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Blocked") && log.merakiGroup=="events"'
+      - trim:
+          function: suffix
+          substring: 'on'
+          fields:
+            - origin.mac
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Blocked") && log.merakiGroup=="events"'
+      # ........................................
+      # Event: event 802.1X (all events) in Meraki MS Switches
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'type(\s)?='
+            - fieldName: action
+              pattern: '{{.data}}port'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.port
+              pattern: '{{.data}}identity'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.identity
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")'
+      - trim:
+          function: suffix
+          substring: 'port'
+          fields:
+            - action
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")'
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.port
+            - log.identity
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")'
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.port
+            - log.identity
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")'
+      # ........................................
+      # Event: event 802.11 disassociation in Meraki MR Access Points
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'type(\s)?='
+            - fieldName: action
+              pattern: '{{.data}}radio'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.radio
+              pattern: '{{.data}}vap'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.vap
+              pattern: '{{.data}}channel'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.channel
+              pattern: '{{.data}}reason'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.reason
+              pattern: '{{.data}}instigator'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.instigator
+              pattern: '{{.data}}duration'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.duration
+              pattern: '{{.data}}auth_neg_dur'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.authNegDur
+              pattern: '{{.data}}last_auth_ago'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.lastAuthAgo
+              pattern: '{{.data}}is_wpa'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.isWpa
+              pattern: '{{.data}}full_conn'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.fullConn
+              pattern: '{{.data}}ip_resp'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.ipResp
+              pattern: '{{.data}}ip_src'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.ip
+              pattern: '{{.data}}arp_resp'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.arpResp
+              pattern: '{{.data}}arp_src'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.arpSrc
+              pattern: '{{.data}}dns_server'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.dnsServer
+              pattern: '{{.data}}dns_req_rtt'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.dnsReqRtt
+              pattern: '{{.data}}dns_resp'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.dnsResp
+              pattern: '{{.data}}aid'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.aid
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'radio'
+          fields:
+            - action
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'vap'
+          fields:
+            - log.radio
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'channel'
+          fields:
+            - log.vap
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'reason'
+          fields:
+            - log.channel
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'instigator'
+          fields:
+            - log.reason
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'duration'
+          fields:
+            - log.instigator
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'auth_neg_dur'
+          fields:
+            - log.duration
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'last_auth_ago'
+          fields:
+            - log.authNegDur
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'is_wpa'
+          fields:
+            - log.lastAuthAgo
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'full_conn'
+          fields:
+            - log.isWpa
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'ip_resp'
+          fields:
+            - log.fullConn
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'ip_src'
+          fields:
+            - log.ipResp
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'arp_resp'
+          fields:
+            - origin.ip
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'arp_src'
+          fields:
+            - log.arpResp
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'dns_server'
+          fields:
+            - log.arpSrc
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'dns_req_rtt'
+          fields:
+            - log.dnsServer
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'dns_resp'
+          fields:
+            - log.dnsReqRtt
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: 'aid'
+          fields:
+            - log.dnsResp
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - log.radio
+            - log.vap
+            - log.channel
+            - log.reason
+            - log.instigator
+            - log.duration
+            - log.authNegDur
+            - log.lastAuthAgo
+            - log.isWpa
+            - log.fullConn
+            - log.ipResp
+            - origin.ip
+            - log.arpResp
+            - log.arpSrc
+            - log.dnsServer
+            - log.dnsReqRtt
+            - log.dnsResp
+            - log.aid
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - log.radio
+            - log.vap
+            - log.channel
+            - log.reason
+            - log.instigator
+            - log.duration
+            - log.authNegDur
+            - log.lastAuthAgo
+            - log.isWpa
+            - log.fullConn
+            - log.ipResp
+            - origin.ip
+            - log.arpResp
+            - log.arpSrc
+            - log.dnsServer
+            - log.dnsReqRtt
+            - log.dnsResp
+            - log.aid
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+      # ........................................
+      # Event: event 802.1X (all events) in Meraki MR Access Points
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'type(\s)?='
+            - fieldName: action
+              pattern: '{{.data}}radio'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.radio
+              pattern: '{{.data}}vap'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.vap
+              pattern: '{{.data}}identity'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.identity
+              pattern: '{{.data}}aid'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.aid
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
+      - trim:
+          function: suffix
+          substring: 'radio'
+          fields:
+            - action
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
+      - trim:
+          function: suffix
+          substring: 'vap'
+          fields:
+            - log.radio
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
+      - trim:
+          function: suffix
+          substring: 'identity'
+          fields:
+            - log.vap
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
+      - trim:
+          function: suffix
+          substring: 'aid'
+          fields:
+            - log.identity
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - log.radio
+            - log.vap
+            - log.identity
+            - log.aid
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - log.radio
+            - log.vap
+            - log.identity
+            - log.aid
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
+      # ........................................
+      # Event: event splash authentication in Meraki MR Access Points
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'type(\s)?='
+            - fieldName: action
+              pattern: '{{.data}}ip'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.ip
+              pattern: '{{.data}}duration'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.duration
+              pattern: '{{.data}}vap'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.vap
+              pattern: '{{.data}}download'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.download
+              pattern: '{{.data}}upload'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.upload
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+      - trim:
+          function: suffix
+          substring: 'ip'
+          fields:
+            - action
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+      - trim:
+          function: suffix
+          substring: 'duration'
+          fields:
+            - origin.ip
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+      - trim:
+          function: suffix
+          substring: 'vap'
+          fields:
+            - log.duration
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+      - trim:
+          function: suffix
+          substring: 'download'
+          fields:
+            - log.vap
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+      - trim:
+          function: suffix
+          substring: 'upload'
+          fields:
+            - log.download
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.ip
+            - log.vap
+            - log.duration
+            - log.download
+            - log.upload
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.ip
+            - log.vap
+            - log.duration
+            - log.download
+            - log.upload
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+      # ........................................
+      # Event: event wireless packet flood detected in Meraki MR Access Points
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'type(\s)?='
+            - fieldName: action
+              pattern: '{{.data}}(\s)packet'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.packet
+              pattern: '{{.data}}device'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.mac
+              pattern: '{{.data}}radio'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.radio
+              pattern: '{{.data}}state'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.state
+              pattern: '{{.data}}alarm_id'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.alarmId
+              pattern: '{{.data}}dos_count'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.dosCount
+              pattern: '{{.data}}inter_arrival'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.interArrival
+              pattern: '{{.greedy}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
+      - trim:
+          function: suffix
+          substring: 'packet'
+          fields:
+            - action
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
+      - trim:
+          function: suffix
+          substring: 'device'
+          fields:
+            - log.packet
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
+      - trim:
+          function: suffix
+          substring: 'radio'
+          fields:
+            - origin.mac
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
+      - trim:
+          function: suffix
+          substring: 'state'
+          fields:
+            - log.radio
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
+      - trim:
+          function: suffix
+          substring: 'alarm_id'
+          fields:
+            - log.state
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
+      - trim:
+          function: suffix
+          substring: 'dos_count'
+          fields:
+            - log.alarmId
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
+      - trim:
+          function: suffix
+          substring: 'inter_arrival'
+          fields:
+            - log.dosCount
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.ip
+            - origin.mac
+            - log.radio
+            - log.packet
+            - log.dosCount
+            - log.alarmId
+            - log.state
+            - log.interArrival
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.ip
+            - origin.mac
+            - log.radio
+            - log.packet
+            - log.dosCount
+            - log.alarmId
+            - log.state
+            - log.interArrival
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
+      # ........................................
+      # Event: flows, flow allowed by Layer 3 firewall in Meraki MR Access Points
+      - grok:
+          patterns:
+            - fieldName: actionResult
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: 'src(\s)?='
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}'
+            - fieldName: log.irrelevant
+              pattern: 'dst(\s)?='
+            - fieldName: target.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}'
+            - fieldName: log.irrelevant
+              pattern: 'mac(\s)?='
+            - fieldName: origin.mac
+              pattern: '{{.data}}protocol'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: protocol
+              pattern: '{{.data}}sport'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'dport(\s)?='
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+          source: log.genericEvent
+          where: '!equals("log.controlFlag", "Init") && (startsWith("log.genericEvent", "allow") || startsWith("log.genericEvent", "deny")) && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")'
+      - trim:
+          function: suffix
+          substring: 'sport'
+          fields:
+            - protocol
+          where: '!equals("log.controlFlag", "Init") && (startsWith("log.genericEvent", "allow") || startsWith("log.genericEvent", "deny")) && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")'
+      - trim:
+          function: suffix
+          substring: 'protocol'
+          fields:
+            - origin.mac
+          where: '!equals("log.controlFlag", "Init") && (startsWith("log.genericEvent", "allow") || startsWith("log.genericEvent", "deny")) && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")'
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "allow") && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")'
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'denied'
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "deny") && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")'
+      # ........................................
+      # Event: event rogue SSID detected and SSID spoofing detected in Meraki MR Access Points
+      # First variant
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'airmarshal_events(\s)type(\s)?='
+            - fieldName: action
+              pattern: '{{.data}}ssid(\s)?='
+            - fieldName: log.ssid
+              pattern: '{{.data}}bssid'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.bssid
+              pattern: '{{.data}}src'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.mac
+              pattern: '{{.data}}dst'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: target.mac
+              pattern: '{{.data}}wired_mac'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.wiredMac
+              pattern: '{{.data}}vlan_id'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.vlanId
+              pattern: '{{.data}}channel'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.channel
+              pattern: '{{.data}}rssi'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.rssi
+              pattern: '{{.data}}fc_type'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.fcType
+              pattern: '{{.data}}fc_subtype'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.fcSubType
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      # Second variant
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'airmarshal_events(\s)type(\s)?='
+            - fieldName: action
+              pattern: '{{.data}}ssid(\s)?='
+            - fieldName: log.ssid
+              pattern: '{{.data}}vap'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.vap
+              pattern: '{{.data}}bssid'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.bssid
+              pattern: '{{.data}}src'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.mac
+              pattern: '{{.data}}dst'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: target.mac
+              pattern: '{{.data}}channel'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.channel
+              pattern: '{{.data}}rssi'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.rssi
+              pattern: '{{.data}}fc_type'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.fcType
+              pattern: '{{.data}}fc_subtype'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.fcSubType
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: '='
+          fields:
+            - action
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: 'ssid'
+          fields:
+            - action
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: 'bssid'
+          fields:
+            - log.ssid
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: 'vap'
+          fields:
+            - log.ssid
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: 'bssid'
+          fields:
+            - log.vap
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: 'src'
+          fields:
+            - log.bssid
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: 'dst'
+          fields:
+            - origin.mac
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: 'wired_mac'
+          fields:
+            - target.mac
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: 'channel'
+          fields:
+            - target.mac
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: 'vlan_id'
+          fields:
+            - log.wiredMac
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: 'channel'
+          fields:
+            - log.vlanId
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: 'rssi'
+          fields:
+            - log.channel
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: 'fc_type'
+          fields:
+            - log.rssi
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: 'fc_subtype'
+          fields:
+            - log.fcType
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - action
+            - log.ssid
+            - log.bssid
+            - origin.mac
+            - target.mac
+            - log.wiredMac
+            - log.vlanId
+            - log.channel
+            - log.rssi
+            - log.fcType
+            - log.fcSubType
+            - log.vap
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - action
+            - log.ssid
+            - log.bssid
+            - origin.mac
+            - target.mac
+            - log.wiredMac
+            - log.vlanId
+            - log.channel
+            - log.rssi
+            - log.fcType
+            - log.fcSubType
+            - log.vap
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid")
+      # ........................................
+      # Event: security_event ids_alerted, ids signature matched in Meraki MX Security Appliance
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: 'signature(\s)?='
+            - fieldName: log.signature
+              pattern: '{{.data}}priority'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.priority
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'timestamp(\s)?='
+            - fieldName: log.msgEventTime
+              pattern: '{{.data}}dhost'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.mac
+              pattern: '{{.data}}direction'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: log.direction
+              pattern: '{{.data}}protocol'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: protocol
+              pattern: '{{.data}}src'
+            - fieldName: log.irrelevant
+              pattern: '='
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}\:'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: 'dst(\s)?='
+            - fieldName: target.ip
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}\:'
+            - fieldName: target.port
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost")
+      - trim:
+          function: suffix
+          substring: 'priority'
+          fields:
+            - log.signature
+          where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost")
+      - trim:
+          function: suffix
+          substring: 'dhost'
+          fields:
+            - log.msgEventTime
+          where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost")
+      - trim:
+          function: suffix
+          substring: 'direction'
+          fields:
+            - origin.mac
+          where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost")
+      - trim:
+          function: suffix
+          substring: 'protocol'
+          fields:
+            - log.direction
+          where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost")
+      - trim:
+          function: suffix
+          substring: 'src'
+          fields:
+            - protocol
+          where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost")
+      # Adding action result
+      - add:
+          function: 'string'
+          params:
+            key: actionResult
+            value: 'accepted'
+          where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost")
+      # ............................................................................
+      # Cleaning common fields
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.localIp
+            - origin.ip
+            - target.ip
+            - log.serverIp
+      - trim:
+          function: prefix
+          substring: ''''
+          fields:
+            - origin.ip
+            - log.peerIdent
+            - log.connectivity
+            - log.vpnType
+      - trim:
+          function: suffix
+          substring: ''''
+          fields:
+            - origin.port
+            - log.peerIdent
+            - log.connectivity
+            - log.vpnType
+      #......................................................................#
+      # Adding geolocation
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: origin.ip
+            destination: origin.geolocation
+          where: exists("origin.ip")
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: target.ip
+            destination: target.geolocation
+          where: exists("target.ip")
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.serverIp
+            destination: log.serverIp.geolocation
+          where: exists("log.serverIp")
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.localIp
+            destination: log.localIp.geolocation
+          where: exists("log.localIp")
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: log.ipResp
+            destination: log.ipResp.geolocation
+          where: exists("log.ipResp")
+      #......................................................................#
+      # Common field conversions
+      - cast:
+          fields:
+            - origin.port
+            - target.port
+          to: int
+      #......................................................................#
+      # Removing unused fields
+      - delete:
+          fields:
+            - log.controlFlag
+            - log.irrelevant
+            - log.genericEvent
+                $$
+	WHERE id = 302 ;
+            ]]>
+        
+    
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml
index 6c3e8342a..43ec7b199 100644
--- a/backend/src/main/resources/config/liquibase/master.xml
+++ b/backend/src/main/resources/config/liquibase/master.xml
@@ -387,6 +387,14 @@
 
     
 
+    
+
+    
+
+    
+
+    
+
 
 
 

From 84547c9acd308c6da848ba18d076190dc7ca0f4a Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Tue, 10 Feb 2026 14:37:41 -0600
Subject: [PATCH 085/105] feat(utm): add Cisco Deceptive Bytes and IBM AIX
 filter updates for version 3.0.1 and 3.0.3

---
 ...05_update_filter_cisco_deceptive_bytes.xml | 510 +++++++++++++++
 ...0260210006_update_filter_cisco_aix_ibm.xml | 588 ++++++++++++++++++
 .../resources/config/liquibase/master.xml     |   4 +
 3 files changed, 1102 insertions(+)
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260210005_update_filter_cisco_deceptive_bytes.xml
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260210006_update_filter_cisco_aix_ibm.xml

diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210005_update_filter_cisco_deceptive_bytes.xml b/backend/src/main/resources/config/liquibase/changelog/20260210005_update_filter_cisco_deceptive_bytes.xml
new file mode 100644
index 000000000..94646afdd
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260210005_update_filter_cisco_deceptive_bytes.xml
@@ -0,0 +1,510 @@
+
+
+
+    
+
+        
+            '
+            - fieldName: log.syslogVersion
+              pattern: '{{.integer}}'
+            - fieldName: log.syslogDeviceTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
+            - fieldName: log.syslogHostIP
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}'
+            - fieldName: log.notDefined
+              pattern: '{{.integer}}'
+            - fieldName: log.0trash
+              pattern: '{{.word}}\:{{.integer}}'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.syslogDeviceTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
+            - fieldName: log.syslogHostIP
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}'
+            - fieldName: log.0trash
+              pattern: '{{.word}}\:{{.integer}}'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.syslogVersion
+              pattern: '{{.integer}}'
+            - fieldName: log.syslogDeviceTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
+            - fieldName: log.syslogHostIP
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}'
+            - fieldName: log.0trash
+              pattern: '{{.word}}\:{{.integer}}'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.syslogVersion
+              pattern: '{{.integer}}'
+            - fieldName: log.syslogDeviceTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.0trash
+              pattern: '{{.word}}\:{{.integer}}'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.syslogVersion
+              pattern: '{{.integer}}'
+            - fieldName: log.syslogDeviceTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
+            - fieldName: log.syslogHostIP
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}'
+            - fieldName: log.0trash
+              pattern: '{{.word}}\:'
+            - fieldName: log.userWithTrash
+              pattern: '{{.data}}CEF'
+            - fieldName: log.1trash
+              pattern: '\:{{.integer}}'
+            - fieldName: log.messageWithTrash
+              pattern: '{{.data}}{{.word}}\={{.data}}{{.space}}'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.syslogDeviceTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
+            - fieldName: log.syslogHostIP
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}'
+            - fieldName: log.0trash
+              pattern: '{{.word}}\:'
+            - fieldName: log.userWithTrash
+              pattern: '{{.data}}CEF'
+            - fieldName: log.1trash
+              pattern: '\:{{.integer}}'
+            - fieldName: log.messageWithTrash
+              pattern: '{{.data}}{{.word}}\={{.data}}{{.space}}'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.user
+              pattern: '{{.greedy}}{{.space}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.userWithTrash
+
+      - grok:
+          patterns:
+            - fieldName: log.message
+              pattern: '{{.greedy}}{{.space}}'
+            - fieldName: log.restMessageToKv
+              pattern: '{{.greedy}}'
+          source: log.messageWithTrash
+
+      # Parsing the common fields
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.eventTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
+            - fieldName: log.restMessage
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.eventTime
+              pattern: '\[{{.year}}-{{.monthNumber}}-{{.monthDay}}{{.space}}{{.hour}}\:{{.minute}}\:{{.seconds}}'
+            - fieldName: log.restMessage
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.eventTime
+              pattern: '{{.monthDay}}-{{.monthNumber}}{{.space}}{{.hour}}\:{{.minute}}\:{{.seconds}}'
+            - fieldName: log.restMessage
+              pattern: '{{.greedy}}'
+          source: raw
+
+      # Parse the restMessage field from the rest of the common fields
+      - grok:
+          patterns:
+            - fieldName: log.processId
+              pattern: '\,{{.integer}}'
+            - fieldName: log.trheadId
+              pattern: '\,\-'
+            - fieldName: log.eventType
+              pattern: '\,{{.integer}}'
+            - fieldName: log.eventSource
+              pattern: '\,{{.word}}'
+            - fieldName: log.processName
+              pattern: '\,{{.integer}}'
+            - fieldName: log.processPath
+              pattern: '\,{{.word}}'
+            - fieldName: log.platform
+              pattern: '\,{{.data}}\,'
+            - fieldName: origin.path
+              pattern: '{{.greedy}}\,'
+            - fieldName: command
+              pattern: '{{.greedy}}'
+          source: log.restMessage
+
+      - grok:
+          patterns:
+            - fieldName: log.processId
+              pattern: '\,{{.integer}}'
+            - fieldName: log.trheadId
+              pattern: '\,{{.data}}\,'
+            - fieldName: log.eventType
+              pattern: '{{.integer}}'
+            - fieldName: log.eventSource
+              pattern: '\,\-'
+            - fieldName: log.processName
+              pattern: '\,{{.word}}\.{{.word}}'
+          source: log.restMessage
+
+      - grok:
+          patterns:
+            - fieldName: log.processId
+              pattern: '\,{{.integer}}'
+            - fieldName: log.trheadId
+              pattern: '\,{{.data}}\,'
+            - fieldName: log.eventType
+              pattern: '{{.integer}}'
+            - fieldName: log.eventSource
+              pattern: '\,\-\,'
+          source: log.restMessage
+
+      - grok:
+          patterns:
+            - fieldName: log.severityLabelCharacter
+              pattern: '{{.word}}\s'
+            - fieldName: log.trheadId
+              pattern: '{{.integer}}\,'
+            - fieldName: log.eventSource
+              pattern: '{{.integer}}\s'
+            - fieldName: log.component
+              pattern: '{{.word}}\,'
+            - fieldName: log.errorCode
+              pattern: '{{.integer}}\]'
+            - fieldName: log.restDataMessage
+              pattern: '{{.greedy}}'
+          source: log.restMessage
+
+      - grok:
+          patterns:
+            - fieldName: log.severityLabelCharacter
+              pattern: '{{.word}}\s'
+            - fieldName: log.trheadId
+              pattern: '{{.integer}}\,'
+            - fieldName: log.eventSource
+              pattern: '{{.integer}}\s'
+            - fieldName: log.component
+              pattern: '{{.word}}\,'
+            - fieldName: log.trheadId
+              pattern: '{{.integer}}\,'
+            - fieldName: log.eventSource
+              pattern: '{{.integer}}\s'
+            - fieldName: log.component
+              pattern: '{{.word}}\,'
+            - fieldName: log.errorCode
+              pattern: '{{.integer}}\]\s'
+            - fieldName: origin.path
+              pattern: '(?:[A-Z]:\\(?:[^\\\n]+\\)*[^\\\n]*|\/(?:[^\/\n]+\/)*[^\/\n]*)'
+          source: log.restMessage
+          where: contains("log.severityLabelCharacter", "V")
+
+      - grok:
+          patterns:
+            - fieldName: log.severityLabelCharacter
+              pattern: '{{.word}}\s'
+            - fieldName: log.processId
+              pattern: '{{.integer}}\,'
+            - fieldName: log.trheadId
+              pattern: '{{.integer}}\s'
+            - fieldName: log.methodName
+              pattern: '\:\:{{.data}}\,'
+            - fieldName: log.returnCode
+              pattern: '{{.integer}}\]\s'
+            - fieldName: log.detailedMessage
+              pattern: '\({{.data}}\)'
+          source: log.restMessage
+
+      - grok:
+          patterns:
+            - fieldName: log.severityLabelCharacter
+              pattern: '{{.word}}\s'
+            - fieldName: log.processId
+              pattern: '{{.integer}}\,'
+            - fieldName: log.trheadId
+              pattern: '{{.integer}}\s'
+            - fieldName: log.methodName
+              pattern: '{{.data}}\:\:{{.data}}\,'
+            - fieldName: log.returnCode
+              pattern: '{{.integer}}\]\s'
+            - fieldName: log.message
+              pattern: '{{.greedy}}'
+          source: log.restMessage
+
+      - grok:
+          patterns:
+            - fieldName: log.severityLabelCharacter
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.processId
+              pattern: '\[{{.integer}}\/'
+            - fieldName: log.trheadId
+              pattern: '{{.data}}\]:?\s'
+            - fieldName: log.message
+              pattern: '{{.greedy}}'
+          source: log.restMessage
+
+      # Using kv for the rest of the trash in the message
+      - kv:
+          fieldSplit: " "
+          valueSplit: "="
+          source: log.restMessageToKv
+
+      # Using grok to analyze the rest of the data
+      - grok:
+          patterns:
+            - fieldName: log.productVendor
+              pattern: '\|{{.data}}\|'
+            - fieldName: log.product
+              pattern: '{{.data}}\|'
+            - fieldName: log.productVersion
+              pattern: '{{.data}}\|'
+            - fieldName: log.signatureID
+              pattern: '{{.data}}\|'
+            - fieldName: log.eventType
+              pattern: '{{.data}}\|'
+            - fieldName: log.severity
+              pattern: '{{.data}}\|'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.restData
+
+      - grok:
+          patterns:
+            - fieldName: log.pidStatusToKv
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.message
+              pattern: '{{.greedy}}'
+          source: log.restDataMessage
+
+      - grok:
+          patterns:
+            - fieldName: log.0trash
+              pattern: '{{.data}}PID='
+            - fieldName: log.pid
+              pattern: '{{.integer}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: raw
+          where: contains("log.severityLabelCharacter", "W")
+
+      # Removing unnecessary characters
+      - trim:
+          function: prefix
+          substring: '|'
+          fields:
+            - log.productVendor
+
+      - trim:
+          function: suffix
+          substring: '|'
+          fields:
+            - log.productVendor
+            - log.product
+            - log.productVersion
+            - log.signatureID
+            - log.eventType
+            - log.severity
+
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.trheadId
+
+      - trim:
+          function: suffix
+          substring: '/'
+          fields:
+            - log.processId
+
+      - trim:
+          function: prefix
+          substring: '<'
+          fields:
+            - log.syslogPriority
+
+      - trim:
+          function: suffix
+          substring: '>'
+          fields:
+            - log.syslogPriority
+
+      - trim:
+          function: prefix
+          substring: ','
+          fields:
+            - log.trheadId
+            - log.processId
+            - log.eventType
+            - log.eventSource
+            - log.processName
+            - log.processPath
+            - log.platform
+            - origin.path
+
+      - trim:
+          function: suffix
+          substring: ','
+          fields:
+            - log.trheadId
+            - log.component
+            - log.platform
+            - origin.path
+            - log.eventSource
+            - log.processId
+            - log.methodName
+
+      - trim:
+          function: prefix
+          substring: '"'
+          fields:
+            - command
+
+      - trim:
+          function: suffix
+          substring: '"'
+          fields:
+            - command
+
+      - trim:
+          function: prefix
+          substring: '['
+          fields:
+            - log.eventTime
+            - log.processId
+            - log.severityLabelCharacter
+
+      - trim:
+          function: suffix
+          substring: ']'
+          fields:
+            - log.status
+            - log.errorCode
+            - log.returnCode
+            - log.severityLabelCharacter
+            - log.trheadId
+
+      # Using the kv filter with default config, usefull in key-value logs
+      - kv:
+          fieldSplit: " "
+          valueSplit: "="
+          source: log.restData
+
+      # Using the kv filter with other config, usefull in key-value logs
+      - kv:
+          fieldSplit: ", "
+          valueSplit: "="
+          source: log.pidStatusToKv
+
+      # Adding severity based on log.severityLabelCharacter
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'high'
+          where: oneOf("log.severityLabelCharacter", ["C", "A", "E"])
+
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'medium'
+          where: equals("log.severityLabelCharacter", "W")
+
+      - add:
+          function: 'string'
+          params:
+            key: severity
+            value: 'low'
+          where: oneOf("log.severityLabelCharacter", ["D", "V", "N", "I", "T"])
+
+      # Removing unused fields
+      - delete:
+          fields:
+            - log.0trash
+            - log.1trash
+            - log.restData
+            - log.restMessage
+            - log.restDataMessage
+            - log.irrelevant
+            - log.messageWithTrash
+            - log.restMessageToKv
+            - log.pidStatusToKv
+            - log.userWithTrash
+            - log.severityLabelCharacter
+
+
+                $$
+	WHERE id = 1512 ;
+            ]]>
+        
+    
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210006_update_filter_cisco_aix_ibm.xml b/backend/src/main/resources/config/liquibase/changelog/20260210006_update_filter_cisco_aix_ibm.xml
new file mode 100644
index 000000000..700b33d8c
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260210006_update_filter_cisco_aix_ibm.xml
@@ -0,0 +1,588 @@
+
+
+
+    
+
+        
+            '
+            - fieldName: log.deviceTime
+              pattern: '{{.monthName}}{{.space}}{{.monthDay}}{{.space}}{{.time}}'
+            - fieldName: log.msgInit
+              pattern: '{{.greedy}}'
+          source: raw
+
+      #......................................................................#
+      # Removing unnecessary characters of the syslogHeader
+      #......................................................................#
+      - trim:
+          function: prefix
+          substring: "<"
+          fields:
+            - log.priority
+      - trim:
+          function: suffix
+          substring: ">"
+          fields:
+            - log.priority
+
+      # .......................................................................#
+      # Checking that the message contains Message forwarded from
+      # .......................................................................#
+      - grok:
+          patterns:
+            - fildName: log.irrelevant
+              pattern: 'Message(\s)forwarded(\s)from'
+            - fieldName: from.host
+              pattern: '{{.data}}(\:)'
+            - fieldName: log.msgAll
+              pattern: '{{.greedy}}'
+          source: log.msgInit
+          where: contains("log.msgInit", "Message forwarded from")
+
+      # Removing unnecessary characters
+      - trim:
+          function: suffix
+          substring: ":"
+          fields:
+            - from.host
+
+      #......................................................................#
+      # Checking that the message contains TTY= or PWD= or COMMAND= or USER=
+      #......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.commandType
+              pattern: '{{.data}}(\:)'
+            - fieldName: origin.user
+              pattern: '{{.data}}(\s)?(\:)'
+            - fieldName: log.msgWithTTY
+              pattern: '{{.greedy}}'
+          source: log.msgAll
+          where: contains("log.msgAll", "TTY=") || contains("log.msgAll", "PWD=") || contains("log.msgAll", "USER=") || contains("log.msgAll", "COMMAND=")
+
+      # Removing unnecessary characters
+      - trim:
+          function: suffix
+          substring: ":"
+          fields:
+            - log.commandType
+            - origin.user
+      # ......................................................................#
+      # Using grok to parse msgWithTTY individual fields
+      # If "TTY=" in [msgWithTTY]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(TTY=)'
+            - fieldName: log.tty
+              pattern: '{{.data}}(\;)'
+            - fieldName: log.msgWithTTY
+              pattern: '{{.greedy}}'
+          source: log.msgWithTTY
+          where: contains("log.msgWithTTY", "TTY=") || contains("log.msgWithTTY", "PWD=") || contains("log.msgWithTTY", "USER=") || contains("log.msgWithTTY", "COMMAND=")
+
+      # ......................................................................#
+      # If "PWD=" in [msgWithTTY]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(PWD=)'
+            - fieldName: log.pwd
+              pattern: '{{.data}}(\;)'
+            - fieldName: log.msgWithTTY
+              pattern: '{{.greedy}}'
+          source: log.msgWithTTY
+          where: contains("log.msgWithTTY", "TTY=") || contains("log.msgWithTTY", "PWD=") || contains("log.msgWithTTY", "USER=") || contains("log.msgWithTTY", "COMMAND=")
+
+      # ......................................................................#
+      # If "USER=" in [msgWithTTY]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(USER=)'
+            - fieldName: origin.user
+              pattern: '{{.data}}(\;)'
+            - fieldName: log.msgWithTTY
+              pattern: '{{.greedy}}'
+          source: log.msgWithTTY
+          where: contains("log.msgWithTTY", "TTY=") || contains("log.msgWithTTY", "PWD=") || contains("log.msgWithTTY", "USER=") || contains("log.msgWithTTY", "COMMAND=")
+
+      # ......................................................................#
+      # If "COMMAND=" in [msgWithTTY]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(COMMAND=)'
+            - fieldName: origin.command
+              pattern: '{{.greedy}}'
+          source: log.msgWithTTY
+          where: contains("log.msgWithTTY", "TTY=") || contains("log.msgWithTTY", "PWD=") || contains("log.msgWithTTY", "USER=") || contains("log.msgWithTTY", "COMMAND=")
+
+      # ......................................................................#
+      # Using grok to parse msgAll
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.commandType
+              pattern: '{{.data}}(\:)'
+            - fieldName: origin.user
+              pattern: '{{.data}}(\s)?(\:)'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}\)'
+            - fieldName: origin.command
+              pattern: '{{.greedy}}'
+          source: log.msgAll
+          where: contains("log.msgAll", "(command continued)")
+
+      # ......................................................................#
+      # Removing unnecessary characters
+      # ......................................................................#
+      - trim:
+          function: suffix
+          substring: ";"
+          fields:
+            - log.tty
+            - log.pwd
+            - origin.user
+      - trim:
+          function: suffix
+          substring: ":"
+          fields:
+            - log.commandType
+            - origin.user
+
+      # ......................................................................#
+      # if message.matches("\\w+\\[[0-9]+\\]\\:") to parse msgAll
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.eventType
+              pattern: '{{.data}}\['
+            - fieldName: log.pid
+              pattern: '{{.integer}}\]:'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msgAll
+          where: regexMatch("log.msgAll", "\\w+\\[[0-9]+\\]\\:")
+
+      # ......................................................................#
+      #  Removing unnecessary characters
+      # ......................................................................#
+      - trim:
+          function: suffix
+          substring: "["
+          fields:
+            - log.eventType
+      - trim:
+          function: suffix
+          substring: "]:"
+          fields:
+            - log.pid
+
+      # ......................................................................#
+      # Format where the LENGTH, SESSIONID, ENTRYID, STATEMENT, USERID, USERHOST, ACTION, RETURNCODE, OBJ$CREATOR, OBJ$NAME, and OS$USERID fields exist
+      # ......................................................................#
+      # if ("LENGTH" in [message] or "SESSIONID" in [message] or "ENTRYID" in [message] or "STATEMENT" in [message] or "USERID" in [message] or "USERHOST" in [message] or "ACTION" in [message]
+      # or "RETURNCODE" in [message] or "OBJ$CREATOR" in [message] or "OBJ$NAME" in [message] or "OS$USERID" in [message])
+      # ......................................................................#
+      # Using grok to parse msg individual fields
+      # ......................................................................#
+      # If "LENGTH:" in [msg]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(LENGTH:)'
+            - fieldName: log.length
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:")
+
+      # ......................................................................#
+      # If "SESSIONID:" in [msg]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(SESSIONID:)'
+            - fieldName: log.irrelevant
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.sessionID
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:")
+
+      # ......................................................................#
+      # If "ENTRYID:" in [msg]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(ENTRYID:)'
+            - fieldName: log.irrelevant
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.entryID
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:")
+
+      # ......................................................................#
+      # If "STATEMENT:" in [msg]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(STATEMENT:)'
+            - fieldName: log.irrelevant
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.statement
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:")
+
+      # ......................................................................#
+      # If "USERID:" in [msg]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(USERID:)'
+            - fieldName: log.irrelevant
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.userID
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:")
+
+      # ......................................................................#
+      # If "USERHOST:" in [msg]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(USERHOST:)'
+            - fieldName: log.irrelevant
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.userHost
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:")
+
+      # ......................................................................#
+      # If "ACTION:" in [msg]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(ACTION:)'
+            - fieldName: log.irrelevant
+              pattern: '\[{{.data}}\]'
+            - fieldName: action
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:")
+
+      # ......................................................................#
+      # If "RETURNCODE:" in [msg]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(RETURNCODE:)'
+            - fieldName: log.irrelevant
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.returnCode
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:")
+
+      # ......................................................................#
+      # If "OBJ$CREATOR:" in [msg]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(OBJ$CREATOR:)'
+            - fieldName: log.irrelevant
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.objCreator
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:")
+
+      # ......................................................................#
+      # If "OBJ$NAME:" in [msg]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(OBJ$NAME:)'
+            - fieldName: log.irrelevant
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.objName
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:")
+
+      # ......................................................................#
+      # If "OS$USERID:" in [msg]
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '(OS$USERID:)'
+            - fieldName: log.irrelevant
+              pattern: '\[{{.data}}\]'
+            - fieldName: log.osUserID
+              pattern: '\"{{.data}}\"'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:")
+
+      # ......................................................................
+      # Removing msg field
+      # ......................................................................
+      - delete:
+          fields:
+            - log.msg
+          where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:")
+
+      # ......................................................................#
+      # if ([msg]=~/from(.+)port/)
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}from(\s)'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}'
+            - fieldName: log.irrelevant
+              pattern: '(port)'
+            - fieldName: origin.port
+              pattern: '{{.integer}}'
+            - fieldName: log.restMsg
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where:  regexMatch("log.msg", "from(.+)port")
+
+      - grok:
+          patterns:
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}from(\s)user(\s)'
+            - fieldName: origin.user
+              pattern: '{{.word}}'
+            - fieldName: origin.ip
+              pattern: '{{.ipv4}}'
+            - fieldName: log.irrelevant
+              pattern: '(port)'
+            - fieldName: origin.port
+              pattern: '{{.greedy}}'
+          source: log.msg
+          where:  regexMatch("log.msg", "from(.+)port")
+
+      # ......................................................................#
+      # if restmsg contains protocol SSH  and SHA256
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: protocol
+              pattern: '{{.data}}(\:)'
+            - fieldName: log.sshKey
+              pattern: '{{.word}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}(\:)'
+            - fieldName: origin.sha256
+              pattern: '{{.greedy}}'
+          source: log.restMsg
+          where: contains("log.restMsg", "ssh") && contains("log.restMsg", "SHA256")
+
+      # ......................................................................#
+      # Fileds conversions
+      # ......................................................................#
+      - cast:
+          fields:
+            - origin.port
+          to: int
+
+      # ......................................................................#
+      # Removing unnecessary characters
+      # ......................................................................#
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.eventType
+            - protocol
+
+      # ......................................................................#
+      # Using grok to parse msgAll
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.eventType
+              pattern: '{{.word}}(\:)'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msgAll
+
+      - grok:
+          patterns:
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msgAll
+
+      # ......................................................................#
+      # Using grok to parse msgInit
+      # ......................................................................#
+      - grok:
+          patterns:
+            - fieldName: log.eventType
+              pattern: '{{.word}}(\:)'
+            - fieldName: log.irrelevant
+              pattern: '{{.data}}(\[)'
+            - fieldName: log.pid
+              pattern: '{{.integer}}(\])'
+            - fieldName: log.msg
+              pattern: '{{.greedy}}'
+          source: log.msgInit
+      # ......................................................................#
+
+      # ......................................................................#
+      # Removing unnecessary characters
+      # ......................................................................#
+      - trim:
+          function: suffix
+          substring: ':'
+          fields:
+            - log.eventType
+
+      - trim:
+          function: suffix
+          substring: ']'
+          fields:
+            - log.pid
+
+      # ......................................................................#
+      # Removing unnecessary characters
+      # ......................................................................#
+      - trim:
+          function: suffix
+          substring: '"'
+          fields:
+            - log.length
+            - log.sessionID
+            - log.entryID
+            - log.statement
+            - log.userID
+            - log.userHost
+            - action
+            - log.returnCode
+            - log.objCreator
+            - log.objName
+            - log.osUserID
+
+      - trim:
+          function: prefix
+          substring: '"'
+          fields:
+            - log.length
+            - log.sessionID
+            - log.entryID
+            - log.statement
+            - log.userID
+            - log.userHost
+            - action
+            - log.returnCode
+            - log.objCreator
+            - log.objName
+            - log.osUserID
+
+      # Adding geolocation to origin.ip
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: origin.ip
+            destination: origin.geolocation
+          where: exists("origin.ip")
+
+      # Adding geolocation to target.ip
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: target.ip
+            destination: target.geolocation
+          where: exists("target.ip")
+
+      # ..........................................................................#
+      # Remove issues fileds
+      # ..........................................................................#
+      - delete:
+          fields:
+            - log.irrelevant
+            - log.msgWithTTY
+            - log.msgAll
+            - log.msgInit
+            - log.restMsg
+
+
+                $$
+	WHERE id = 1525;
+            ]]>
+        
+    
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml
index 43ec7b199..1c393b687 100644
--- a/backend/src/main/resources/config/liquibase/master.xml
+++ b/backend/src/main/resources/config/liquibase/master.xml
@@ -395,6 +395,10 @@
 
     
 
+    
+
+    
+
 
 
 

From 0614c6fe2c34aa39816b643c7768b79a251f74b6 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Tue, 10 Feb 2026 14:41:43 -0600
Subject: [PATCH 086/105] feat(utm): update Microsoft 365 filter update for
 version 1.0.3 and rename Cisco AIX filter file

---
 ... => 20260210006_update_filter_aix_ibm.xml} |   0
 .../20260210007_update_filter_o365.xml        | 124 ++++++++++++++++++
 .../resources/config/liquibase/master.xml     |   4 +-
 3 files changed, 127 insertions(+), 1 deletion(-)
 rename backend/src/main/resources/config/liquibase/changelog/{20260210006_update_filter_cisco_aix_ibm.xml => 20260210006_update_filter_aix_ibm.xml} (100%)
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260210007_update_filter_o365.xml

diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210006_update_filter_cisco_aix_ibm.xml b/backend/src/main/resources/config/liquibase/changelog/20260210006_update_filter_aix_ibm.xml
similarity index 100%
rename from backend/src/main/resources/config/liquibase/changelog/20260210006_update_filter_cisco_aix_ibm.xml
rename to backend/src/main/resources/config/liquibase/changelog/20260210006_update_filter_aix_ibm.xml
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210007_update_filter_o365.xml b/backend/src/main/resources/config/liquibase/changelog/20260210007_update_filter_o365.xml
new file mode 100644
index 000000000..91ca908e5
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260210007_update_filter_o365.xml
@@ -0,0 +1,124 @@
+
+
+
+    
+
+        
+            
+        
+    
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml
index 1c393b687..c6cf769e3 100644
--- a/backend/src/main/resources/config/liquibase/master.xml
+++ b/backend/src/main/resources/config/liquibase/master.xml
@@ -397,7 +397,9 @@
 
     
 
-    
+    
+
+    
 
 
 

From ada9702f3485bef4f5bff7f834f1f904a579fc4d Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Tue, 10 Feb 2026 14:46:04 -0600
Subject: [PATCH 087/105] feat(utm): update Windows Events filter update for
 version 1.0.0

---
 ...260210008_update_filter_windows_events.xml | 2998 +++++++++++++++++
 .../resources/config/liquibase/master.xml     |    2 +
 2 files changed, 3000 insertions(+)
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260210008_update_filter_windows_events.xml

diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210008_update_filter_windows_events.xml b/backend/src/main/resources/config/liquibase/changelog/20260210008_update_filter_windows_events.xml
new file mode 100644
index 000000000..aaf4e3d46
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260210008_update_filter_windows_events.xml
@@ -0,0 +1,2998 @@
+
+
+
+    
+
+        
+            
+        
+    
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml
index c6cf769e3..64f6c3c0b 100644
--- a/backend/src/main/resources/config/liquibase/master.xml
+++ b/backend/src/main/resources/config/liquibase/master.xml
@@ -401,6 +401,8 @@
 
     
 
+    
+
 
 
 

From 1453120e37e4acb564c7ff31f27b17c2e20b8c18 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Tue, 10 Feb 2026 15:20:19 -0600
Subject: [PATCH 088/105] refactor(UtmDataInputStatusService): improve handling
 of last processed timestamp

---
 .../service/UtmDataInputStatusService.java    | 12 +++++------
 ...09_update_data_input_status_checkpoint.xml | 20 +++++++++++++++++++
 .../resources/config/liquibase/master.xml     |  2 ++
 3 files changed, 28 insertions(+), 6 deletions(-)
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260210009_update_data_input_status_checkpoint.xml

diff --git a/backend/src/main/java/com/park/utmstack/service/UtmDataInputStatusService.java b/backend/src/main/java/com/park/utmstack/service/UtmDataInputStatusService.java
index f21e5a1c9..7bbd975f6 100644
--- a/backend/src/main/java/com/park/utmstack/service/UtmDataInputStatusService.java
+++ b/backend/src/main/java/com/park/utmstack/service/UtmDataInputStatusService.java
@@ -485,14 +485,14 @@ private Map getLatestStatisticsByDataSource() {
             }
         });
 
-        Instant lastTimestamp = result.values().stream()
+        Optional maybeLastTimestamp = result.values().stream()
                 .map(doc -> Instant.parse(doc.getTimestamp()))
-                .max(Instant::compareTo)
-                .orElse(Instant.now());
+                .max(Instant::compareTo);
 
-        checkpoint.setLastProcessedTimestamp(lastTimestamp);
-
-        this.checkpointRepository.save(checkpoint);
+        if (maybeLastTimestamp.isPresent()) {
+            checkpoint.setLastProcessedTimestamp(maybeLastTimestamp.get());
+            this.checkpointRepository.save(checkpoint);
+        }
 
         return result;
     }
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210009_update_data_input_status_checkpoint.xml b/backend/src/main/resources/config/liquibase/changelog/20260210009_update_data_input_status_checkpoint.xml
new file mode 100644
index 000000000..ed77c3aae
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260210009_update_data_input_status_checkpoint.xml
@@ -0,0 +1,20 @@
+
+
+
+    
+
+        
+            
+        
+
+    
+
diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml
index 64f6c3c0b..39767b5ac 100644
--- a/backend/src/main/resources/config/liquibase/master.xml
+++ b/backend/src/main/resources/config/liquibase/master.xml
@@ -403,6 +403,8 @@
 
     
 
+    
+
 
 
 

From 4c6bb1c91b7a737f706314d044e3278d29781284 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Tue, 10 Feb 2026 15:33:10 -0600
Subject: [PATCH 089/105] feat(UtmModuleService): update filter activation
 logic to include timestamp

---
 .../service/application_modules/UtmModuleService.java       | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleService.java b/backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleService.java
index 65c978fe3..a594db273 100644
--- a/backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleService.java
+++ b/backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleService.java
@@ -20,6 +20,7 @@
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.util.CollectionUtils;
 
+import java.time.Instant;
 import java.util.List;
 import java.util.NoSuchElementException;
 import java.util.Optional;
@@ -128,7 +129,10 @@ private void enableDisableModuleFilter(ModuleName nameShort, Boolean activationS
                 if ((!activationStatus && moduleInstancesActives > 0) || (activationStatus && moduleInstancesActives > 1))
                     return;
 
-                filters.forEach(filter -> filter.setActive(activationStatus));
+                filters.forEach(filter -> {
+                    filter.setActive(activationStatus);
+                    filter.setUpdatedAt(Instant.now());
+                });
                 logstashFilterService.saveAll(filters);
             } else {
                 return;

From 51d45a2096caeda34a2cbe9bcf81c34e5bafe9f0 Mon Sep 17 00:00:00 2001
From: JocLRojas 
Date: Wed, 11 Feb 2026 01:07:53 +0300
Subject: [PATCH 090/105] feat(azure-plugin): configure Event Hub processor to
 read from earliest position

---
 plugins/azure/main.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/plugins/azure/main.go b/plugins/azure/main.go
index 4892c484b..723b24bb9 100644
--- a/plugins/azure/main.go
+++ b/plugins/azure/main.go
@@ -11,6 +11,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"github.com/Azure/azure-sdk-for-go/sdk/messaging/azeventhubs/v2"
 	"github.com/Azure/azure-sdk-for-go/sdk/messaging/azeventhubs/v2/checkpoints"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
@@ -237,7 +238,13 @@ func pull(group *config.ModuleGroup) {
 	}
 	defer client.Close(context.Background())
 
-	processor, err := azeventhubs.NewProcessor(client, checkpointStore, nil)
+	processor, err := azeventhubs.NewProcessor(client, checkpointStore, &azeventhubs.ProcessorOptions{
+		StartPositions: azeventhubs.StartPositions{
+			Default: azeventhubs.StartPosition{
+				Earliest: to.Ptr(true),
+			},
+		},
+	})
 	if err != nil {
 		_ = catcher.Error("cannot create Event Hub processor", err, map[string]any{
 			"group":   agent.GroupName,

From efc1cd2321518a6bb80ca337f949e74fb1243007 Mon Sep 17 00:00:00 2001
From: JocLRojas 
Date: Wed, 11 Feb 2026 01:50:48 +0300
Subject: [PATCH 091/105] feat(azure-plugin): add processor initialization
 timeout and improve partition handling

---
 plugins/azure/main.go | 37 ++++++++++++++++++++++++++++++++-----
 1 file changed, 32 insertions(+), 5 deletions(-)

diff --git a/plugins/azure/main.go b/plugins/azure/main.go
index 723b24bb9..d785038e6 100644
--- a/plugins/azure/main.go
+++ b/plugins/azure/main.go
@@ -28,11 +28,12 @@ const (
 	defaultTenant string = "ce66672c-e36d-4761-a8c8-90058fee1a24"
 	wait                 = 1 * time.Second
 
-	processingTimeout  = 2 * time.Hour
-	maxEmptyBatches    = 5
-	emptyBatchWaitTime = 10 * time.Second
-	receiveTimeout     = 30 * time.Second
-	maxEventsPerBatch  = 100
+	processingTimeout    = 2 * time.Hour
+	processorInitTimeout = 30 * time.Second
+	maxEmptyBatches      = 5
+	emptyBatchWaitTime   = 10 * time.Second
+	receiveTimeout       = 30 * time.Second
+	maxEventsPerBatch    = 100
 
 	AzurePublic     AzureCloud = "AzurePublic"
 	AzureGovernment AzureCloud = "AzureGovernment"
@@ -257,6 +258,9 @@ func pull(group *config.ModuleGroup) {
 	defer cancel()
 
 	var partitionsWg sync.WaitGroup
+	processorReady := make(chan struct{})
+	var firstPartitionAssigned bool
+	var readyMutex sync.Mutex
 
 	go func() {
 		for {
@@ -264,6 +268,14 @@ func pull(group *config.ModuleGroup) {
 			if pc == nil {
 				return
 			}
+
+			readyMutex.Lock()
+			if !firstPartitionAssigned {
+				firstPartitionAssigned = true
+				close(processorReady)
+			}
+			readyMutex.Unlock()
+
 			partitionsWg.Add(1)
 			go processPartition(ctx, pc, agent.GroupName, &partitionsWg)
 		}
@@ -276,8 +288,23 @@ func pull(group *config.ModuleGroup) {
 				"process": "plugin_com.utmstack.azure",
 			})
 		}
+
+		readyMutex.Lock()
+		if !firstPartitionAssigned {
+			firstPartitionAssigned = true
+			close(processorReady)
+		}
+		readyMutex.Unlock()
 	}()
 
+	select {
+	case <-processorReady:
+	case <-time.After(processorInitTimeout):
+		catcher.Info("processor initialization timeout reached", map[string]any{
+			"process": "plugin_com.utmstack.azure",
+		})
+	}
+
 	partitionsWg.Wait()
 
 	cancel()

From b3b411b9512720703fc24ca1b98b911a535c4135 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Tue, 10 Feb 2026 17:55:53 -0600
Subject: [PATCH 092/105] feat(UtmDataInputStatusRepository): enhance query to
 normalize dataType comparison

---
 .../UtmDataInputStatusRepository.java                | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/backend/src/main/java/com/park/utmstack/repository/datainput_ingestion/UtmDataInputStatusRepository.java b/backend/src/main/java/com/park/utmstack/repository/datainput_ingestion/UtmDataInputStatusRepository.java
index 4cf0c3c0f..47be50866 100644
--- a/backend/src/main/java/com/park/utmstack/repository/datainput_ingestion/UtmDataInputStatusRepository.java
+++ b/backend/src/main/java/com/park/utmstack/repository/datainput_ingestion/UtmDataInputStatusRepository.java
@@ -47,9 +47,19 @@ public interface UtmDataInputStatusRepository extends JpaRepository findDataSourcesToConfigure(@Param("dataType") String dataType);
 
+
+
     Optional findByDataType(String dataType);
     Optional findBySourceAndDataType(String source, String dataType);
 

From 96d8d3b5a62aeae9d22e2a394fd95e7e4453f733 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Tue, 10 Feb 2026 19:42:45 -0600
Subject: [PATCH 093/105] feat(add-type): enhance validation and search
 functionality for data types

Signed-off-by: Manuel Abascal 
---
 .../types/components/add-type.component.html  | 44 ++++++++++++---
 .../types/components/add-type.component.ts    | 55 ++++++++++++++++++-
 .../app-rule/validators/customs.validators.ts | 15 +++++
 3 files changed, 102 insertions(+), 12 deletions(-)

diff --git a/frontend/src/app/rule-management/app-correlation-management/components/types/components/add-type.component.html b/frontend/src/app/rule-management/app-correlation-management/components/types/components/add-type.component.html
index b1402c717..93a7e4fdc 100644
--- a/frontend/src/app/rule-management/app-correlation-management/components/types/components/add-type.component.html
+++ b/frontend/src/app/rule-management/app-correlation-management/components/types/components/add-type.component.html
@@ -3,25 +3,51 @@
   
    
     
    
       
-      
-      
    
-        
    
+      
+
+      
    
+
+        
    
           Data Type is required.
         
    
-        
    
-          Maximum length exceeded.
+
+        
    
+          Minimum length is 3 characters.
         
    
+
+        
    
+          Maximum length is 50 characters.
+        
    
+
+        
    
+          Data Type must be unique.
+        
    
+
       
    
+
     
    
     
    
       
-      
+      
+
       
    
-        
    
+        
    
           Data Type Name  is required.
         
    
-        
    
-          Maximum length exceeded.
+        
    
+          Minimum length is 4 characters.
+        
    
+
+        
    
+          Maximum length is 50 characters.
         
    
       
    
     
    
diff --git a/frontend/src/app/rule-management/app-correlation-management/components/types/components/add-type.component.ts b/frontend/src/app/rule-management/app-correlation-management/components/types/components/add-type.component.ts
index 0e52ef9cc..e87711e37 100644
--- a/frontend/src/app/rule-management/app-correlation-management/components/types/components/add-type.component.ts
+++ b/frontend/src/app/rule-management/app-correlation-management/components/types/components/add-type.component.ts
@@ -4,6 +4,9 @@ import {NgbActiveModal, NgbModal} from '@ng-bootstrap/ng-bootstrap';
 import {UtmToastService} from '../../../../../shared/alert/utm-toast.service';
 import {DataType} from '../../../../models/rule.model';
 import {DataTypeService} from '../../../../services/data-type.service';
+import {uniqueStringValidator} from "../../../../app-rule/validators/customs.validators";
+import {debounceTime, map, tap} from "rxjs/operators";
+import {HttpResponse} from "@angular/common/http";
 
 @Component({
   selector: 'app-add-type',
@@ -13,6 +16,8 @@ import {DataTypeService} from '../../../../services/data-type.service';
 export class AddTypeComponent implements OnInit {
 
   @Input() type: DataType;
+
+  dataTypes: string[] = [];
   dataTypeForm: FormGroup;
   loading = false;
   mode: 'ADD' | 'EDIT';
@@ -25,7 +30,13 @@ export class AddTypeComponent implements OnInit {
 
   ngOnInit() {
     this.mode = this.type ? 'EDIT' : 'ADD';
+
     this.initForm();
+
+    this.dataType.valueChanges
+      .pipe(
+        debounceTime(500),
+      ).subscribe(value => this.searchDataTypes(value));
   }
 
   get dataType() {
@@ -43,12 +54,30 @@ export class AddTypeComponent implements OnInit {
 
   initForm() {
     this.dataTypeForm = this.formBuilder.group({
-      dataType: [ this.type ? this.type.dataType : '', [Validators.required, Validators.maxLength(250)]],
-      dataTypeName: [ this.type ? this.type.dataTypeName : '', [Validators.required, Validators.maxLength(250)]],
-      dataTypeDescription: [this.type ? this.type.dataTypeDescription : '']
+      dataType: [
+        this.type ? this.type.dataType : '',
+        [
+          Validators.required,
+          Validators.minLength(3),
+          Validators.maxLength(50),
+          uniqueStringValidator(this.dataTypes)
+        ]
+      ],
+      dataTypeName: [
+        this.type ? this.type.dataTypeName : '',
+        [
+          Validators.required,
+          Validators.minLength(4),
+          Validators.maxLength(50)
+        ]
+      ],
+      dataTypeDescription: [
+        this.type ? this.type.dataTypeDescription : ''
+      ]
     });
   }
 
+
   onSubmit() {
     if (this.dataTypeForm.valid) {
       this.loading = true;
@@ -81,4 +110,24 @@ export class AddTypeComponent implements OnInit {
     }
   }
 
+  searchDataTypes(term: string) {
+
+    const request =   {
+      page: 0,
+      search: term
+    };
+
+    this.dataTypeService.getAll(request)
+      .pipe(
+        map((response: HttpResponse ) =>  response.body || []))
+      .subscribe({
+        next: types => {
+          this.dataTypes.length = 0;
+          this.dataTypes.push(...types.map(t => t.dataType));
+          this.dataType.updateValueAndValidity({ emitEvent: false });
+        },
+        error: err => console.error('Error searching data types:', err.message)
+      });
+  }
+
 }
diff --git a/frontend/src/app/rule-management/app-rule/validators/customs.validators.ts b/frontend/src/app/rule-management/app-rule/validators/customs.validators.ts
index f21953037..21ac5190b 100644
--- a/frontend/src/app/rule-management/app-rule/validators/customs.validators.ts
+++ b/frontend/src/app/rule-management/app-rule/validators/customs.validators.ts
@@ -25,3 +25,18 @@ export function minWordsValidator(minWords: number, minLengthPerWord: number): V
 }
 
 
+export function uniqueStringValidator(existing: string[]): ValidatorFn {
+  return (control: AbstractControl): ValidationErrors | null => {
+    if (!control.value) { return null; }
+
+    const normalized = control.value.trim().toLowerCase();
+    const exists = existing
+      .map(x => x.trim().toLowerCase())
+      .includes(normalized);
+
+    return exists ? { unique: true } : null;
+  };
+}
+
+
+

From 257fec7ab6916d43f56ca9d6625ddfb8019e0f00 Mon Sep 17 00:00:00 2001
From: JocLRojas 
Date: Wed, 11 Feb 2026 16:08:34 +0300
Subject: [PATCH 094/105] refactor(azure-plugin): implement persistent Event
 Hub processor lifecycle management

---
 plugins/azure/main.go | 323 +++++++++++++++++++++---------------------
 1 file changed, 163 insertions(+), 160 deletions(-)

diff --git a/plugins/azure/main.go b/plugins/azure/main.go
index d785038e6..c124baac2 100644
--- a/plugins/azure/main.go
+++ b/plugins/azure/main.go
@@ -2,7 +2,6 @@ package main
 
 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
@@ -28,12 +27,8 @@ const (
 	defaultTenant string = "ce66672c-e36d-4761-a8c8-90058fee1a24"
 	wait                 = 1 * time.Second
 
-	processingTimeout    = 2 * time.Hour
-	processorInitTimeout = 30 * time.Second
-	maxEmptyBatches      = 5
-	emptyBatchWaitTime   = 10 * time.Second
-	receiveTimeout       = 30 * time.Second
-	maxEventsPerBatch    = 100
+	receiveTimeout    = 30 * time.Second
+	maxEventsPerBatch = 100
 
 	AzurePublic     AzureCloud = "AzurePublic"
 	AzureGovernment AzureCloud = "AzureGovernment"
@@ -72,6 +67,18 @@ var SupportedClouds = []CloudEndpoints{
 	},
 }
 
+type ProcessorManager struct {
+	processors sync.Map
+}
+
+type ActiveProcessor struct {
+	cancel context.CancelFunc
+	config AzureConfig
+	done   chan struct{}
+}
+
+var processorManager = &ProcessorManager{}
+
 func main() {
 	mode := plugins.GetCfg("plugin_com.utmstack.azure").Env.Mode
 	if mode != "worker" {
@@ -86,48 +93,127 @@ func main() {
 		}()
 	}
 
+	catcher.Info("Azure plugin started", map[string]any{
+		"process": "plugin_com.utmstack.azure",
+	})
+
+	processorManager.syncProcessors()
+
 	delay := 5 * time.Minute
 	ticker := time.NewTicker(delay)
 	defer ticker.Stop()
 
 	for range ticker.C {
-		moduleConfig := config.GetConfig()
-		if moduleConfig != nil && moduleConfig.ModuleActive {
-			cloudsInUse := detectCloudsInUse(moduleConfig)
-			for cloudName, loginAuthority := range cloudsInUse {
-				if err := connectionChecker(loginAuthority); err != nil {
-					catcher.Info("Airgap or limited connectivity detected", map[string]any{
-						"cloud":          cloudName,
-						"loginAuthority": loginAuthority,
-						"process":        "plugin_com.utmstack.azure",
-					})
-				}
-			}
+		processorManager.syncProcessors()
+	}
+}
 
-			var wg sync.WaitGroup
-			wg.Add(len(moduleConfig.ModuleGroups))
-			for _, grp := range moduleConfig.ModuleGroups {
-				go func(group *config.ModuleGroup) {
-					defer wg.Done()
-					var invalid bool
-					for _, cnf := range group.ModuleGroupConfigurations {
-						if strings.TrimSpace(cnf.ConfValue) == "" {
-							invalid = true
-							break
-						}
-					}
-					if !invalid {
-						pull(group)
-					}
-				}(grp)
+func (pm *ProcessorManager) syncProcessors() {
+	moduleConfig := config.GetConfig()
+	if moduleConfig == nil || !moduleConfig.ModuleActive {
+		pm.stopAll()
+		return
+	}
+
+	cloudsInUse := detectCloudsInUse(moduleConfig)
+	for cloudName, loginAuthority := range cloudsInUse {
+		if err := connectionChecker(loginAuthority); err != nil {
+			catcher.Info("airgap or limited connectivity detected", map[string]any{
+				"cloud":          cloudName,
+				"loginAuthority": loginAuthority,
+				"process":        "plugin_com.utmstack.azure",
+			})
+		}
+	}
+
+	currentGroups := make(map[string]*config.ModuleGroup)
+	for _, grp := range moduleConfig.ModuleGroups {
+		valid := true
+		for _, cnf := range grp.ModuleGroupConfigurations {
+			if strings.TrimSpace(cnf.ConfValue) == "" {
+				valid = false
+				break
 			}
+		}
+		if valid {
+			currentGroups[grp.GroupName] = grp
+		}
+	}
 
-			wg.Wait()
+	pm.processors.Range(func(key, value any) bool {
+		groupName := key.(string)
+		if _, exists := currentGroups[groupName]; !exists {
+			pm.stop(groupName)
 		}
+		return true
+	})
+
+	for groupName, grp := range currentGroups {
+		newConfig := getAzureProcessor(grp)
 
+		if existing, ok := pm.processors.Load(groupName); ok {
+			activeProc := existing.(*ActiveProcessor)
+
+			if configChanged(activeProc.config, newConfig) {
+				pm.stop(groupName)
+				pm.start(groupName, newConfig)
+			} else {
+				select {
+				case <-activeProc.done:
+					pm.start(groupName, newConfig)
+				default:
+				}
+			}
+		} else {
+			pm.start(groupName, newConfig)
+		}
 	}
 }
 
+func (pm *ProcessorManager) start(groupName string, config AzureConfig) {
+	ctx, cancel := context.WithCancel(context.Background())
+
+	activeProc := &ActiveProcessor{
+		cancel: cancel,
+		config: config,
+		done:   make(chan struct{}),
+	}
+
+	pm.processors.Store(groupName, activeProc)
+
+	go func() {
+		defer close(activeProc.done)
+		runProcessor(ctx, config)
+	}()
+}
+
+func (pm *ProcessorManager) stop(groupName string) {
+	if value, ok := pm.processors.LoadAndDelete(groupName); ok {
+		activeProc := value.(*ActiveProcessor)
+		activeProc.cancel()
+
+		select {
+		case <-activeProc.done:
+		case <-time.After(30 * time.Second):
+		}
+	}
+}
+
+func (pm *ProcessorManager) stopAll() {
+	pm.processors.Range(func(key, value any) bool {
+		groupName := key.(string)
+		pm.stop(groupName)
+		return true
+	})
+}
+
+func configChanged(old, new AzureConfig) bool {
+	return old.EventHubConnection != new.EventHubConnection ||
+		old.ConsumerGroup != new.ConsumerGroup ||
+		old.StorageContainer != new.StorageContainer ||
+		old.StorageConnection != new.StorageConnection
+}
+
 func detectCloudsInUse(moduleConfig *config.ConfigurationSection) map[string]string {
 	cloudsMap := make(map[string]string)
 
@@ -162,9 +248,7 @@ func detectCloudFromConnectionString(connectionString string) (CloudEndpoints, e
 	return CloudEndpoints{}, fmt.Errorf("unable to detect Azure cloud from connection string")
 }
 
-func pull(group *config.ModuleGroup) {
-	agent := getAzureProcessor(group)
-
+func runProcessor(ctx context.Context, agent AzureConfig) {
 	if agent.EventHubConnection == "" || agent.ConsumerGroup == "" ||
 		agent.StorageContainer == "" || agent.StorageConnection == "" {
 		_ = catcher.Error("missing required configuration for Event Hub", nil, map[string]any{
@@ -224,9 +308,12 @@ func pull(group *config.ModuleGroup) {
 		})
 
 		if retry < maxRetries-1 {
-			time.Sleep(retryDelay)
-			// Increase delay for next retry
-			retryDelay *= 2
+			select {
+			case <-ctx.Done():
+				return
+			case <-time.After(retryDelay):
+				retryDelay *= 2
+			}
 		}
 	}
 
@@ -237,7 +324,14 @@ func pull(group *config.ModuleGroup) {
 		})
 		return
 	}
-	defer client.Close(context.Background())
+	defer func() {
+		if err := client.Close(context.Background()); err != nil {
+			_ = catcher.Error("error closing consumer client", err, map[string]any{
+				"group":   agent.GroupName,
+				"process": "plugin_com.utmstack.azure",
+			})
+		}
+	}()
 
 	processor, err := azeventhubs.NewProcessor(client, checkpointStore, &azeventhubs.ProcessorOptions{
 		StartPositions: azeventhubs.StartPositions{
@@ -254,13 +348,7 @@ func pull(group *config.ModuleGroup) {
 		return
 	}
 
-	ctx, cancel := context.WithTimeout(context.Background(), processingTimeout)
-	defer cancel()
-
 	var partitionsWg sync.WaitGroup
-	processorReady := make(chan struct{})
-	var firstPartitionAssigned bool
-	var readyMutex sync.Mutex
 
 	go func() {
 		for {
@@ -269,63 +357,45 @@ func pull(group *config.ModuleGroup) {
 				return
 			}
 
-			readyMutex.Lock()
-			if !firstPartitionAssigned {
-				firstPartitionAssigned = true
-				close(processorReady)
-			}
-			readyMutex.Unlock()
-
 			partitionsWg.Add(1)
 			go processPartition(ctx, pc, agent.GroupName, &partitionsWg)
 		}
 	}()
 
+	processorDone := make(chan error, 1)
 	go func() {
-		if err := processor.Run(ctx); err != nil && !errors.Is(err, context.Canceled) {
-			_ = catcher.Error("error running Event Hub processor", err, map[string]any{
+		processorDone <- processor.Run(ctx)
+	}()
+
+	select {
+	case <-ctx.Done():
+	case err := <-processorDone:
+		if err != nil && !errors.Is(err, context.Canceled) {
+			_ = catcher.Error("processor stopped with error", err, map[string]any{
 				"group":   agent.GroupName,
 				"process": "plugin_com.utmstack.azure",
 			})
 		}
-
-		readyMutex.Lock()
-		if !firstPartitionAssigned {
-			firstPartitionAssigned = true
-			close(processorReady)
-		}
-		readyMutex.Unlock()
-	}()
-
-	select {
-	case <-processorReady:
-	case <-time.After(processorInitTimeout):
-		catcher.Info("processor initialization timeout reached", map[string]any{
-			"process": "plugin_com.utmstack.azure",
-		})
 	}
 
 	partitionsWg.Wait()
-
-	cancel()
-
-	time.Sleep(1 * time.Second)
 }
 
 func processPartition(ctx context.Context, pc *azeventhubs.ProcessorPartitionClient, groupName string, wg *sync.WaitGroup) {
 	defer wg.Done()
-	defer pc.Close(context.Background())
-
-	emptyBatchCount := 0
+	defer func() {
+		if err := pc.Close(context.Background()); err != nil {
+			_ = catcher.Error("error closing partition client", err, map[string]any{
+				"group":       groupName,
+				"partitionID": pc.PartitionID(),
+				"process":     "plugin_com.utmstack.azure",
+			})
+		}
+	}()
 
 	for {
 		select {
 		case <-ctx.Done():
-			catcher.Info("partition processing cancelled", map[string]any{
-				"group":   groupName,
-				"reason":  ctx.Err().Error(),
-				"process": "plugin_com.utmstack.azure",
-			})
 			return
 		default:
 		}
@@ -344,85 +414,18 @@ func processPartition(ctx context.Context, pc *azeventhubs.ProcessorPartitionCli
 		}
 
 		if len(events) == 0 {
-			emptyBatchCount++
-
-			if emptyBatchCount >= maxEmptyBatches {
-				catcher.Info("partition completed - no more events available", map[string]any{
-					"group":           groupName,
-					"emptyBatchCount": emptyBatchCount,
-					"process":         "plugin_com.utmstack.azure",
-				})
-				return
-			}
-
-			time.Sleep(emptyBatchWaitTime)
 			continue
 		}
 
-		emptyBatchCount = 0
-
 		for _, event := range events {
-			var logData map[string]any
-			if err := json.Unmarshal(event.Body, &logData); err != nil {
-				_ = catcher.Error("cannot parse event body", err, map[string]any{
-					"group":       groupName,
-					"partitionID": pc.PartitionID(),
-					"process":     "plugin_com.utmstack.azure",
-				})
-				continue
-			}
-
-			if records, ok := logData["records"].([]any); ok && len(records) > 0 {
-				for _, record := range records {
-					recordMap, ok := record.(map[string]any)
-					if !ok {
-						_ = catcher.Error("invalid record format in records array", nil, map[string]any{
-							"group":       groupName,
-							"partitionID": pc.PartitionID(),
-							"process":     "plugin_com.utmstack.azure",
-						})
-						continue
-					}
-
-					jsonLog, err := json.Marshal(recordMap)
-					if err != nil {
-						_ = catcher.Error("cannot encode record to JSON", err, map[string]any{
-							"group":       groupName,
-							"partitionID": pc.PartitionID(),
-							"process":     "plugin_com.utmstack.azure",
-						})
-						continue
-					}
-
-					plugins.EnqueueLog(&plugins.Log{
-						Id:         uuid.New().String(),
-						TenantId:   defaultTenant,
-						DataType:   "azure",
-						DataSource: groupName,
-						Timestamp:  time.Now().UTC().Format(time.RFC3339Nano),
-						Raw:        string(jsonLog),
-					}, "com.utmstack.azure")
-				}
-			} else {
-				jsonLog, err := json.Marshal(logData)
-				if err != nil {
-					_ = catcher.Error("cannot encode log to JSON", err, map[string]any{
-						"group":       groupName,
-						"partitionID": pc.PartitionID(),
-						"process":     "plugin_com.utmstack.azure",
-					})
-					continue
-				}
-
-				plugins.EnqueueLog(&plugins.Log{
-					Id:         uuid.New().String(),
-					TenantId:   defaultTenant,
-					DataType:   "azure",
-					DataSource: groupName,
-					Timestamp:  time.Now().UTC().Format(time.RFC3339Nano),
-					Raw:        string(jsonLog),
-				}, "com.utmstack.azure")
-			}
+			_ = plugins.EnqueueLog(&plugins.Log{
+				Id:         uuid.New().String(),
+				TenantId:   defaultTenant,
+				DataType:   "azure",
+				DataSource: groupName,
+				Timestamp:  time.Now().UTC().Format(time.RFC3339Nano),
+				Raw:        string(event.Body),
+			}, "com.utmstack.azure")
 		}
 
 		if err := pc.UpdateCheckpoint(context.Background(), events[len(events)-1], nil); err != nil {

From b21fdc008b5a52b2c3146d18b92659f5994789ef Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Wed, 11 Feb 2026 07:54:55 -0600
Subject: [PATCH 095/105] feat(assets-view): update sorting to prioritize asset
 status and add sorting on last input

Signed-off-by: Manuel Abascal 
---
 .../app/assets-discover/assets-view/assets-view.component.ts   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/frontend/src/app/assets-discover/assets-view/assets-view.component.ts b/frontend/src/app/assets-discover/assets-view/assets-view.component.ts
index 7a6e4a6f7..e5cd403d0 100644
--- a/frontend/src/app/assets-discover/assets-view/assets-view.component.ts
+++ b/frontend/src/app/assets-discover/assets-view/assets-view.component.ts
@@ -56,7 +56,7 @@ export class AssetsViewComponent implements OnInit, OnDestroy {
   loading = false;
   itemsPerPage = ITEMS_PER_PAGE;
   viewAssetDetail: NetScanType;
-  sortBy = AssetFieldEnum.ASSET_ID + ',asc';
+  sortBy = AssetFieldEnum.ASSET_IS_ALIVE + ',DESC';
   assetsFields: UtmFieldType[] = ASSETS_FIELDS;
   checkbox: any;
   assetFieldEnum = AssetFieldEnum;
@@ -144,6 +144,7 @@ export class AssetsViewComponent implements OnInit, OnDestroy {
       .subscribe( {
         next: (assets: NetScanType[]) => {
           this.assets = assets;
+          this.sortLastInput('desc');
           this.loading = false;
           this.cdr.markForCheck();
         },

From eab3e3d0c3bd0fd5b5b36870324c8b8e9c7985de Mon Sep 17 00:00:00 2001
From: JocLRojas 
Date: Wed, 11 Feb 2026 17:09:43 +0300
Subject: [PATCH 096/105] feat(azure-plugin): add JSON parsing and records
 array handling for Event Hub events

---
 plugins/azure/main.go | 70 ++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 62 insertions(+), 8 deletions(-)

diff --git a/plugins/azure/main.go b/plugins/azure/main.go
index c124baac2..1d53a0280 100644
--- a/plugins/azure/main.go
+++ b/plugins/azure/main.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
@@ -418,14 +419,67 @@ func processPartition(ctx context.Context, pc *azeventhubs.ProcessorPartitionCli
 		}
 
 		for _, event := range events {
-			_ = plugins.EnqueueLog(&plugins.Log{
-				Id:         uuid.New().String(),
-				TenantId:   defaultTenant,
-				DataType:   "azure",
-				DataSource: groupName,
-				Timestamp:  time.Now().UTC().Format(time.RFC3339Nano),
-				Raw:        string(event.Body),
-			}, "com.utmstack.azure")
+			var logData map[string]any
+			if err := json.Unmarshal(event.Body, &logData); err != nil {
+				_ = catcher.Error("cannot parse event body", err, map[string]any{
+					"group":       groupName,
+					"partitionID": pc.PartitionID(),
+					"process":     "plugin_com.utmstack.azure",
+				})
+				continue
+			}
+
+			if records, ok := logData["records"].([]any); ok && len(records) > 0 {
+				for _, record := range records {
+					recordMap, ok := record.(map[string]any)
+					if !ok {
+						_ = catcher.Error("invalid record format in records array", nil, map[string]any{
+							"group":       groupName,
+							"partitionID": pc.PartitionID(),
+							"process":     "plugin_com.utmstack.azure",
+						})
+						continue
+					}
+
+					jsonLog, err := json.Marshal(recordMap)
+					if err != nil {
+						_ = catcher.Error("cannot encode record to JSON", err, map[string]any{
+							"group":       groupName,
+							"partitionID": pc.PartitionID(),
+							"process":     "plugin_com.utmstack.azure",
+						})
+						continue
+					}
+
+					_ = plugins.EnqueueLog(&plugins.Log{
+						Id:         uuid.New().String(),
+						TenantId:   defaultTenant,
+						DataType:   "azure",
+						DataSource: groupName,
+						Timestamp:  time.Now().UTC().Format(time.RFC3339Nano),
+						Raw:        string(jsonLog),
+					}, "com.utmstack.azure")
+				}
+			} else {
+				jsonLog, err := json.Marshal(logData)
+				if err != nil {
+					_ = catcher.Error("cannot encode log to JSON", err, map[string]any{
+						"group":       groupName,
+						"partitionID": pc.PartitionID(),
+						"process":     "plugin_com.utmstack.azure",
+					})
+					continue
+				}
+
+				_ = plugins.EnqueueLog(&plugins.Log{
+					Id:         uuid.New().String(),
+					TenantId:   defaultTenant,
+					DataType:   "azure",
+					DataSource: groupName,
+					Timestamp:  time.Now().UTC().Format(time.RFC3339Nano),
+					Raw:        string(jsonLog),
+				}, "com.utmstack.azure")
+			}
 		}
 
 		if err := pc.UpdateCheckpoint(context.Background(), events[len(events)-1], nil); err != nil {

From b4a7201fa6f0f0125b9f5896dbf944f8ae593d87 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Wed, 11 Feb 2026 09:59:20 -0600
Subject: [PATCH 097/105] fix(vmware.steps): correct loghost syntax in syslog
 configuration commands

Signed-off-by: Manuel Abascal 
---
 .../app/app-module/guides/guide-vmware-syslog/vmware.steps.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/frontend/src/app/app-module/guides/guide-vmware-syslog/vmware.steps.ts b/frontend/src/app/app-module/guides/guide-vmware-syslog/vmware.steps.ts
index bd9eab66d..7808697e0 100644
--- a/frontend/src/app/app-module/guides/guide-vmware-syslog/vmware.steps.ts
+++ b/frontend/src/app/app-module/guides/guide-vmware-syslog/vmware.steps.ts
@@ -20,8 +20,8 @@ export const VMWARE_STEPS: Step[] = [
   {id: '11', name: 'Set new host configuration, specifying options to change, by running a command:',
     content: {
       id: 'stepContent11',
-      commands: ['esxcli system syslog config set --loghost=\'tcp://your_utmstack_agent_ip:7002’',
-                 'esxcli system syslog config set --logdir=/scratch/log --loghost=your_utmstack_agent_ip --logdir-unique=true']
+      commands: ['esxcli system syslog config set --loghost=\'tcp://your_utmstack_agent_ip:7002\'',
+                 'esxcli system syslog config set --logdir=/scratch/log --loghost=your_utmstack_agent_ip:7002 --logdir-unique=true']
     }
   },
   {id: '12', name: 'After making configuration changes, load the new configuration by running this command:',

From 0865792aa22c90d38b25572ddf66255acf1525ea Mon Sep 17 00:00:00 2001
From: Yadian Llada Lopez 
Date: Wed, 11 Feb 2026 12:26:22 -0500
Subject: [PATCH 098/105] feat(bitdefender_gz): update filter version to 3.0.2
 and enhance grok patterns for log parsing

---
 filters/antivirus/bitdefender_gz.yml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/filters/antivirus/bitdefender_gz.yml b/filters/antivirus/bitdefender_gz.yml
index d53d1b110..927236e39 100644
--- a/filters/antivirus/bitdefender_gz.yml
+++ b/filters/antivirus/bitdefender_gz.yml
@@ -1,4 +1,4 @@
-# Bitdefender GravityZone filter, version 3.0.1
+# Bitdefender GravityZone filter, version 3.0.2
 # Based on https://www.bitdefender.com/business/support/en/77212-237089-event-types.html
 # and the previous version of the same filter
 
@@ -101,6 +101,14 @@ pipeline:
               pattern: '{{.greedy}}'
           source: raw
 
+      - grok:
+          patterns:
+            - fieldName: log.cefVersion
+              pattern: 'CEF\:{{.integer}}'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
       # Using grok to parse components of the cef_message
       - grok:
           patterns:
@@ -116,7 +124,7 @@ pipeline:
               pattern: '{{.data}}\|'
             - fieldName: log.severity
               pattern: '{{.data}}\|'
-            - fieldName: log.irrelevant
+            - fieldName: log.restData
               pattern: '{{.greedy}}'
           source: log.restData
 
@@ -253,4 +261,5 @@ pipeline:
             - log.sproc
             - log.filePath
             - log.dvc
-            - log.request
\ No newline at end of file
+            - log.request
+            - log.dvcToParse
\ No newline at end of file

From be153b2b57314372bb51fc2f04ac3b69c45d5390 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Wed, 11 Feb 2026 11:27:29 -0600
Subject: [PATCH 099/105] feat: update update bit defender filter

---
 ...20260211001_update_filter_bit_defender.xml | 21 +++++++++++++++++++
 .../resources/config/liquibase/master.xml     |  2 ++
 2 files changed, 23 insertions(+)
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml

diff --git a/backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml b/backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml
new file mode 100644
index 000000000..1fe3b6710
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml
@@ -0,0 +1,21 @@
+
+
+
+    
+
+        
+            
+        
+    
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml
index 39767b5ac..36bbcc7e0 100644
--- a/backend/src/main/resources/config/liquibase/master.xml
+++ b/backend/src/main/resources/config/liquibase/master.xml
@@ -405,6 +405,8 @@
 
     
 
+    
+
 
 
 

From 3fb01f379e0528a957db8d7d9088e5f85d3b3fcb Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Wed, 11 Feb 2026 11:31:38 -0600
Subject: [PATCH 100/105] feat: update update bit defender filter

---
 ...20260211001_update_filter_bit_defender.xml | 268 +++++++++++++++++-
 1 file changed, 266 insertions(+), 2 deletions(-)

diff --git a/backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml b/backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml
index 1fe3b6710..c6b41c762 100644
--- a/backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml
+++ b/backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml
@@ -12,9 +12,273 @@
             UPDATE public.utm_logstash_filter
             SET filter_version='3.0.2',
                 updated_at = now(),
-                logstash_filter = $$
+                logstash_filter = $$ # Bitdefender GravityZone filter, version 3.0.2
+# Based on https://www.bitdefender.com/business/support/en/77212-237089-event-types.html
+# and the previous version of the same filter
+
+pipeline:
+  - dataTypes:
+      - antivirus-bitdefender-gz
+    steps:
+      # Using grok to parse header of the message
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.syslogVersion
+              pattern: '{{.integer}}'
+            - fieldName: log.syslogDeviceTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
+            - fieldName: log.syslogHostIP
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}'
+            - fieldName: log.notDefined
+              pattern: '{{.integer}}'
+            - fieldName: log.0trash
+              pattern: '{{.word}}\:{{.integer}}'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.syslogVersion
+              pattern: '{{.integer}}'
+            - fieldName: log.syslogDeviceTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
+            - fieldName: log.hostId
+              pattern: '{{.word}}'
+            - fieldName: log.0trash
+              pattern: '{{.word}}'
+            - fieldName: log.processPid
+              pattern: '\[{{.integer}}\]'
+            - fieldName: log.1trash
+              pattern: '{{.word}}\:{{.integer}}'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.syslogDeviceTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
+            - fieldName: log.hostId
+              pattern: '{{.word}}'
+            - fieldName: log.0trash
+              pattern: '{{.word}}'
+            - fieldName: log.processPid
+              pattern: '\[{{.integer}}\]'
+            - fieldName: log.1trash
+              pattern: '{{.word}}\:{{.integer}}'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.syslogVersion
+              pattern: '{{.integer}}'
+            - fieldName: log.syslogDeviceTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
+            - fieldName: log.syslogHostIP
+              pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}'
+            - fieldName: log.0trash
+              pattern: '{{.word}}\:{{.integer}}'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.syslogVersion
+              pattern: '{{.integer}}'
+            - fieldName: log.syslogDeviceTime
+              pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.syslogPriority
+              pattern: '\<{{.data}}\>'
+            - fieldName: log.0trash
+              pattern: '{{.word}}\:{{.integer}}'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
+      - grok:
+          patterns:
+            - fieldName: log.cefVersion
+              pattern: 'CEF\:{{.integer}}'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: raw
+
+      # Using grok to parse components of the cef_message
+      - grok:
+          patterns:
+            - fieldName: log.productVendor
+              pattern: '\|{{.data}}\|'
+            - fieldName: log.product
+              pattern: '{{.data}}\|'
+            - fieldName: log.productVersion
+              pattern: '{{.data}}\|'
+            - fieldName: log.signatureID
+              pattern: '{{.data}}\|'
+            - fieldName: log.eventType
+              pattern: '{{.data}}\|'
+            - fieldName: log.severity
+              pattern: '{{.data}}\|'
+            - fieldName: log.restData
+              pattern: '{{.greedy}}'
+          source: log.restData
+
+      # Using grok to parse kv issued fields with space
+      - grok:
+          patterns:
+            - fieldName: log.2trash
+              pattern: '{{.data}}dvc='
+            - fieldName: log.dvcToParse
+              pattern: '{{.data}}{{.word}}\='
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.restData
+
+      - grok:
+          patterns:
+            - fieldName: log.2trash
+              pattern: '{{.data}}request='
+            - fieldName: log.requestToParse
+              pattern: '{{.data}}{{.word}}\='
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.restData
+
+      # Applying grok to remove unnecessary data
+      - grok:
+          patterns:
+            - fieldName: log.deviceIps
+              pattern: '{{.greedy}}{{.space}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.dvcToParse
+
+      - grok:
+          patterns:
+            - fieldName: log.requested
+              pattern: '{{.greedy}}{{.space}}'
+            - fieldName: log.irrelevant
+              pattern: '{{.greedy}}'
+          source: log.requestToParse
+
+      # Using the kv filter with default config, usefull in key-value logs
+      - kv:
+          fieldSplit: " "
+          valueSplit: "="
+          source: log.restData
+
+      # Renaming useful fields
+      - rename:
+          from:
+            - log.spt
+          to: origin.port
+
+      - rename:
+          from:
+            - log.src
+          to: origin.ip
+
+      - rename:
+          from:
+            - log.sproc
+          to: origin.path
+
+      - rename:
+          from:
+            - log.filePath
+          to: origin.path
+
+      # Removing unnecessary characters
+      - trim:
+          function: prefix
+          substring: '|'
+          fields:
+            - log.productVendor
+
+      - trim:
+          function: suffix
+          substring: '|'
+          fields:
+            - log.productVendor
+            - log.product
+            - log.productVersion
+            - log.signatureID
+            - log.eventType
+            - log.severityLabel
+
+      - trim:
+          function: prefix
+          substring: '<'
+          fields:
+            - log.syslogPriority
+
+      - trim:
+          function: suffix
+          substring: '>'
+          fields:
+            - log.syslogPriority
+
+      - trim:
+          function: prefix
+          substring: '['
+          fields:
+            - log.processPid
+
+      - trim:
+          function: suffix
+          substring: ']'
+          fields:
+            - log.processPid
+
+      # Adding geolocation to origin ip
+      - dynamic:
+          plugin: com.utmstack.geolocation
+          params:
+            source: origin.ip
+            destination: origin.geolocation
+          where: exists("origin.ip")
+
+      # Reformat and field conversions
+      - cast:
+          fields:
+            - origin.port
+          to: int
+
+      # Removing unused fields
+      - delete:
+          fields:
+            - log.0trash
+            - log.1trash
+            - log.restData
+            - log.irrelevant
+            - log.spt
+            - log.src
+            - log.sproc
+            - log.filePath
+            - log.dvc
+            - log.request
+            - log.dvcToParse
                 $$
-	WHERE id = 1524;
+	WHERE id = 1514;
             ]]>
         
     

From fc75297300a3fde3a3911b1f5ff745c6a31008ac Mon Sep 17 00:00:00 2001
From: Yadian Llada Lopez 
Date: Wed, 11 Feb 2026 13:01:10 -0500
Subject: [PATCH 101/105] fix(bitdefender_gz): update log severity field and
 add additional trash fields

---
 filters/antivirus/bitdefender_gz.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/filters/antivirus/bitdefender_gz.yml b/filters/antivirus/bitdefender_gz.yml
index 927236e39..e8605dc75 100644
--- a/filters/antivirus/bitdefender_gz.yml
+++ b/filters/antivirus/bitdefender_gz.yml
@@ -209,7 +209,7 @@ pipeline:
             - log.productVersion
             - log.signatureID
             - log.eventType
-            - log.severityLabel
+            - log.severity
 
       - trim:
           function: prefix
@@ -254,6 +254,7 @@ pipeline:
           fields:
             - log.0trash
             - log.1trash
+            - log.2trash
             - log.restData
             - log.irrelevant
             - log.spt
@@ -262,4 +263,5 @@ pipeline:
             - log.filePath
             - log.dvc
             - log.request
-            - log.dvcToParse
\ No newline at end of file
+            - log.dvcToParse
+            - log.cefVersion
\ No newline at end of file

From fa23d4d57ba26a54114b7095ee06b93d3f090945 Mon Sep 17 00:00:00 2001
From: JocLRojas 
Date: Wed, 11 Feb 2026 21:14:06 +0300
Subject: [PATCH 102/105] update netflow filter

---
 filters/netflow/netflow.yml | 49 +++++++++++++++++++------------------
 1 file changed, 25 insertions(+), 24 deletions(-)

diff --git a/filters/netflow/netflow.yml b/filters/netflow/netflow.yml
index 7fecd53fe..a92c36581 100644
--- a/filters/netflow/netflow.yml
+++ b/filters/netflow/netflow.yml
@@ -48,97 +48,97 @@ pipeline:
       - grok:
           patterns:
             - fieldName: log.irrelevant
-              pattern: '{{.data}}bytes="['
+              pattern: '{{.data}}bytes="\['
             - fieldName: log.totalBytes
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant1
-              pattern: '{{.data}}packets="['
+              pattern: '{{.data}}packets="\['
             - fieldName: log.totalPackets
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant2
-              pattern: '{{.data}}inEth="['
+              pattern: '{{.data}}inEth="\['
             - fieldName: log.inEthernet
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant3
-              pattern: '{{.data}}outEth="['
+              pattern: '{{.data}}outEth="\['
             - fieldName: log.outEthernet
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant4
-              pattern: '{{.data}}proto="/['
+              pattern: '{{.data}}proto="\['
             - fieldName: protocol
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant5
-              pattern: '{{.data}}srcPort="['
+              pattern: '{{.data}}srcPort="\['
             - fieldName: log.srcPortg
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant6
-              pattern: '{{.data}}dstPort="['
+              pattern: '{{.data}}dstPort="\['
             - fieldName: log.dstPortg
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant7
-              pattern: '{{.data}}dstMask="['
+              pattern: '{{.data}}dstMask="\['
             - fieldName: log.destMask
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant8
-              pattern: '{{.data}}srcMask="['
+              pattern: '{{.data}}srcMask="\['
             - fieldName: log.sourceMask
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant9
-              pattern: '{{.data}}tcpFlags="['
+              pattern: '{{.data}}tcpFlags="\['
             - fieldName: log.tcpFlgs
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant10
-              pattern: '{{.data}}dstAs="['
+              pattern: '{{.data}}dstAs="\['
             - fieldName: log.destAs
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant11
-              pattern: '{{.data}}srcAs="['
+              pattern: '{{.data}}srcAs="\['
             - fieldName: log.sourceAs
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       # Rename filds
@@ -260,6 +260,7 @@ pipeline:
             - log.tcpFlags
             - log.dstAs
             - log.srcAs
+            - log.dstPort
             - log.irrelevant
             - log.irrelevant1
             - log.irrelevant2

From 326c4dae1558693c28ed2777a8923aef5427f20c Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Wed, 11 Feb 2026 12:10:17 -0600
Subject: [PATCH 103/105] feat: update update bit defender filter

---
 .../20260211002_update_utm_correlation_seq.xml   | 16 ++++++++++++++++
 .../main/resources/config/liquibase/master.xml   |  2 ++
 2 files changed, 18 insertions(+)
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml

diff --git a/backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml b/backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml
new file mode 100644
index 000000000..37936cbe4
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml
@@ -0,0 +1,16 @@
+
+
+
+    
+
+        
+            
+        
+    
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml
index 36bbcc7e0..c9be8b847 100644
--- a/backend/src/main/resources/config/liquibase/master.xml
+++ b/backend/src/main/resources/config/liquibase/master.xml
@@ -407,6 +407,8 @@
 
     
 
+    
+
 
 
 

From 49872b0a6444df4c68307e247fea3729f436b2f1 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Wed, 11 Feb 2026 12:23:40 -0600
Subject: [PATCH 104/105] feat: update Netflow filter update and modify Bit
 Defender filter configuration

---
 ...20260211001_update_filter_bit_defender.xml |   4 +-
 ...20260211002_update_utm_correlation_seq.xml |   2 +-
 .../20260211003_update_filter_netflow.xml     | 294 ++++++++++++++++++
 .../resources/config/liquibase/master.xml     |   2 +
 4 files changed, 300 insertions(+), 2 deletions(-)
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20260211003_update_filter_netflow.xml

diff --git a/backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml b/backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml
index c6b41c762..d7257df07 100644
--- a/backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml
+++ b/backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml
@@ -223,7 +223,7 @@ pipeline:
             - log.productVersion
             - log.signatureID
             - log.eventType
-            - log.severityLabel
+            - log.severity
 
       - trim:
           function: prefix
@@ -268,6 +268,7 @@ pipeline:
           fields:
             - log.0trash
             - log.1trash
+            - log.2trash
             - log.restData
             - log.irrelevant
             - log.spt
@@ -277,6 +278,7 @@ pipeline:
             - log.dvc
             - log.request
             - log.dvcToParse
+            - log.cefVersion
                 $$
 	WHERE id = 1514;
             ]]>
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml b/backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml
index 37936cbe4..a5fdfa105 100644
--- a/backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml
+++ b/backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml
@@ -9,7 +9,7 @@
         
             
         
     
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260211003_update_filter_netflow.xml b/backend/src/main/resources/config/liquibase/changelog/20260211003_update_filter_netflow.xml
new file mode 100644
index 000000000..ef9a37575
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260211003_update_filter_netflow.xml
@@ -0,0 +1,294 @@
+
+
+
+    
+
+        
+            
+        
+    
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml
index c9be8b847..a1ba2df2f 100644
--- a/backend/src/main/resources/config/liquibase/master.xml
+++ b/backend/src/main/resources/config/liquibase/master.xml
@@ -409,6 +409,8 @@
 
     
 
+    
+
 
 
 

From 54c33da293ea20d5729b636b804d468358779f07 Mon Sep 17 00:00:00 2001
From: Manuel Abascal 
Date: Wed, 11 Feb 2026 12:33:01 -0600
Subject: [PATCH 105/105] feat: update Netflow filter update and modify Bit
 Defender filter configuration

---
 ...20260211002_update_utm_correlation_seq.xml |  2 +-
 .../20260211003_update_filter_netflow.xml     | 49 ++++++++++---------
 2 files changed, 26 insertions(+), 25 deletions(-)

diff --git a/backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml b/backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml
index a5fdfa105..50ae828bb 100644
--- a/backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml
+++ b/backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml
@@ -9,7 +9,7 @@
         
             
         
     
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260211003_update_filter_netflow.xml b/backend/src/main/resources/config/liquibase/changelog/20260211003_update_filter_netflow.xml
index ef9a37575..44e923b60 100644
--- a/backend/src/main/resources/config/liquibase/changelog/20260211003_update_filter_netflow.xml
+++ b/backend/src/main/resources/config/liquibase/changelog/20260211003_update_filter_netflow.xml
@@ -62,97 +62,97 @@ pipeline:
       - grok:
           patterns:
             - fieldName: log.irrelevant
-              pattern: '{{.data}}bytes="['
+              pattern: '{{.data}}bytes="\['
             - fieldName: log.totalBytes
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant1
-              pattern: '{{.data}}packets="['
+              pattern: '{{.data}}packets="\['
             - fieldName: log.totalPackets
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant2
-              pattern: '{{.data}}inEth="['
+              pattern: '{{.data}}inEth="\['
             - fieldName: log.inEthernet
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant3
-              pattern: '{{.data}}outEth="['
+              pattern: '{{.data}}outEth="\['
             - fieldName: log.outEthernet
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant4
-              pattern: '{{.data}}proto="/['
+              pattern: '{{.data}}proto="\['
             - fieldName: protocol
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant5
-              pattern: '{{.data}}srcPort="['
+              pattern: '{{.data}}srcPort="\['
             - fieldName: log.srcPortg
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant6
-              pattern: '{{.data}}dstPort="['
+              pattern: '{{.data}}dstPort="\['
             - fieldName: log.dstPortg
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant7
-              pattern: '{{.data}}dstMask="['
+              pattern: '{{.data}}dstMask="\['
             - fieldName: log.destMask
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant8
-              pattern: '{{.data}}srcMask="['
+              pattern: '{{.data}}srcMask="\['
             - fieldName: log.sourceMask
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant9
-              pattern: '{{.data}}tcpFlags="['
+              pattern: '{{.data}}tcpFlags="\['
             - fieldName: log.tcpFlgs
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant10
-              pattern: '{{.data}}dstAs="['
+              pattern: '{{.data}}dstAs="\['
             - fieldName: log.destAs
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       - grok:
           patterns:
             - fieldName: log.irrelevant11
-              pattern: '{{.data}}srcAs="['
+              pattern: '{{.data}}srcAs="\['
             - fieldName: log.sourceAs
-              pattern: '{{.data}}]"'
+              pattern: '{{.data}}\]"'
           source: raw
 
       # Rename filds
@@ -274,6 +274,7 @@ pipeline:
             - log.tcpFlags
             - log.dstAs
             - log.srcAs
+            - log.dstPort
             - log.irrelevant
             - log.irrelevant1
             - log.irrelevant2