rule "firepower sensors rule"
when
has_field("message")
then
let message_field = to_string($message.message);
let fps0 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{WORD:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{WORD:ingress_intf}, IngressZone: %{WORD:ingress_zone}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, Client: %{DATA:client}, ApplicationProtocol: %{DATA:app_protocol}, FileCount: %{DATA:host}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, HTTPResponse: %{NUMBER:http_response}, ReferencedHost: %{DATA:referenced_host}, URLCategory: %{DATA:url_category}, URLReputation: %{DATA:url_reputation}, URL: %{GREEDYDATA:url}", value: message_field, only_named_captures: true);
let fps1 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{WORD:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{WORD:ingress_intf}, IngressZone: %{WORD:ingress_zone}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, UserAgent: %{DATA:user_agent}, Client: %{DATA:client}, ApplicationProtocol: %{DATA:app_protocol}, FileCount: %{DATA:host}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, HTTPResponse: %{NUMBER:http_response}, ReferencedHost: %{DATA:referenced_host}, URLCategory: %{DATA:url_category}, URLReputation: %{DATA:url_reputation}, URL: %{GREEDYDATA:url}", value: message_field, only_named_captures: true);
let fps2 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{WORD:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{WORD:ingress_intf}, IngressZone: %{WORD:ingress_zone}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, Client: %{DATA:client}, ApplicationProtocol: %{DATA:app_protocol}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSRecordType: %{DATA:dns_record_type}, DNSResponseType: %{DATA:dns_response_type}, DNS_TTL: %{DATA:dns_ttl}, Sinkhole: %{WORD:sinkhole}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps3 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{WORD:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{WORD:ingress_intf}, IngressZone: %{WORD:ingress_zone}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, AccessControlRuleReason: %{DATA:access_ctrl_reason}, Prefilter Policy: %{DATA:prefilter_policy}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, SecIntMatchingIP: %{DATA:sec_int_match_IP}, IPReputationSICategory: %{DATA:reputation_IP_category}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps4 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{WORD:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{WORD:ingress_intf}, IngressZone: %{WORD:ingress_zone}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps5 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{WORD:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{WORD:ingress_intf}, IngressZone: %{WORD:ingress_zone}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, URLCategory: %{DATA:url_category}, URLReputation: %{DATA:url_reputation}, URL: %{GREEDYDATA:url}", value: message_field, only_named_captures: true);
let fps6 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, ICMPType: %{DATA:icmp_type}, ICMPCode: %{DATA:icmp_code}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{WORD:ingress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, Client: %{DATA:client}, ApplicationProtocol: %{DATA:app_protocol}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps7 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{DATA:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{DATA:sinkhole}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps8 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, ICMPType: %{DATA:icmp_type}, ICMPCode: %{DATA:icmp_code}, TCPFlags: %{DATA:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{DATA:sinkhole}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps9 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, TCPFlags: %{DATA:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, Client: %{DATA:client}, ApplicationProtocol: %{DATA:app_protocol}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{DATA:sinkhole}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps10 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, EgressInterface: %{DATA:egress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, AccessControlRuleReason: %{DATA:access_ctrl_reason}, Prefilter Policy: %{DATA:prefilter_policy}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, Context: %{DATA:context}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, SecIntMatchingIP: %{DATA:sec_int_match_IP}, IPReputationSICategory: %{DATA:reputation_IP_category}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps11 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, AccessControlRuleReason: %{DATA:access_ctrl_reason}, Prefilter Policy: %{DATA:prefilter_policy}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{DATA:sinkhole}, IPReputationSICategory: %{DATA:reputation_IP_category}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps12 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, TCPFlags: %{DATA:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps13 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, ICMPType: %{DATA:icmp_type}, ICMPCode: %{DATA:icmp_code}, TCPFlags: %{DATA:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, EgressInterface: %{DATA:egress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, AccessControlRuleReason: %{DATA:access_ctrl_reason}, Prefilter Policy: %{DATA:prefilter_policy}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, Context: %{DATA:context}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, SecIntMatchingIP: %{DATA:sec_int_match_IP}, IPReputationSICategory: %{DATA:reputation_IP_category}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps14 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, ICMPType: %{DATA:icmp_type}, ICMPCode: %{DATA:icmp_code}, TCPFlags: %{DATA:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, AccessControlRuleReason: %{DATA:access_ctrl_reason}, Prefilter Policy: %{DATA:prefilter_policy}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, SecIntMatchingIP: %{DATA:sec_int_match_IP}, IPReputationSICategory: %{DATA:reputation_IP_category}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps15 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, ICMPType: %{DATA:icmp_type}, ICMPCode: %{DATA:icmp_code}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{WORD:ingress_intf}, IngressZone: %{WORD:ingress_zone}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, AccessControlRuleReason: %{DATA:access_ctrl_reason}, Prefilter Policy: %{DATA:prefilter_policy}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, IPReputationSICategory: %{DATA:reputation_IP_category}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps16 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, EgressInterface: %{DATA:egress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, Client: %{DATA:client}, ApplicationProtocol: %{DATA:app_protocol}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, Context: %{DATA:context}, NAPPolicy: %{DATA:net_analysis_policy}, DNSRery: %{DATA:reputation_IP_category}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps17 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, EgressInterface: %{DATA:egress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, Client: %{DATA:client}, ApplicationProtocol: %{DATA:app_protocol}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, Context: %{DATA:context}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, URLCategory: %{GREEDYDATA:url_category}", value: message_field, only_named_captures: true);
let fps18 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, EgressInterface: %{DATA:egress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, Client: %{DATA:client}, ApplicationProtocol: %{DATA:app_protocol}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, Context: %{DATA:context}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{GREEDYDATA:sinkhole}", value: message_field, only_named_captures: true);
let fps19 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, EgressInterface: %{DATA:egress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, AccessControlRuleReason: %{DATA:access_ctrl_reason}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, UserAgent: %{DATA:user_agent}, ApplicationProtocol: %{DATA:app_protocol}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, Context: %{DATA:context}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, URLSICategory: %{DATA:url_security_category}, URLCategory: %{DATA:url_category}, URLReputation: %{DATA:url_reputation}, URL: %{GREEDYDATA:url}", value: message_field, only_named_captures: true);
let fps20 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, ICMPType: %{DATA:icmp_type}, ICMPCode: %{DATA:icmp_code}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, EgressInterface: %{DATA:egress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, Client: %{DATA:client}, ApplicationProtocol: %{DATA:app_protocol}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, Context: %{DATA:context}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}", value: message_field, only_named_captures: true);
let fps21 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, EgressInterface: %{DATA:egress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, Client: %{DATA:client}, ApplicationProtocol: %{DATA:app_protocol}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, Context: %{DATA:context}, NAPPolicy: %{DATA:net_analysis_policy}, DNSQuery: %{DATA:dns_query}, DNSRecordType: %{GREEDYDATA:dns_record_type}", value: message_field, only_named_captures: true);
let fps22 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, EgressInterface: %{DATA:egress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, Client: %{DATA:client}, ApplicationProtocol: %{DATA:app_protocol}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, Context: %{DATA:context}, NAPPolicy: %{DATA:net_analysis_policy}, DNry: %{DATA:dns_query}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
let fps23 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, EgressInterface: %{DATA:egress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, Client: %{DATA:client}, ApplicationProtocol: %{DATA:app_protocol}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, Context: %{DATA:context}, NAPPolicy: %{DATA:net_analysis_policy}, DNSQuery: %{GREEDYDATA:dns_query}", value: message_field, only_named_captures: true);
let fps24 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, EgressInterface: %{DATA:egress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, Context: %{DATA:context}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, SecIntMatchingIP: %{DATA:sec_int_match_IP}, IPReputationSICategory: %{DATA:reputation_IP_category}, URLCategory: %{GREEDYDATA:url_category}", value: message_field, only_named_captures: true);
let fps25 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, Dst: %{DATA:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, EgressInterface: %{DATA:egress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleAction: %{DATA:access_ctrl_action}, Prefilter Policy: %{DATA:prefilter_policy}, UserName: %{DATA:user_name}, Client: %{DATA:client}, ApplicationProtocol: %{DATA:app_protocol}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, Context: %{DATA:context}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, URLCategory: %{GREEDYDATA:url_category}", value: message_field, only_named_captures: true);
let fps26 = grok(pattern: "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:UNWANTED}: Protocol: %{DATA:protocol}, SrcIP: %{IP:src_ip}, OriginalClientIP: %{IP:original_IP}, DstIP: %{IP:dst_ip}, SrcPort: %{NUMBER:src_port}, DstPort: %{NUMBER:dst_port}, TCPFlags: %{WORD:tcp_flags}, IngressInterface: %{DATA:ingress_intf}, EgressInterface: %{DATA:egress_intf}, DE: %{DATA:primary_det_engine}, Policy: %{DATA:policy}, ConnectType: %{DATA:connect_type}, AccessControlRuleName: %{DATA:access_ctrl_name}, AccessControlRuleReason: %{DATA:access_ctrl_reason}, Prefilter Policy: %{DATA:prefilter_policy}, InitiatorPackets: %{DATA:initiator_packets}, ResponderPackets: %{DATA:responder_packets}, InitiatorBytes: %{DATA:initiator_bytes}, ResponderBytes: %{DATA:responder_bytes}, NAPPolicy: %{DATA:net_analysis_policy}, DNSResponseType: %{DATA:dns_response_type}, Sinkhole: %{WORD:sinkhole}, SecIntMatchingIP: %{DATA:sec_int_match_IP}, IPReputationSICategory: %{DATA:reputation_IP_category}, URLCategory: %{DATA:url_category}, URLReputation: %{GREEDYDATA:url_reputation}", value: message_field, only_named_captures: true);
set_fields(fps0);
set_fields(fps1);
set_fields(fps2);
set_fields(fps3);
set_fields(fps4);
set_fields(fps5);
set_fields(fps6);
set_fields(fps7);
set_fields(fps8);
set_fields(fps9);
set_fields(fps10);
set_fields(fps11);
set_fields(fps12);
set_fields(fps13);
set_fields(fps14);
set_fields(fps15);
set_fields(fps16);
set_fields(fps17);
set_fields(fps18);
set_fields(fps19);
set_fields(fps20);
set_fields(fps21);
set_fields(fps22);
set_fields(fps23);
set_fields(fps24);
set_fields(fps25);
set_fields(fps26);
end