Collect Fortinet Firewall logs

Supported in:

Google secops Siem

This document explains how to export Fortinet Firewall logs by setting up the Bindplane agent and how log fields map to Google SecOps Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google SecOps overview.

A typical deployment consists of Fortinet Firewall and the Bindplane agent configured to send logs to Google SecOps. Each customer deployment can differ and might be more complex.

The deployment contains the following components:

Fortinet Firewall: The platform from which you collect logs.
Bindplane agent: The Bindplane agent fetches logs from Fortinet Firewall and sends logs to Google SecOps.
Google SecOps: Retains and analyzes the logs.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the FORTINET_FIREWALL label.

Install and configure the feed

Use FortiOS 7.6.2 or later and verify that you have set up your FortiGate for initial management access to the platform. For more information, see Set up Fortigate.
Make sure that all systems in the deployment architecture are configured in the UTC time zone.

Configure syslog on the Fortigate platform:

To configure syslog, use the following steps:

Log in to the FortiGate platform.
Select Log & Report to expand the menu.
Select Log Settings.
Turn on the Send Logs to Syslog toggle.
Enter the Syslog Collector IP address.
Select Apply. For information about configuration, see Configure Syslog on FortiGate From the GUI.

Forward logs to Google SecOps using the Bindplane agent

Install and set up a Linux Virtual Machine.
Install and configure the Bindplane agent on Linux to forward logs to Google SecOps. For more information about how to install and configure the Bindplane agent, see the Bindplane agent installation and configuration instructions.

If you encounter issues when you create feeds, contact Google SecOps support.

UDM Mapping Table

Field mapping reference: Fortinet_Firewall - Common Fields

The following table lists common fields of the Common Schema Field Mapping log type and their corresponding UDM fields.

Log field	UDM mapping	Logic
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Fortinet`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Fortigate`.
`filehash`	`about.file.sha256`	If the `filehash` log field value matches the regular expression pattern `(?<_hash>^[0-9a-f]+$)` then, `filehash` log field is mapped to the `about.file.sha256` UDM field. Else, `filehash` log field is mapped to the `about.file.full_path` UDM field.
`nat`	`about.nat_ip`
`pdstport`	`about.port`
`subject`	`about.process.command_line`
`process`	`about.process.product_specific_process_id`
`policy_id`	`about.resource.product_object_id`	The `about.resource.resource_type` UDM field is set to `FIREWALL_RULE`.
`policymode`	`about.resource.resource_subtype`
`psrcport`	`about.port`
`appact`	`additional.fields[appact]`
`appcat`	`additional.fields[appcat]`
`applist`	`additional.fields[applist]`
`apprisk`	`additional.fields[apprisk]`
`bandwidth`	`additional.fields[bandwidth]`
`bibandwidthavailable`	`additional.fields[bibandwidthavailable]`
`bibandwidthused`	`additional.fields[bibandwidthused]`
`cfgattr`	`additional.fields[cfgattr]`
`cfgpath`	`additional.fields[cfgpath]`
`column`	`additional.fields[column]`
`comment`	`additional.fields[comment]`
`core`	`additional.fields[core]`
`count`	`additional.fields[count]`
`cipher`	`additional.fields[cipher]`
`cpu`	`additional.fields[cpu]`
`crl`	`additional.fields[crl]`
`datarange`	`additional.fields[datarange]`
`devtype`	`additional.fields[devtype]`
`dintf`	`additional.fields[dint]`
`disk`	`additional.fields[disk]`
`disklograte`	`additional.fields[disklograte]`
`dlpextra`	`additional.fields[dlpextra]`
`docsource`	`additional.fields[docsource]`
`domainfilteridx`	`additional.fields[domainfilteridx]`
`domainfilterlist`	`additional.fields[domainfilterlist]`
`downbandwidthmeasured`	`additional.fields[downbandwidthmeasured]`
`ds`	`additional.fields[ds]`
`dst_int`	`additional.fields[dst_int]`
`dstdevtype`	`additional.fields[dstdevtype]`
`dstfamily`	`additional.fields[dstfamily]`
`dstssid`	`additional.fields[dstssid]`
`dstunauthusersource`	`additional.fields[dstunauthusersource]`
`deviceExternalId`	`additional.fields[deviceExternalId]`
`dtlexp`	`additional.fields[dtlexp]`
`espauth`	`additional.fields[espauth]`
`eapoltype`	`additional.fields[eapoltype]`
`emsconnection`	`additional.fields[emsconnection]`
`emstag`	`additional.fields[emstag]`
`emstag2`	`additional.fields[emstag2]`
`encrypt`	`additional.fields[encrypt]`
`encryption`	`additional.fields[encryption]`
`epoch`	`additional.fields[epoch]`
`error_num`	`additional.fields[error_num]`
`esptransform`	`additional.fields[esptransform]`
`eventId`	`additional.fields[eventId]`
`expiry`	`additional.fields[expiry]`
`extension`	`additional.fields[extension]`
`extinvalid`	`additional.fields[extinvalid]`
`exttotal`	`additional.fields[exttotal]`
`failuredev`	`additional.fields[failuredev]`
`fams_pause`	`additional.fields[fams_pause]`
`fazlograte`	`additional.fields[fazlograte]`
`fctemsname`	`additional.fields[fctemsname]`
`fctemssn`	`additional.fields[fctemssn]`
`fctuid`	`additional.fields[fctuid]`
`field`	`additional.fields[field]`
`frametype`	`additional.fields[frametype]`
`freediskstorage`	`additional.fields[freediskstorage]`
`from_vcluster`	`additional.fields[from_vcluster]`
`from6`	`additional.fields[from6]`
`ftlkintf`	`additional.fields[ftlkintf]`
`fwdsrv`	`additional.fields[fwdsrv]`
`fwserver_name`	`additional.fields[fwserver_name]`
`green`	`additional.fields[green]`
`handshake`	`additional.fields[handshake]`
`headerteid`	`additional.fields[headerteid]`
`hostkeystatus`	`additional.fields[headerteid]`
`healthcheck`	`additional.fields[healthcheck]`
`hseid`	`additional.fields[hseid]`
`iaid`	`additional.fields[iaid]`
`icmpcode`	`additional.fields[icmpcode]`
`icmpid`	`additional.fields[icmpid]`
`icmptype`	`additional.fields[icmptype]`
`identifier`	`additional.fields[identifier]`
`ietype`	`additional.fields[ietype]`
`interface`	`additional.fields[interface]`
`intf`	`additional.fields[intf]`
`invalidmac`	`additional.fields[invalidmac]`
`iptype`	`additional.fields[iptype]`
`itype`	`additional.fields[itype]`
`jitter`	`additional.fields[jitter]`
`keyword`	`additional.fields[keyword]`
`latency`	`additional.fields[latency]`
`limit`	`additional.fields[limit]`
`line`	`additional.fields[line]`
`linked-nsapi`	`additional.fields[linked-nsapi]`
`localdevcount`	`additional.fields[localdevcount]`
`log`	`additional.fields[log]`
`logid`	`additional.fields[logid]`
`logsrc`	`additional.fields[logsrc]`
`mastersrcmac`	`additional.fields[mastersrcmac]`
`masterdstmac`	`additional.fields[masterdstmac]`
`mem`	`additional.fields[mem]`
`member`	`additional.fields[member]`
`meshmode`	`additional.fields[meshmode]`
`messageid`	`additional.fields[messageid]`
`mitm`	`additional.fields[mitm]`
`model`	`additional.fields[model]`
`module`	`additional.fields[module]`
`moscodec`	`additional.fields[moscodec]`
`mosvalue`	`additional.fields[mosvalue]`
`mpsk`	`additional.fields[mpsk]`
`msg-type`	`additional.fields[msg-type]`
`msgtypename`	`additional.fields[msgtypename]`
`mtu`	`additional.fields[mtu]`
`nai`	`additional.fields[nai]`
`nsapi`	`additional.fields[nsapi]`
`policyname`	`additional.fields[policyname]`
`rcvdpkt`	`additional.fields[rcvdpkt]`
`red`	`additional.fields[red_conserve_mode]`
`srcserver`	`additional.fields[srcserver]`
`sysuptime`	`additional.fields[sysuptime]`
`trandisp`	`additional.fields[trandisp]`
`ui`	`additional.fields[ui]`
`vpntype`	`additional.fields[vpntype]`
`wanin`	`additional.fields[wanin]`
`waninfo`	`additional.fields[waninfo]`
`authserver`	`extensions.auth.auth_details`	If the `authserver` log field value is not empty then, `authserver` log field is mapped to the `extensions.auth.auth_details` UDM field. Else, if the `domainctrlauthstate` log field value is not empty then, `domainctrlauthstate` log field is mapped to the `extensions.auth.auth_details` UDM field.
`domainctrlauthstate`	`extensions.auth.auth_details`	If the `authserver` log field value is not empty then, `authserver` log field is mapped to the `extensions.auth.auth_details` UDM field. Else, if the `domainctrlauthstate` log field value is not empty then, `domainctrlauthstate` log field is mapped to the `extensions.auth.auth_details` UDM field.
	`extensions.auth.type`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `action` log field value contain one of the following values `tunnel-down` `tunnel-up` `ssl-new-con` or the `action` log field value is equal to `negotiate` and the `locip` log field value is not empty or the `remip` log field value is not empty then, the `extensions.auth.type` UDM field is set to `VPN`. Else, if the `action` log field value is equal to `tunnel-stats` and the `locip` log field value is not empty or the `remip` log field value is not empty then, the `extensions.auth.type` UDM field is set to `VPN`. Else, if the `type` log field value is equal to `event` and the `ui` log field value is not empty or the `remip` log field value is not empty then, the `extensions.auth.type` UDM field is set to `VPN`. Else, if the `action` log field value is equal to `tunnel-stats` then, the `extensions.auth.type` UDM field is set to `VPN`. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `action` log field value matches the regular expression pattern `.SSO.` then, the `extensions.auth.type` UDM field is set to `SSO`. Else, the `extensions.auth.type` UDM field is set to `VPN`.
`gatewayid`	`intermediary.asset_id`	If the `gatewayid` log field value is not empty then, `gatewayid` log field is mapped to the `intermediary.asset_id` UDM field. Else, if the `domainctrlname` log field value is not empty then, `domainctrlname` log field is mapped to the `intermediary.asset_id` UDM field. Else, if the `devintfname` log field value is not empty then, `devintfname` log field is mapped to the `intermediary.asset_id` UDM field.
`domainctrlname`	`intermediary.asset_id`	If the `gatewayid` log field value is not empty then, `gatewayid` log field is mapped to the `intermediary.asset_id` UDM field. Else, if the `domainctrlname` log field value is not empty then, `domainctrlname` log field is mapped to the `intermediary.asset_id` UDM field. Else, if the `devintfname` log field value is not empty then, `devintfname` log field is mapped to the `intermediary.asset_id` UDM field.
`devintfname`	`intermediary.asset_id`	If the `gatewayid` log field value is not empty then, `gatewayid` log field is mapped to the `intermediary.asset_id` UDM field. Else, if the `domainctrlname` log field value is not empty then, `domainctrlname` log field is mapped to the `intermediary.asset_id` UDM field. Else, if the `devintfname` log field value is not empty then, `devintfname` log field is mapped to the `intermediary.asset_id` UDM field.
`ha_group`	`intermediary.asset.attribute.labels[ha_group]`
`ha-prio`	`intermediary.asset.attribute.labels[ha_prio]`
`ha_role`	`intermediary.asset.attribute.labels[ha_role]`
`monitor-type`	`intermediary.asset.attribute.labels[monitor-type]`
`monitor-name`	`intermediary.asset.hostname`
`old_value`	`intermediary.domain.name`
`domainctrldomain`	`intermediary.hostname`	If the `dvchost` log field value is not empty then, `dvchost` log field is mapped to the `intermediary.hostname` UDM field. Else, if the `devname` log field value is not empty then, `devname` log field is mapped to the `intermediary.hostname` UDM field. Else, if the `domainctrldomain` log field value is not empty then, `domainctrldomain` log field is mapped to the `intermediary.hostname` UDM field. Else, if the `temp_data` log field value is not empty then, The `ts` and `device_name` fields is extracted from `temp_data` log field using the Grok pattern. if the `device_name` log field value is not empty then, `device_name` log field is mapped to the `intermediary.hostname` UDM field.
`dvchost`	`intermediary.hostname`	If the `dvchost` log field value is not empty then, `dvchost` log field is mapped to the `intermediary.hostname` UDM field. Else, if the `devname` log field value is not empty then, `devname` log field is mapped to the `intermediary.hostname` UDM field. Else, if the `domainctrldomain` log field value is not empty then, `domainctrldomain` log field is mapped to the `intermediary.hostname` UDM field. Else, if the `temp_data` log field value is not empty then, The `ts` and `device_name` fields is extracted from `temp_data` log field using the Grok pattern. if the `device_name` log field value is not empty then, `device_name` log field is mapped to the `intermediary.hostname` UDM field.
`devname`	`intermediary.hostname`	If the `dvchost` log field value is not empty then, `dvchost` log field is mapped to the `intermediary.hostname` UDM field. Else, if the `devname` log field value is not empty then, `devname` log field is mapped to the `intermediary.hostname` UDM field. Else, if the `domainctrldomain` log field value is not empty then, `domainctrldomain` log field is mapped to the `intermediary.hostname` UDM field. Else, if the `temp_data` log field value is not empty then, The `ts` and `device_name` fields is extracted from `temp_data` log field using the Grok pattern. if the `device_name` log field value is not empty then, `device_name` log field is mapped to the `intermediary.hostname` UDM field.
	`intermediary.ip`	If the `fortihost` log field value is not empty then, The `fortihost_ip` field is extracted from `fortihost` log field using the Grok pattern. if the `fortihost_ip` log field value is not empty then, `fortihost_ip` extracted field is mapped to the `intermediary.ip` UDM field. If the `forwardedfor` log field value is not empty then, The `valid_forwardedfor` field is extracted from `forwardedfor` log field using the Grok pattern. if the `valid_forwardedfor` log field value is not empty then, `valid_forwardedfor` extracted field is mapped to the `intermediary.ip` UDM field. If the `gateway` log field value is not empty then, The `valid_gateway` field is extracted from `gateway` log field using the Grok pattern. if the `valid_gateway` log field value is not empty then, `valid_gateway` extracted field is mapped to the `intermediary.ip` UDM field. If the `domainctrlip` log field value is not empty then, The `valid_domainctrlip` field is extracted from `domainctrlip` log field using the Grok pattern. if the `valid_domainctrlip` log field value is not empty then, `valid_domainctrlip` extracted field is mapped to the `intermediary.ip` UDM field.
	`metadata.event_type`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` then, the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. if the `subtype` log field value is equal to `webfilter` and if the `service` log field value contain one of the following values `HTTPS` `HTTP` then, the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `subtype` log field value is equal to `vpn` and if the `action` log field value is equal to `tunnel-stats` and the `locip` log field value is not empty or the `remip` log field value is not empty then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `type` log field value is equal to `event` then, the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, if the `action` log field value is equal to `tunnel-stats` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `subtype` log field value contain one of the following values `virus` `ips` `anomaly` or the `utmevent` log field value is equal to `appfirewall` and the `subtype` log field value is not equal to `system` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. If the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` then, the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. if the `subtype` log field value is equal to `webfilter` and if the `service` log field value contain one of the following values `HTTPS` `HTTP` then, the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `subtype` log field value is equal to `vpn` and if the `action` log field value is equal to `tunnel-stats` and the `locip` log field value is not empty or the `remip` log field value is not empty then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `type` log field value is equal to `event` then, the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, if the `action` log field value is equal to `tunnel-stats` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `subtype` log field value contain one of the following values `virus` `ips` `anomaly` or the `utmevent` log field value is equal to `appfirewall` and the `subtype` log field value is not equal to `system` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. If the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` then, the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. if the `subtype` log field value is equal to `webfilter` and if the `service` log field value contain one of the following values `HTTPS` `HTTP` then, the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `subtype` log field value is equal to `vpn` and if the `action` log field value is equal to `tunnel-stats` and the `locip` log field value is not empty or the `remip` log field value is not empty then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `type` log field value is equal to `event` then, the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, if the `action` log field value is equal to `tunnel-stats` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `subtype` log field value contain one of the following values `virus` `ips` `anomaly` or the `utmevent` log field value is equal to `appfirewall` and the `subtype` log field value is not equal to `system` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. If the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` then, the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. if the `subtype` log field value is equal to `webfilter` and if the `service` log field value contain one of the following values `HTTPS` `HTTP` then, the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `subtype` log field value is equal to `vpn` and if the `action` log field value is equal to `tunnel-stats` and the `locip` log field value is not empty or the `remip` log field value is not empty then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `type` log field value is equal to `event` then, the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, if the `action` log field value is equal to `tunnel-stats` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `subtype` log field value contain one of the following values `virus` `ips` `anomaly` or the `utmevent` log field value is equal to `appfirewall` and the `subtype` log field value is not equal to `system` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. If the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` then, the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. if the `subtype` log field value is equal to `webfilter` and if the `service` log field value contain one of the following values `HTTPS` `HTTP` then, the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `subtype` log field value is equal to `vpn` and if the `action` log field value is equal to `tunnel-stats` and the `locip` log field value is not empty or the `remip` log field value is not empty then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `type` log field value is equal to `event` then, the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, if the `action` log field value is equal to `tunnel-stats` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `subtype` log field value contain one of the following values `virus` `ips` `anomaly` or the `utmevent` log field value is equal to `appfirewall` and the `subtype` log field value is not equal to `system` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. If the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` then, the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. if the `subtype` log field value is equal to `webfilter` and if the `service` log field value contain one of the following values `HTTPS` `HTTP` then, the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `subtype` log field value is equal to `vpn` and if the `action` log field value is equal to `tunnel-stats` and the `locip` log field value is not empty or the `remip` log field value is not empty then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `type` log field value is equal to `event` then, the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, if the `action` log field value is equal to `tunnel-stats` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `subtype` log field value contain one of the following values `virus` `ips` `anomaly` or the `utmevent` log field value is equal to `appfirewall` and the `subtype` log field value is not equal to `system` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. If the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` then, the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. if the `subtype` log field value is equal to `webfilter` and if the `service` log field value contain one of the following values `HTTPS` `HTTP` then, the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `subtype` log field value is equal to `vpn` then, if the `action` log field value is equal to `tunnel-stats` and the `locip` log field value is not empty or the `remip` log field value is not empty then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `type` log field value is equal to `event` then, the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, if the `action` log field value is equal to `tunnel-stats` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `subtype` log field value contain one of the following values `virus` `ips` `anomaly` or the `utmevent` log field value is equal to `appfirewall` and the `subtype` log field value is not equal to `system` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. If the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` then, the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. if the `subtype` log field value is equal to `webfilter` and if the `service` log field value contain one of the following values `HTTPS` `HTTP` then, the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `subtype` log field value is equal to `vpn` then, if the `action` log field value is equal to `tunnel-stats` and the `locip` log field value is not empty or the `remip` log field value is not empty then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `type` log field value is equal to `event` then, the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, if the `action` log field value is equal to `tunnel-stats` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `subtype` log field value contain one of the following values `virus` `ips` `anomaly` or the `utmevent` log field value is equal to `appfirewall` and the `subtype` log field value is not equal to `system` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. If the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` then, the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. if the `subtype` log field value is equal to `webfilter` and if the `service` log field value contain one of the following values `HTTPS` `HTTP` then, the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `subtype` log field value is equal to `vpn` and if the `action` log field value is equal to `tunnel-stats` and the `locip` log field value is not empty or the `remip` log field value is not empty then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `type` log field value is equal to `event` then, the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, if the `action` log field value is equal to `tunnel-stats` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `subtype` log field value contain one of the following values `virus` `ips` `anomaly` or the `utmevent` log field value is equal to `appfirewall` and the `subtype` log field value is not equal to `system` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. If the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` then, the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. if the `subtype` log field value is equal to `webfilter` and if the `service` log field value contain one of the following values `HTTPS` `HTTP` then, the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `subtype` log field value is equal to `vpn` and if the `action` log field value is equal to `tunnel-stats` and the `locip` log field value is not empty or the `remip` log field value is not empty then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `type` log field value is equal to `event` then, the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, if the `action` log field value is equal to `tunnel-stats` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `subtype` log field value contain one of the following values `virus` `ips` `anomaly` or the `utmevent` log field value is equal to `appfirewall` and the `subtype` log field value is not equal to `system` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. If the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` then, the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. if the `subtype` log field value is equal to `webfilter` and if the `service` log field value contain one of the following values `HTTPS` `HTTP` then, the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `subtype` log field value is equal to `vpn` then, if the `action` log field value is equal to `tunnel-stats` and the `locip` log field value is not empty or the `remip` log field value is not empty then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `type` log field value is equal to `event` then, the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, if the `action` log field value is equal to `tunnel-stats` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `subtype` log field value contain one of the following values `virus` `ips` `anomaly` or the `utmevent` log field value is equal to `appfirewall` and the `subtype` log field value is not equal to `system` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. If the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` then, the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. if the `subtype` log field value is equal to `webfilter` and if the `service` log field value contain one of the following values `HTTPS` `HTTP` then, the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `subtype` log field value is equal to `vpn` then, if the `action` log field value is equal to `tunnel-stats` and the `locip` log field value is not empty or the `remip` log field value is not empty then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `type` log field value is equal to `event` then, the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, if the `action` log field value is equal to `tunnel-stats` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `subtype` log field value contain one of the following values `virus` `ips` `anomaly` or the `utmevent` log field value is equal to `appfirewall` and the `subtype` log field value is not equal to `system` then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. If the `type` log field value is equal to `dns` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `dns` then, the `metadata.event_type` UDM field is set to `NETWORK_DNS`. Else, if the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, the `metadata.event_type` UDM field is set to `NETWORK_DHCP`. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `action` log field value matches the regular expression pattern `.logoff.` or the `action` log field value is equal to `authentication` and the `status` log field value is equal to `logout` or the `action` log field value is equal to `auth-logout` and the `status` log field value is equal to `logout` then, the `metadata.event_type` UDM field is set to `USER_LOGOUT`. if the `action` log field value matches the regular expression pattern `.logon.` or the `action` log field value is equal to `auth-logon` and the `status` log field value is equal to `logon` then, the `metadata.event_type` UDM field is set to `USER_LOGIN`. Else, if the `action` log field value is equal to `login` then, the `metadata.event_type` UDM field is set to `USER_LOGIN`. Else, if the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `user_id` log field value is not empty and the `user_email` log field value is not empty then, the `metadata.event_type` UDM field is set to `USER_CREATION`. Else, the `metadata.event_type` UDM field is set to `USER_UNCATEGORIZED`. If the `event_name` log field value contain one of the following values `LogSpyware` `LogPredictiveMachineLearning` or the `subtype` log field value contain one of the following values `LogSpyware` `LogPredictiveMachineLearning` `endpoint` `system` then, the `metadata.event_type` UDM field is set to `SCAN_UNCATEGORIZED`. If the `user` log field value does not contain one of the following values `Empty` `N/A` and if the `metadata.event_type` log field value is equal to `GENERIC_EVENT` then, if the `subtype` log field value is equal to `vpn` and the `type` log field value is equal to `event` then, the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, the `metadata.event_type` UDM field is set to `USER_UNCATEGORIZED`. If the `File_name` log field value is not empty or the `Object` log field value is not empty or the `Objekt` log field value is not empty or the `Infected_Resource` log field value is not empty then, the `metadata.event_type` UDM field is set to `PROCESS_UNCATEGORIZED`. If the `metadata.event_type` log field value matches the regular expression pattern `GENERIC_EVENT` and if the `srcip` log field value is not empty and the `dstip` log field value is not empty then, the `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`. Else, if the `srcip` log field value is not empty then, the `metadata.event_type` UDM field is set to `STATUS_UNCATEGORIZED`. Else, if the `action` log field value is equal to `Delete` then, the `metadata.event_type` UDM field is set to `USER_DELETION`. if the `action` log field value is equal to `Edit` then, the `metadata.event_type` UDM field is set to `DEVICE_CONFIG_UPDATE`.
`logdesc`	`metadata.description`	`Message Description` with related to `logid` log field is mapped to `metadata.description`. For more information, see the Fortinet Log Messages Reference.
`type`	`metadata.description`	`Message Description` with related to `logid` log field is mapped to `metadata.description`. For more information, see the Fortinet Log Messages Reference.
`subtype`	`metadata.description`	`Message Description` with related to `logid` log field is mapped to `metadata.description`. For more information, see the Fortinet Log Messages Reference.
`msg`	`metadata.description`	`Message Description` with related to `logid` log field is mapped to `metadata.description`. For more information, see the Fortinet Log Messages Reference.
`eventtime`	`metadata.event_timestamp`	If the `eventtime` log field value is not empty then, The `eventtime1` field is extracted from `eventtime` log field using the Grok pattern. if the `eventtime1` log field value is not empty then, `eventtime1` extracted field is mapped to the `metadata.event_timestamp` UDM field. Else, `eventtime` log field is mapped to the `metadata.event_timestamp` UDM field. Else, if the `timestamp` log field value is not empty then, `timestamp` log field is mapped to the `metadata.event_timestamp` UDM field. Else, if the `date` log field value is not empty and the `time` log field value is not empty then, `%{date} %{time}` log field is mapped to the `metadata.event_timestamp` UDM field.
`timestamp`	`metadata.event_timestamp`	If the `eventtime` log field value is not empty then, The `eventtime1` field is extracted from `eventtime` log field using the Grok pattern. if the `eventtime1` log field value is not empty then, `eventtime1` extracted field is mapped to the `metadata.event_timestamp` UDM field. Else, `eventtime` log field is mapped to the `metadata.event_timestamp` UDM field. Else, if the `timestamp` log field value is not empty then, `timestamp` log field is mapped to the `metadata.event_timestamp` UDM field. Else, if the `date` log field value is not empty and the `time` log field value is not empty then, `%{date} %{time}` log field is mapped to the `metadata.event_timestamp` UDM field.
`date`	`metadata.event_timestamp`	If the `eventtime` log field value is not empty then, The `eventtime1` field is extracted from `eventtime` log field using the Grok pattern. if the `eventtime1` log field value is not empty then, `eventtime1` extracted field is mapped to the `metadata.event_timestamp` UDM field. Else, `eventtime` log field is mapped to the `metadata.event_timestamp` UDM field. Else, if the `timestamp` log field value is not empty then, `timestamp` log field is mapped to the `metadata.event_timestamp` UDM field. Else, if the `date` log field value is not empty and the `time` log field value is not empty then, `%{date} %{time}` log field is mapped to the `metadata.event_timestamp` UDM field.
`time`	`metadata.event_timestamp`	If the `eventtime` log field value is not empty then, The `eventtime1` field is extracted from `eventtime` log field using the Grok pattern. if the `eventtime1` log field value is not empty then, `eventtime1` extracted field is mapped to the `metadata.event_timestamp` UDM field. Else, `eventtime` log field is mapped to the `metadata.event_timestamp` UDM field. Else, if the `timestamp` log field value is not empty then, `timestamp` log field is mapped to the `metadata.event_timestamp` UDM field. Else, if the `date` log field value is not empty and the `time` log field value is not empty then, `%{date} %{time}` log field is mapped to the `metadata.event_timestamp` UDM field.
`logtime`	`metadata.event_timestamp`	If the `eventtime` log field value is not empty then, The `eventtime1` field is extracted from `eventtime` log field using the Grok pattern. if the `eventtime1` log field value is not empty then, `eventtime1` extracted field is mapped to the `metadata.event_timestamp` UDM field. Else, `eventtime` log field is mapped to the `metadata.event_timestamp` UDM field. Else, if the `timestamp` log field value is not empty then, `timestamp` log field is mapped to the `metadata.event_timestamp` UDM field. Else, if the `date` log field value is not empty and the `time` log field value is not empty then, `%{date} %{time}` log field is mapped to the `metadata.event_timestamp` UDM field.
`time`	`metadata.ingested_timestamp`	If the `date` log field value is not empty and the `time` log field value is not empty and the `tz` log field value is not empty then, `%{date} %{time} %{tz}` log field is mapped to the `metadata.product_event_type` UDM field.
`date`	`metadata.ingested_timestamp`	If the `date` log field value is not empty and the `time` log field value is not empty and the `tz` log field value is not empty then, `%{date} %{time} %{tz}` log field is mapped to the `metadata.product_event_type` UDM field.
`tz`	`metadata.ingested_timestamp`	If the `date` log field value is not empty and the `time` log field value is not empty and the `tz` log field value is not empty then, `%{date} %{time} %{tz}` log field is mapped to the `metadata.product_event_type` UDM field.
`type`	`metadata.product_event_type`	If the `connection_type` log field value is not empty then, `%{type} - %{subtype} - %{connection_type}` log field is mapped to the `metadata.product_event_type` UDM field. Else, `%{type} - %{subtype}` log field is mapped to the `metadata.product_event_type` UDM field. If the `eventsubtype` log field value is not empty then, `eventsubtype` log field is mapped to the `metadata.product_event_type` UDM field.
`subtype`	`metadata.product_event_type`	If the `connection_type` log field value is not empty then, `%{type} - %{subtype} - %{connection_type}` log field is mapped to the `metadata.product_event_type` UDM field. Else, `%{type} - %{subtype}` log field is mapped to the `metadata.product_event_type` UDM field. If the `eventsubtype` log field value is not empty then, `eventsubtype` log field is mapped to the `metadata.product_event_type` UDM field.
`connection_type`	`metadata.product_event_type`	If the `connection_type` log field value is not empty then, `%{type} - %{subtype} - %{connection_type}` log field is mapped to the `metadata.product_event_type` UDM field. Else, `%{type} - %{subtype}` log field is mapped to the `metadata.product_event_type` UDM field. If the `eventsubtype` log field value is not empty then, `eventsubtype` log field is mapped to the `metadata.product_event_type` UDM field.
`eventsubtype`	`metadata.product_event_type`	If the `connection_type` log field value is not empty then, `%{type} - %{subtype} - %{connection_type}` log field is mapped to the `metadata.product_event_type` UDM field. Else, `%{type} - %{subtype}` log field is mapped to the `metadata.product_event_type` UDM field. If the `eventsubtype` log field value is not empty then, `eventsubtype` log field is mapped to the `metadata.product_event_type` UDM field.
`cat`	`metadata.product_event_type`	If the `connection_type` log field value is not empty then, `%{type} - %{subtype} - %{connection_type}` log field is mapped to the `metadata.product_event_type` UDM field. Else, `%{type} - %{subtype}` log field is mapped to the `metadata.product_event_type` UDM field. If the `eventsubtype` log field value is not empty then, `eventsubtype` log field is mapped to the `metadata.product_event_type` UDM field.
`logid`	`metadata.product_log_id`	If the `logid` log field value is not empty then, `logid` log field is mapped to the `metadata.product_log_id` UDM field. Else, if the `event_id` log field value is not empty then, `event_id` log field is mapped to the `metadata.product_log_id` UDM field.
`event_id`	`metadata.product_log_id`	If the `logid` log field value is not empty then, `logid` log field is mapped to the `metadata.product_log_id` UDM field. Else, if the `event_id` log field value is not empty then, `event_id` log field is mapped to the `metadata.product_log_id` UDM field.
`version`	`metadata.product_version`	If the `device_version` log field value is not empty then, `device_version` extracted field is mapped to the `metadata.product_version` UDM field. Else, `version` log field is mapped to the `metadata.product_version` UDM field.
`device_version`	`metadata.product_version`	If the `device_version` log field value is not empty then, `device_version` extracted field is mapped to the `metadata.product_version` UDM field. Else, `version` log field is mapped to the `metadata.product_version` UDM field.
	`metadata.log_type`	The `metadata.log_type` UDM field is set to `FORTINET_FIREWALL`.
`ref`	`metadata.url_back_to_product`
`authproto`	`network.application_protocol`
`service`	`network.application_protocol`
`protocol`	`network.application_protocol`
`proxyapptype`	`network.application_protocol`
`c-ggsn`	`network.carrier_name`
`attachment`	`network.dhcp.file`
`lease`	`network.dhcp.lease_time_seconds`
	`network.dhcp.type`	If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, the `network.dhcp.type` UDM field is set to `ACK` and the `network.application_protocol` UDM field is set to `DHCP`.
`ip`	`network.dhcp.yiaddr`	If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `ip` log field is mapped to the `network.dhcp.yiaddr` UDM field.
`assigned`	`network.dhcp.yiaddr`	If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `ip` log field is mapped to the `network.dhcp.yiaddr` UDM field.
`direction`	`security_result.detection_fields[direction]`
`dir`	`network.direction`	If the `direction` log field value contain one of the following values `incoming` `inbound` `response` then, the `network.direction` UDM field is set to `INBOUND`. Else, if the `direction` log field value contain one of the following values `outgoing` `outbound` `request` then, the `network.direction` UDM field is set to `OUTBOUND`.
`ddnsserver`	`network.dns.additional.name`
`ipaddr`	`network.dns.answers.data`	If the `ipaddr` log field value is not empty then, Iterate through log field `ipaddr`, then `ipaddr` log field is mapped to the `network.dns.answers.data` UDM field. If the `addr` log field value is not empty then, Iterate through log field `addr`, then `addr` log field is mapped to the `network.dns.answers.data` UDM field. If the `addrgrp` log field value is not empty then, `addrgrp` log field is mapped to the `network.dns.answers.data` UDM field.
`addr`	`network.dns.answers.data`	If the `ipaddr` log field value is not empty then, Iterate through log field `ipaddr`, then `ipaddr` log field is mapped to the `network.dns.answers.data` UDM field. If the `addr` log field value is not empty then, Iterate through log field `addr`, then `addr` log field is mapped to the `network.dns.answers.data` UDM field. If the `addrgrp` log field value is not empty then, `addrgrp` log field is mapped to the `network.dns.answers.data` UDM field.
`addrgrp`	`network.dns.answers.data`	If the `ipaddr` log field value is not empty then, Iterate through log field `ipaddr`, then `ipaddr` log field is mapped to the `network.dns.answers.data` UDM field. If the `addr` log field value is not empty then, Iterate through log field `addr`, then `addr` log field is mapped to the `network.dns.answers.data` UDM field. If the `addrgrp` log field value is not empty then, `addrgrp` log field is mapped to the `network.dns.answers.data` UDM field.
`addr_type`	`network.dns.answers.type`
`qclass`	`network.dns.questions.class`	If the `type` log field value is equal to `dns` and the `subtype` log field value contain one of the following values `dns-query` `dns-response` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `dns` and if the `qclass` log field value is equal to `IN` then, the `network.dns.questions.class` UDM field is set to `1`.
`qname`	`network.dns.questions.name`
`fqdn`	`network.dns.questions.name`
`qtypeval`	`network.dns.questions.type`
`from`	`network.email.from`
`recipient`	`network.email.mail_id`
`to`	`network.email.to`	If the `to` log field value matches the regular expression pattern `(^.+@.+$)` then, `to` log field is mapped to the `network.email.to` UDM field.
`httpmethod`	`network.http.method`	If the `httpmethod` log field value is not empty then, `httpmethod` log field is mapped to the `network.http.method` UDM field. Else, if the `message_type` log field value is not empty then, `message_type` log field is mapped to the `network.http.method` UDM field.
`message_type`	`network.http.method`	If the `httpmethod` log field value is not empty then, `httpmethod` log field is mapped to the `network.http.method` UDM field. Else, if the `message_type` log field value is not empty then, `message_type` log field is mapped to the `network.http.method` UDM field.
`agent`	`network.http.parsed_user_agent`
`referralurl`	`network.http.referral_url`
`httpcode`	`network.http.response_code`
`chgheaders`	`additional.fields[chgheaders]`
`agent`	`network.http.user_agent`	If the `agent` log field value is not empty then, `agent` log field is mapped to the `network.http.user_agent` UDM field. Else, if the `chgheaders` log field value is not empty then, `chgheaders` log field is mapped to the `network.http.user_agent` UDM field. Else, if the `method` log field value is not empty then, `method` log field is mapped to the `network.http.user_agent` UDM field.
`chgheaders`	`network.http.user_agent`	If the `agent` log field value is not empty then, `agent` log field is mapped to the `network.http.user_agent` UDM field. Else, if the `chgheaders` log field value is not empty then, `chgheaders` log field is mapped to the `network.http.user_agent` UDM field. Else, if the `method` log field value is not empty then, `method` log field is mapped to the `network.http.user_agent` UDM field.
`method`	`network.http.user_agent`	If the `agent` log field value is not empty then, `agent` log field is mapped to the `network.http.user_agent` UDM field. Else, if the `chgheaders` log field value is not empty then, `chgheaders` log field is mapped to the `network.http.user_agent` UDM field. Else, if the `method` log field value is not empty then, `method` log field is mapped to the `network.http.user_agent` UDM field.
`service`	`network.ip_protocol`
`proto`	`network.ip_protocol`
`protocol`	`network.ip_protocol`
`probeproto`	`network.ip_protocol`
`domainctrlprotocoltype`	`network.ip_protocol`
`ip_protocol`	`network.ip_protocol`
`poolname`	`network.ip_subnet_range`	If the `portbegin` log field value is not empty and the `portend` log field value is not empty then, `%{portbegin}/%{portend}` log field is mapped to the `network.ip_subnet_range` UDM field. Else, `poolname` log field is mapped to the `network.ip_subnet_range` UDM field.
`portbegin`	`network.ip_subnet_range`	If the `portbegin` log field value is not empty and the `portend` log field value is not empty then, `%{portbegin}/%{portend}` log field is mapped to the `network.ip_subnet_range` UDM field. Else, `poolname` log field is mapped to the `network.ip_subnet_range` UDM field.
`portend`	`network.ip_subnet_range`	If the `portbegin` log field value is not empty and the `portend` log field value is not empty then, `%{portbegin}/%{portend}` log field is mapped to the `network.ip_subnet_range` UDM field. Else, `poolname` log field is mapped to the `network.ip_subnet_range` UDM field.
`rcvdbyte`	`network.received_bytes`	If the `rcvdbyte` log field value is not empty then, `rcvdbyte` log field is mapped to the `network.received_bytes` UDM field. Else, if the `rcvddelta` log field value is not empty then, `rcvddelta` log field is mapped to the `network.received_bytes` UDM field. Else, if the `lanin` log field value is not empty then, `lanin` log field is mapped to the `network.received_bytes` UDM field.
`rcvddelta`	`network.received_bytes`	If the `rcvdbyte` log field value is not empty then, `rcvdbyte` log field is mapped to the `network.received_bytes` UDM field. Else, if the `rcvddelta` log field value is not empty then, `rcvddelta` log field is mapped to the `network.received_bytes` UDM field. Else, if the `lanin` log field value is not empty then, `lanin` log field is mapped to the `network.received_bytes` UDM field.
`lanin`	`network.received_bytes`	If the `rcvdbyte` log field value is not empty then, `rcvdbyte` log field is mapped to the `network.received_bytes` UDM field. Else, if the `rcvddelta` log field value is not empty then, `rcvddelta` log field is mapped to the `network.received_bytes` UDM field. Else, if the `lanin` log field value is not empty then, `lanin` log field is mapped to the `network.received_bytes` UDM field.
`rcvdpkt`	`network.received_packets`	If the `rcvdpkt` log field value is not empty then, `rcvdpkt` log field is mapped to the `network.received_packets` UDM field. Else, if the `rcvdpktdelta` log field value is not empty then, `rcvdpktdelta` log field is mapped to the `network.received_packets` UDM field.
`rcvdpktdelta`	`network.received_packets`	If the `rcvdpkt` log field value is not empty then, `rcvdpkt` log field is mapped to the `network.received_packets` UDM field. Else, if the `rcvdpktdelta` log field value is not empty then, `rcvdpktdelta` log field is mapped to the `network.received_packets` UDM field.
`c-bytes`	`network.sent_bytes`	If the `sentbyte` log field value is not empty then, `sentbyte` log field is mapped to the `network.sent_bytes` UDM field. Else, if the `c-bytes` log field value is not empty then, `c-bytes` log field is mapped to the `network.sent_bytes` UDM field. Else, `lanout` log field is mapped to the `network.sent_bytes` UDM field.
`sentbyte`	`network.sent_bytes`	If the `sentbyte` log field value is not empty then, `sentbyte` log field is mapped to the `network.sent_bytes` UDM field. Else, if the `c-bytes` log field value is not empty then, `c-bytes` log field is mapped to the `network.sent_bytes` UDM field. Else, `lanout` log field is mapped to the `network.sent_bytes` UDM field.
`lanout`	`network.sent_bytes`	If the `sentbyte` log field value is not empty then, `sentbyte` log field is mapped to the `network.sent_bytes` UDM field. Else, if the `c-bytes` log field value is not empty then, `c-bytes` log field is mapped to the `network.sent_bytes` UDM field. Else, `lanout` log field is mapped to the `network.sent_bytes` UDM field.
`sentpkt`	`network.sent_packets`	If the `sentpkt` log field value is not empty then, `sentpkt` log field is mapped to the `network.sent_packets` UDM field. Else, `eapolcnt` log field is mapped to the `network.sent_packets` UDM field.
`eapolcnt`	`network.sent_packets`	If the `sentpkt` log field value is not empty then, `sentpkt` log field is mapped to the `network.sent_packets` UDM field. Else, `eapolcnt` log field is mapped to the `network.sent_packets` UDM field.
`durationdelta`	`network.session_duration`	If the `duration` log field value does not contain one of the following values `Empty` `0` then, `duration` log field is mapped to the `network.session_duration` UDM field. Else, if the `durationdelta` log field value is not empty then, `durationdelta` log field is mapped to the `network.session_duration` UDM field. Else, if the `live` log field value is not empty then, `live` log field is mapped to the `network.session_duration` UDM field. Else, if the `totalsession` log field value is not empty then, `totalsession` log field is mapped to the `network.session_duration` UDM field.
`live`	`network.session_duration`	If the `duration` log field value does not contain one of the following values `Empty` `0` then, `duration` log field is mapped to the `network.session_duration` UDM field. Else, if the `durationdelta` log field value is not empty then, `durationdelta` log field is mapped to the `network.session_duration` UDM field. Else, if the `live` log field value is not empty then, `live` log field is mapped to the `network.session_duration` UDM field. Else, if the `totalsession` log field value is not empty then, `totalsession` log field is mapped to the `network.session_duration` UDM field.
`duration`	`network.session_duration`	If the `duration` log field value does not contain one of the following values `Empty` `0` then, `duration` log field is mapped to the `network.session_duration` UDM field. Else, if the `durationdelta` log field value is not empty then, `durationdelta` log field is mapped to the `network.session_duration` UDM field. Else, if the `live` log field value is not empty then, `live` log field is mapped to the `network.session_duration` UDM field. Else, if the `totalsession` log field value is not empty then, `totalsession` log field is mapped to the `network.session_duration` UDM field.
`totalsession`	`network.session_duration`	If the `duration` log field value does not contain one of the following values `Empty` `0` then, `duration` log field is mapped to the `network.session_duration` UDM field. Else, if the `durationdelta` log field value is not empty then, `durationdelta` log field is mapped to the `network.session_duration` UDM field. Else, if the `live` log field value is not empty then, `live` log field is mapped to the `network.session_duration` UDM field. Else, if the `totalsession` log field value is not empty then, `totalsession` log field is mapped to the `network.session_duration` UDM field.
`sessionid`	`network.session_id`	If the `sessionid` log field value is not empty then, `sessionid` log field is mapped to the `network.session_id` UDM field. Else, if the `session_id` log field value is not empty then, `session_id` log field is mapped to the `network.session_id` UDM field. Else, if the `netid` log field value is not empty then, `netid` log field is mapped to the `network.session_id` UDM field.
`session_id`	`network.session_id`	If the `sessionid` log field value is not empty then, `sessionid` log field is mapped to the `network.session_id` UDM field. Else, if the `session_id` log field value is not empty then, `session_id` log field is mapped to the `network.session_id` UDM field. Else, if the `netid` log field value is not empty then, `netid` log field is mapped to the `network.session_id` UDM field.
`netid`	`network.session_id`	If the `sessionid` log field value is not empty then, `sessionid` log field is mapped to the `network.session_id` UDM field. Else, if the `session_id` log field value is not empty then, `session_id` log field is mapped to the `network.session_id` UDM field. Else, if the `netid` log field value is not empty then, `netid` log field is mapped to the `network.session_id` UDM field.
`cipher`	`network.tls.cipher`
`scertissuer`	`network.tls.client.certificate.issuer`	If the `scertissuer` log field value is not empty then, `scertissuer` log field is mapped to the `network.tls.client.certificate.issuer` UDM field. Else, if the `issuer` log field value is not empty then, `issuer` log field is mapped to the `network.tls.client.certificate.issuer` UDM field.
`issuer`	`network.tls.client.certificate.issuer`	If the `scertissuer` log field value is not empty then, `scertissuer` log field is mapped to the `network.tls.client.certificate.issuer` UDM field. Else, if the `issuer` log field value is not empty then, `issuer` log field is mapped to the `network.tls.client.certificate.issuer` UDM field.
`incidentserialno`	`network.tls.client.certificate.serial`	If the `incidentserialno` log field value is not empty then, `incidentserialno` log field is mapped to the `network.tls.client.certificate.serial` UDM field. Else, if the `cert` log field value is not empty then, `cert` log field is mapped to the `network.tls.client.certificate.serial` UDM field.
`cert`	`network.tls.client.certificate.serial`	If the `incidentserialno` log field value is not empty then, `incidentserialno` log field is mapped to the `network.tls.client.certificate.serial` UDM field. Else, if the `cert` log field value is not empty then, `cert` log field is mapped to the `network.tls.client.certificate.serial` UDM field.
`certhash`	`network.tls.client.certificate.sha256`
`scertcname`	`network.tls.client.certificate.subject`	If the `scertcname` log field value is not empty then, `scertcname` log field is mapped to the `network.tls.client.certificate.subject` UDM field. Else, if the `certdesc` log field value is not empty then, `certdesc` log field is mapped to the `network.tls.client.certificate.subject` UDM field.
`certdesc`	`network.tls.client.certificate.subject`	If the `scertcname` log field value is not empty then, `scertcname` log field is mapped to the `network.tls.client.certificate.subject` UDM field. Else, if the `certdesc` log field value is not empty then, `certdesc` log field is mapped to the `network.tls.client.certificate.subject` UDM field.
`cert-type`	`network.tls.client.certificate.version`
`vd`	`principal.administrative_domain`	If the `admin` log field value is not empty then, `admin` log field is mapped to the `principal.administrative_domain` UDM field. Else, if the `vd` log field value is not empty then, `vd` log field is mapped to the `principal.administrative_domain` UDM field.
`admin`	`principal.administrative_domain`	If the `admin` log field value is not empty then, `admin` log field is mapped to the `principal.administrative_domain` UDM field. Else, if the `vd` log field value is not empty then, `vd` log field is mapped to the `principal.administrative_domain` UDM field.
`clientcert`	`principal.artifact.last_https_certificate`
`chassisid`	`principal.asset_id`	If the `clientdeviceid` log field value is not empty then, `Fortinet:%{clientdeviceid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `chassisid` log field value is not empty then, `Fortinet:%{chassisid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `deviceExternalId` log field value is not empty then, `Fortinet:%{deviceExternalId}` log field is mapped to the `principal.asset_id` UDM field.
`clientdeviceid`	`principal.asset_id`	If the `clientdeviceid` log field value is not empty then, `Fortinet:%{clientdeviceid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `chassisid` log field value is not empty then, `Fortinet:%{chassisid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `deviceExternalId` log field value is not empty then, `Fortinet:%{deviceExternalId}` log field is mapped to the `principal.asset_id` UDM field.
`deviceExternalId`	`principal.asset_id`	If the `clientdeviceid` log field value is not empty then, `Fortinet:%{clientdeviceid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `chassisid` log field value is not empty then, `Fortinet:%{chassisid}` log field is mapped to the `principal.asset_id` UDM field. Else, if the `deviceExternalId` log field value is not empty then, `Fortinet:%{deviceExternalId}` log field is mapped to the `principal.asset_id` UDM field.
`chassisid`	`principal.asset.asset_id`	If the `clientdeviceid` log field value is not empty then, `Fortinet:%{clientdeviceid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `chassisid` log field value is not empty then, `Fortinet:%{chassisid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `deviceExternalId` log field value is not empty then, `Fortinet:%{deviceExternalId}` log field is mapped to the `principal.asset.asset_id` UDM field.
`clientdeviceid`	`principal.asset.asset_id`	If the `clientdeviceid` log field value is not empty then, `Fortinet:%{clientdeviceid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `chassisid` log field value is not empty then, `Fortinet:%{chassisid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `deviceExternalId` log field value is not empty then, `Fortinet:%{deviceExternalId}` log field is mapped to the `principal.asset.asset_id` UDM field.
`deviceExternalId`	`principal.asset.asset_id`	If the `clientdeviceid` log field value is not empty then, `Fortinet:%{clientdeviceid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `chassisid` log field value is not empty then, `Fortinet:%{chassisid}` log field is mapped to the `principal.asset.asset_id` UDM field. Else, if the `deviceExternalId` log field value is not empty then, `Fortinet:%{deviceExternalId}` log field is mapped to the `principal.asset.asset_id` UDM field.
`clientdeviceems`	`principal.asset.attribute.labels[clientdeviceems]`
`clientdevicemanageable`	`principal.asset.attribute.labels[clientdevicemanageable]`
`clientdevicetags`	`principal.asset.attribute.labels[clientdevicetags]`
`clientdeviceowner`	`principal.asset.attribute.labels[clientdeviceowner]`
`manuf`	`principal.asset.attribute.labels[manuf]`
`versionmax`	`principal.asset.attribute.labels[versionmax]`
`versionmin`	`principal.asset.attribute.labels[versionmin]`
`srchwvendor`	`principal.asset.hardware.manufacturer`	If the `srchwvendor` log field value is not empty then, `srchwvendor` log field is mapped to the `principal.asset.hardware.manufacturer` UDM field. Else, if the `srcmacvendor` log field value is not empty then, `srcmacvendor` log field is mapped to the `principal.asset.hardware.manufacturer` UDM field.
`srcmacvendor`	`principal.asset.hardware.manufacturer`	If the `srchwvendor` log field value is not empty then, `srchwvendor` log field is mapped to the `principal.asset.hardware.manufacturer` UDM field. Else, if the `srcmacvendor` log field value is not empty then, `srcmacvendor` log field is mapped to the `principal.asset.hardware.manufacturer` UDM field.
`srcmacvendor`	`principal.asset.attribute.labels[srcmacvendor]`
`peer`	`principal.asset.hardware.model`
`srchwversion`	`principal.asset.hardware.serial_number`	If the `srchwversion` log field value is not empty then, `srchwversion` log field is mapped to the `principal.asset.hardware.serial_number` UDM field.
`devid`	`intermediary.asset.hardware.serial_number`	If the `devid` log field value is not empty and if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `system` then, `devid` log field is mapped to the `principal.asset.hardware.serial_number` UDM field. Else, `devid` log field is mapped to the `intermediary.asset.hardware.serial_number` UDM field.
`hostname`	`principal.asset.hostname`	If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `hostname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `utmevent` log field value is not equal to `appfirewall` and the `subtype` log field value is equal to `system` and the `srcname` log field value is not empty then, `srcname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `name` log field value is not empty and the `name` log field value is not equal to `N/A` and if the `logdesc` log field value does not match the regular expression pattern `(?i)user` then, `name` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `authserver` log field value does not contain one of the following values `Empty` `0` then, `authserver` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `client_addr` log field value is not empty then, `client_addr` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `shost` log field value is not empty then, `shost` log field is mapped to the `principal.asset.hostname` UDM field.
`srcname`	`principal.asset.hostname`	If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `hostname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `utmevent` log field value is not equal to `appfirewall` and the `subtype` log field value is equal to `system` and the `srcname` log field value is not empty then, `srcname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `name` log field value is not empty and the `name` log field value is not equal to `N/A` and if the `logdesc` log field value does not match the regular expression pattern `(?i)user` then, `name` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `authserver` log field value does not contain one of the following values `Empty` `0` then, `authserver` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `client_addr` log field value is not empty then, `client_addr` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `shost` log field value is not empty then, `shost` log field is mapped to the `principal.asset.hostname` UDM field.
`authserver`	`principal.asset.hostname`	If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `hostname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `utmevent` log field value is not equal to `appfirewall` and the `subtype` log field value is equal to `system` and the `srcname` log field value is not empty then, `srcname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `name` log field value is not empty and the `name` log field value is not equal to `N/A` and if the `logdesc` log field value does not match the regular expression pattern `(?i)user` then, `name` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `authserver` log field value does not contain one of the following values `Empty` `0` then, `authserver` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `client_addr` log field value is not empty then, `client_addr` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `shost` log field value is not empty then, `shost` log field is mapped to the `principal.asset.hostname` UDM field.
`name`	`principal.asset.hostname`	If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `hostname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `utmevent` log field value is not equal to `appfirewall` and the `subtype` log field value is equal to `system` and the `srcname` log field value is not empty then, `srcname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `name` log field value is not empty and the `name` log field value is not equal to `N/A` and if the `logdesc` log field value does not match the regular expression pattern `(?i)user` then, `name` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `authserver` log field value does not contain one of the following values `Empty` `0` then, `authserver` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `client_addr` log field value is not empty then, `client_addr` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `shost` log field value is not empty then, `shost` log field is mapped to the `principal.asset.hostname` UDM field.
`client_addr`	`principal.asset.hostname`	If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `hostname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `utmevent` log field value is not equal to `appfirewall` and the `subtype` log field value is equal to `system` and the `srcname` log field value is not empty then, `srcname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `name` log field value is not empty and the `name` log field value is not equal to `N/A` and if the `logdesc` log field value does not match the regular expression pattern `(?i)user` then, `name` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `authserver` log field value does not contain one of the following values `Empty` `0` then, `authserver` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `client_addr` log field value is not empty then, `client_addr` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `shost` log field value is not empty then, `shost` log field is mapped to the `principal.asset.hostname` UDM field.
`banned_src`	`principal.asset.ip`	If the `saddr` log field value is not empty then, The `saddr_ip` field is extracted from `saddr` log field using the Grok pattern. if the `saddr_ip` log field value is not empty then, `saddr_ip` log field is mapped to the `principal.asset.ip` UDM field. Else, if the `srcremote` log field value is not empty then, The `srcremote_ip` field is extracted from `srcremote` log field using the Grok pattern. if the `srcremote_ip` log field value is not empty then, `srcremote_ip` log field is mapped to the `principal.asset.ip` UDM field. Else, if the `shost` log field value is not empty then, The `valid_shost` field is extracted from `shost` log field using the Grok pattern. if the `valid_shost` log field value is not empty then, `valid_shost` log field is mapped to the `principal.asset.ip` UDM field. Else, if the `ui` log field value is not empty then, The `prin_ip` field is extracted from `ui` log field using the Grok pattern. The `prin_ip` and `desc1` fields is extracted from `ui` log field using the Grok pattern. if the `prin_ip` log field value is not empty and the `ip` log field value is not equal to `the prin_ip log field value` then, `prin_ip` extracted field is mapped to the `principal.asset.ip` UDM field. If the `user` log field value does not contain one of the following values `Empty` `N/A` then, The `user_ip` field is extracted from `user` log field using the Grok pattern. if the `user_ip` log field value is not empty then, `user_ip` extracted field is mapped to the `principal.asset.ip` UDM field. If the `subtype` log field value contain one of the following values `endpoint` `system` and if the `ip` log field value is not empty and the `ip` log field value is not equal to `N/A` then, The `valid_ip` field is extracted from `ip` log field using the Grok pattern. `valid_ip` extracted field is mapped to the `principal.asset.ip` UDM field. If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, The `valid_ip` field is extracted from `ip` log field using the Grok pattern. `valid_ip` extracted field is mapped to the `principal.asset.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and the `locip` log field value is not empty then, The `valid_locip` field is extracted from `locip` log field using the Grok pattern. `valid_locip` extracted field is mapped to the `principal.asset.ip` UDM field. If the `srcip` log field value is not empty then, The `src_ip` field is extracted from `srcip` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.asset.ip` UDM field. Else, if the `src` log field value is not empty then, The `src_ip` field is extracted from `src` log field using the Grok pattern. `src_ip` extracted field is mapped to the `principal.asset.ip` UDM field. If the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `msg` log field value is not empty then, The `user_email` field is extracted from `msg` log field using the Grok pattern. The `src_ip` and `user_id` fields is extracted from `msg` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.asset.ip` UDM field. If the `banned_src` log field value is not empty then, `banned_src` log field is mapped to the `principal.asset.ip` UDM field. If the `remote` log field value is not empty then, `remote` log field is mapped to the `principal.asset.ip` UDM field. `user_email` extracted fields are mapped to the `principal.asset.ip` UDM field.
`remote`	`principal.asset.ip`	If the `saddr` log field value is not empty then, The `saddr_ip` field is extracted from `saddr` log field using the Grok pattern. if the `saddr_ip` log field value is not empty then, `saddr_ip` log field is mapped to the `principal.asset.ip` UDM field. Else, if the `srcremote` log field value is not empty then, The `srcremote_ip` field is extracted from `srcremote` log field using the Grok pattern. if the `srcremote_ip` log field value is not empty then, `srcremote_ip` log field is mapped to the `principal.asset.ip` UDM field. Else, if the `shost` log field value is not empty then, The `valid_shost` field is extracted from `shost` log field using the Grok pattern. if the `valid_shost` log field value is not empty then, `valid_shost` log field is mapped to the `principal.asset.ip` UDM field. Else, if the `ui` log field value is not empty then, The `prin_ip` field is extracted from `ui` log field using the Grok pattern. The `prin_ip` and `desc1` fields is extracted from `ui` log field using the Grok pattern. if the `prin_ip` log field value is not empty and the `ip` log field value is not equal to `the prin_ip log field value` then, `prin_ip` extracted field is mapped to the `principal.asset.ip` UDM field. If the `user` log field value does not contain one of the following values `Empty` `N/A` then, The `user_ip` field is extracted from `user` log field using the Grok pattern. if the `user_ip` log field value is not empty then, `user_ip` extracted field is mapped to the `principal.asset.ip` UDM field. If the `subtype` log field value contain one of the following values `endpoint` `system` and if the `ip` log field value is not empty and the `ip` log field value is not equal to `N/A` then, The `valid_ip` field is extracted from `ip` log field using the Grok pattern. `valid_ip` extracted field is mapped to the `principal.asset.ip` UDM field. If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, The `valid_ip` field is extracted from `ip` log field using the Grok pattern. `valid_ip` extracted field is mapped to the `principal.asset.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and the `locip` log field value is not empty then, The `valid_locip` field is extracted from `locip` log field using the Grok pattern. `valid_locip` extracted field is mapped to the `principal.asset.ip` UDM field. If the `srcip` log field value is not empty then, The `src_ip` field is extracted from `srcip` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.asset.ip` UDM field. Else, if the `src` log field value is not empty then, The `src_ip` field is extracted from `src` log field using the Grok pattern. `src_ip` extracted field is mapped to the `principal.asset.ip` UDM field. If the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `msg` log field value is not empty then, The `user_email` field is extracted from `msg` log field using the Grok pattern. The `src_ip` and `user_id` fields is extracted from `msg` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.asset.ip` UDM field. If the `banned_src` log field value is not empty then, `banned_src` log field is mapped to the `principal.asset.ip` UDM field. If the `remote` log field value is not empty then, `remote` log field is mapped to the `principal.asset.ip` UDM field. `user_email` extracted fields are mapped to the `principal.asset.ip` UDM field.
`srcssid`	`principal.asset.attribute.labels[srcssid]`
`ssid`	`principal.asset.attribute.labels[ssid]`
`srcregion`	`principal.asset.location.country_or_region`
`tamac`	`principal.asset.mac`
`saasname`	`principal.asset.software.description`
`saasapp`	`principal.asset.software.name`
`new_value`	`principal.domain.name`
`sender`	`principal.email`
`file`	`principal.file.full_path`
`checksum`	`principal.file.sha256`
`filesize`	`principal.file.size`
`filetype`	`principal.file.mime_type`
`adgroup`	`principal.group.group_display_name`
`groupid`	`principal.group.product_object_id`
`hostname`	`principal.hostname`	If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `hostname` log field is mapped to the `principal.hostname` UDM field. Else, if the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `utmevent` log field value is not equal to `appfirewall` and the `subtype` log field value is equal to `system` and the `srcname` log field value is not empty then, `srcname` log field is mapped to the `principal.hostname` UDM field. Else, if the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `principal.hostname` UDM field. Else, if the `name` log field value is not empty and the `name` log field value is not equal to `N/A` and if the `logdesc` log field value does not match the regular expression pattern `(?i)user` then, `name` log field is mapped to the `principal.hostname` UDM field. Else, if the `authserver` log field value does not contain one of the following values `Empty` `0` then, `authserver` log field is mapped to the `principal.hostname` UDM field. Else, if the `client_addr` log field value is not empty then, `client_addr` log field is mapped to the `principal.hostname` UDM field. Else, if the `shost` log field value is not empty then, `shost` log field is mapped to the `principal.hostname` UDM field.
`srcname`	`principal.hostname`	If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `hostname` log field is mapped to the `principal.hostname` UDM field. Else, if the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `utmevent` log field value is not equal to `appfirewall` and the `subtype` log field value is equal to `system` and the `srcname` log field value is not empty then, `srcname` log field is mapped to the `principal.hostname` UDM field. Else, if the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `principal.hostname` UDM field. Else, if the `name` log field value is not empty and the `name` log field value is not equal to `N/A` and if the `logdesc` log field value does not match the regular expression pattern `(?i)user` then, `name` log field is mapped to the `principal.hostname` UDM field. Else, if the `authserver` log field value does not contain one of the following values `Empty` `0` then, `authserver` log field is mapped to the `principal.hostname` UDM field. Else, if the `client_addr` log field value is not empty then, `client_addr` log field is mapped to the `principal.hostname` UDM field. Else, if the `shost` log field value is not empty then, `shost` log field is mapped to the `principal.hostname` UDM field.
`authserver`	`principal.hostname`	If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `hostname` log field is mapped to the `principal.hostname` UDM field. Else, if the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `utmevent` log field value is not equal to `appfirewall` and the `subtype` log field value is equal to `system` and the `srcname` log field value is not empty then, `srcname` log field is mapped to the `principal.hostname` UDM field. Else, if the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `principal.hostname` UDM field. Else, if the `name` log field value is not empty and the `name` log field value is not equal to `N/A` and if the `logdesc` log field value does not match the regular expression pattern `(?i)user` then, `name` log field is mapped to the `principal.hostname` UDM field. Else, if the `authserver` log field value does not contain one of the following values `Empty` `0` then, `authserver` log field is mapped to the `principal.hostname` UDM field. Else, if the `client_addr` log field value is not empty then, `client_addr` log field is mapped to the `principal.hostname` UDM field. Else, if the `shost` log field value is not empty then, `shost` log field is mapped to the `principal.hostname` UDM field.
`name`	`principal.hostname`	If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `hostname` log field is mapped to the `principal.hostname` UDM field. Else, if the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `utmevent` log field value is not equal to `appfirewall` and the `subtype` log field value is equal to `system` and the `srcname` log field value is not empty then, `srcname` log field is mapped to the `principal.hostname` UDM field. Else, if the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `principal.hostname` UDM field. Else, if the `name` log field value is not empty and the `name` log field value is not equal to `N/A` and if the `logdesc` log field value does not match the regular expression pattern `(?i)user` then, `name` log field is mapped to the `principal.hostname` UDM field. Else, if the `authserver` log field value does not contain one of the following values `Empty` `0` then, `authserver` log field is mapped to the `principal.hostname` UDM field. Else, if the `client_addr` log field value is not empty then, `client_addr` log field is mapped to the `principal.hostname` UDM field. Else, if the `shost` log field value is not empty then, `shost` log field is mapped to the `principal.hostname` UDM field.
`client_addr`	`principal.hostname`	If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `hostname` log field is mapped to the `principal.hostname` UDM field. Else, if the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `utmevent` log field value is not equal to `appfirewall` and the `subtype` log field value is equal to `system` and the `srcname` log field value is not empty then, `srcname` log field is mapped to the `principal.hostname` UDM field. Else, if the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `principal.hostname` UDM field. Else, if the `name` log field value is not empty and the `name` log field value is not equal to `N/A` and if the `logdesc` log field value does not match the regular expression pattern `(?i)user` then, `name` log field is mapped to the `principal.hostname` UDM field. Else, if the `authserver` log field value does not contain one of the following values `Empty` `0` then, `authserver` log field is mapped to the `principal.hostname` UDM field. Else, if the `client_addr` log field value is not empty then, `client_addr` log field is mapped to the `principal.hostname` UDM field. Else, if the `shost` log field value is not empty then, `shost` log field is mapped to the `principal.hostname` UDM field.
`ip`	`principal.ip`	If the `saddr` log field value is not empty then, The `saddr_ip` field is extracted from `saddr` log field using the Grok pattern. if the `saddr_ip` log field value is not empty then, `saddr_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `srcremote` log field value is not empty then, The `valid_srcremote` field is extracted from `srcremote` log field using the Grok pattern. if the `valid_srcremote` log field value is not empty then, `valid_srcremote` extracted field is mapped to the `principal.ip` UDM field. Else, if the `shost` log field value is not empty then, The `valid_shost` field is extracted from `shost` log field using the Grok pattern. if the `valid_shost` log field value is not empty then, `valid_shost` extracted field is mapped to the `principal.ip` UDM field. Else, if the `user` log field value does not contain one of the following values `Empty` `N/A` then, The `user_ip` field is extracted from `user` log field using the Grok pattern. if the `user_ip` log field value is not empty then, `user_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `ui` log field value is not empty then, The `prin_ip` field is extracted from `ui` log field using the Grok pattern. if the `prin_ip` log field value is not empty then, `prin_ip` extracted field is mapped to the `principal.ip` UDM field. If the `subtype` log field value contain one of the following values `endpoint` `system` and if the `ip` log field value is not empty and the `ip` log field value is not equal to `N/A` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and the `locip` log field value is not empty then, `locip` log field is mapped to the `principal.ip` UDM field. If the `srcip` log field value is not empty then, The `src_ip` field is extracted from `srcip` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `src` log field value is not empty then, The `src_ip` field is extracted from `src` log field using the Grok pattern. `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `msg` log field value is not empty then, The `user_email` field is extracted from `msg` log field using the Grok pattern. The `src_ip` and `user_id` fields is extracted from `msg` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `banned_src` log field value is not empty then, `banned_src` log field is mapped to the `principal.ip` UDM field. If the `userfrom` log field value is not empty then, The `valid_ip` field is extracted from `userfrom` log field using the Grok pattern. `valid_ip` extracted field is mapped to the `principal.ip` UDM field. `user_email` extracted fields are mapped to the `principal.ip` UDM field.
`locip`	`principal.ip`	If the `saddr` log field value is not empty then, The `saddr_ip` field is extracted from `saddr` log field using the Grok pattern. if the `saddr_ip` log field value is not empty then, `saddr_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `srcremote` log field value is not empty then, The `valid_srcremote` field is extracted from `srcremote` log field using the Grok pattern. if the `valid_srcremote` log field value is not empty then, `valid_srcremote` extracted field is mapped to the `principal.ip` UDM field. Else, if the `shost` log field value is not empty then, The `valid_shost` field is extracted from `shost` log field using the Grok pattern. if the `valid_shost` log field value is not empty then, `valid_shost` extracted field is mapped to the `principal.ip` UDM field. Else, if the `user` log field value does not contain one of the following values `Empty` `N/A` then, The `user_ip` field is extracted from `user` log field using the Grok pattern. if the `user_ip` log field value is not empty then, `user_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `ui` log field value is not empty then, The `prin_ip` field is extracted from `ui` log field using the Grok pattern. if the `prin_ip` log field value is not empty then, `prin_ip` extracted field is mapped to the `principal.ip` UDM field. If the `subtype` log field value contain one of the following values `endpoint` `system` and if the `ip` log field value is not empty and the `ip` log field value is not equal to `N/A` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and the `locip` log field value is not empty then, `locip` log field is mapped to the `principal.ip` UDM field. If the `srcip` log field value is not empty then, The `src_ip` field is extracted from `srcip` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `src` log field value is not empty then, The `src_ip` field is extracted from `src` log field using the Grok pattern. `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `msg` log field value is not empty then, The `user_email` field is extracted from `msg` log field using the Grok pattern. The `src_ip` and `user_id` fields is extracted from `msg` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `banned_src` log field value is not empty then, `banned_src` log field is mapped to the `principal.ip` UDM field. If the `userfrom` log field value is not empty then, The `valid_ip` field is extracted from `userfrom` log field using the Grok pattern. `valid_ip` extracted field is mapped to the `principal.ip` UDM field. `user_email` extracted fields are mapped to the `principal.ip` UDM field.
`banned_src`	`principal.ip`	If the `saddr` log field value is not empty then, The `saddr_ip` field is extracted from `saddr` log field using the Grok pattern. if the `saddr_ip` log field value is not empty then, `saddr_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `srcremote` log field value is not empty then, The `valid_srcremote` field is extracted from `srcremote` log field using the Grok pattern. if the `valid_srcremote` log field value is not empty then, `valid_srcremote` extracted field is mapped to the `principal.ip` UDM field. Else, if the `shost` log field value is not empty then, The `valid_shost` field is extracted from `shost` log field using the Grok pattern. if the `valid_shost` log field value is not empty then, `valid_shost` extracted field is mapped to the `principal.ip` UDM field. Else, if the `user` log field value does not contain one of the following values `Empty` `N/A` then, The `user_ip` field is extracted from `user` log field using the Grok pattern. if the `user_ip` log field value is not empty then, `user_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `ui` log field value is not empty then, The `prin_ip` field is extracted from `ui` log field using the Grok pattern. if the `prin_ip` log field value is not empty then, `prin_ip` extracted field is mapped to the `principal.ip` UDM field. If the `subtype` log field value contain one of the following values `endpoint` `system` and if the `ip` log field value is not empty and the `ip` log field value is not equal to `N/A` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and the `locip` log field value is not empty then, `locip` log field is mapped to the `principal.ip` UDM field. If the `srcip` log field value is not empty then, The `src_ip` field is extracted from `srcip` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `src` log field value is not empty then, The `src_ip` field is extracted from `src` log field using the Grok pattern. `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `msg` log field value is not empty then, The `user_email` field is extracted from `msg` log field using the Grok pattern. The `src_ip` and `user_id` fields is extracted from `msg` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `banned_src` log field value is not empty then, `banned_src` log field is mapped to the `principal.ip` UDM field. If the `userfrom` log field value is not empty then, The `valid_ip` field is extracted from `userfrom` log field using the Grok pattern. `valid_ip` extracted field is mapped to the `principal.ip` UDM field. `user_email` extracted fields are mapped to the `principal.ip` UDM field.
`srccity`	`principal.ip_location.city`
`srccountry`	`principal.location.country_or_region`	If the `srccountry` log field value is not empty and the `srccountry` log field value is not equal to `Reserved` then, `srccountry` log field is mapped to the `principal.location.country_or_region` UDM field.
`uli`	`principal.location.name`
`mac`	`principal.mac`	If the `srcmac` log field value is not empty then, `srcmac` log field is mapped to the `principal.mac` UDM field and `srcmac` log field is mapped to the `principal.asset.mac` UDM field. Else, if the `mac` log field value is not empty then, `mac` log field is mapped to the `principal.mac` UDM field and `mac` log field is mapped to the `principal.asset.mac` UDM field.
`srcmac`	`principal.mac`	If the `srcmac` log field value is not empty then, `srcmac` log field is mapped to the `principal.mac` UDM field and `srcmac` log field is mapped to the `principal.asset.mac` UDM field. Else, if the `mac` log field value is not empty then, `mac` log field is mapped to the `principal.mac` UDM field and `mac` log field is mapped to the `principal.asset.mac` UDM field.
`transip`	`principal.nat_ip`
`transport`	`principal.nat_port`
	`principal.platform`	If the `osname` log field value matches the regular expression pattern `(?i)WINDOWS` then, the `principal.platform` UDM field is set to `WINDOWS`. Else, if the `osname` log field value matches the regular expression pattern `(?i)ANDROID` then, the `principal.platform` UDM field is set to `ANDROID`. Else, if the `osname` log field value matches the regular expression pattern `(?i)LINUX` then, the `principal.platform` UDM field is set to `LINUX`. Else, if the `osname` log field value matches the regular expression pattern `(?i)MAC` then, the `principal.platform` UDM field is set to `MAC`.
`srcswversion`	`principal.platform_version`	If the `osname` log field value matches the regular expression pattern `(?i)WINDOWS` and if the `osversion` log field value is not empty then, `osversion` log field is mapped to the `principal.platform_version` UDM field. If the `srcswversion` log field value is not empty then, `srcswversion` log field is mapped to the `principal.platform_version` UDM field. If the `os` log field value matches the regular expression pattern `.Windows.` then, The `os_version` field is extracted from `os` log field using the Grok pattern. `os_version` log field is mapped to the `principal.platform_version` UDM field.
`osversion`	`principal.platform_version`	If the `osname` log field value matches the regular expression pattern `(?i)WINDOWS` and if the `osversion` log field value is not empty then, `osversion` log field is mapped to the `principal.platform_version` UDM field. If the `srcswversion` log field value is not empty then, `srcswversion` log field is mapped to the `principal.platform_version` UDM field. If the `os` log field value matches the regular expression pattern `.Windows.` then, The `os_version` field is extracted from `os` log field using the Grok pattern. `os_version` log field is mapped to the `principal.platform_version` UDM field.
`src_port`	`principal.port`	If the `src_port` log field value is not empty then, `src_port` log field is mapped to the `principal.port` UDM field. Else, if the `remport` log field value is not empty then, `remport` log field is mapped to the `principal.port` UDM field. Else, if the `srcport` log field value is not empty then, `srcport` log field is mapped to the `principal.port` UDM field. Else, if the `port` log field value is not empty then, `port` log field is mapped to the `principal.port` UDM field.
`remport`	`principal.port`	If the `src_port` log field value is not empty then, `src_port` log field is mapped to the `principal.port` UDM field. Else, if the `remport` log field value is not empty then, `remport` log field is mapped to the `principal.port` UDM field. Else, if the `srcport` log field value is not empty then, `srcport` log field is mapped to the `principal.port` UDM field. Else, if the `port` log field value is not empty then, `port` log field is mapped to the `principal.port` UDM field.
`port`	`principal.port`	If the `src_port` log field value is not empty then, `src_port` log field is mapped to the `principal.port` UDM field. Else, if the `remport` log field value is not empty then, `remport` log field is mapped to the `principal.port` UDM field. Else, if the `srcport` log field value is not empty then, `srcport` log field is mapped to the `principal.port` UDM field. Else, if the `port` log field value is not empty then, `port` log field is mapped to the `principal.port` UDM field.
`srcport`	`principal.port`	If the `src_port` log field value is not empty then, `src_port` log field is mapped to the `principal.port` UDM field. Else, if the `remport` log field value is not empty then, `remport` log field is mapped to the `principal.port` UDM field. Else, if the `srcport` log field value is not empty then, `srcport` log field is mapped to the `principal.port` UDM field. Else, if the `port` log field value is not empty then, `port` log field is mapped to the `principal.port` UDM field.
`srcname`	`principal.process.command_line`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `utmevent` log field value is equal to `appfirewall` and the `subtype` log field value is not equal to `system` then, `srcname` log field is mapped to the `principal.process.command_line` UDM field.
`pid`	`principal.process.pid`
`advpnsc`	`principal.resource.attribute.labels[advpnsc]`
`assignip`	`principal.resource.attribute.labels[assignip]`
`cloudaction`	`principal.resource.attribute.labels[cloudaction]`
`cookies`	`principal.resource.attribute.labels[cookies]`
`init`	`principal.resource.attribute.labels[init]`
`nextstat`	`principal.resource.attribute.labels[nextstat]`
`outintf`	`principal.resource.attribute.labels[outintf]`
`ratemethod`	`principal.resource.attribute.labels[ratemethod]`
`rcvdbyte`	`principal.resource.attribute.labels[rcvdbyte]`
`reqtype`	`principal.resource.attribute.labels[reqtype]`
`role`	`principal.resource.attribute.labels[role]`
`serverresponsetime`	`principal.resource.attribute.labels[serverresponsetime]`
`serviceid`	`principal.resource.attribute.labels[serviceid]`
`stage`	`principal.resource.attribute.labels[stage]`
`tunnelid`	`principal.resource.attribute.labels[tunnelid]`
`tunneltype`	`principal.resource.attribute.labels[tunneltype]`
`useralt`	`principal.resource.attribute.labels[useralt]`
`vpntunnel`	`principal.resource.attribute.labels[vpntunnel]`
`xauthgroup`	`principal.resource.attribute.labels[xauthgroup]`
`xauthuser`	`principal.resource.attribute.labels[xauthuser]`
`srcfamily`	`principal.resource.attribute.labels[srcfamily]`
`srcreputation`	`principal.resource.attribute.labels[srcreputation]`
`srcthreatfeed`	`principal.resource.attribute.labels[srcthreatfeed]`
`clouddevice`	`principal.resource.name`	If the `clouddevice` log field value is not empty then, `clouddevice` log field is mapped to the `principal.resource.name` UDM field. Else, if the `servername` log field value is not empty then, `servername` log field is mapped to the `principal.resource.name` UDM field. Else, if the `src_int` log field value is not empty then, `src_int` log field is mapped to the `principal.resource.name` UDM field. Else, if the `srcdomain` log field value is not empty then, `srcdomain` log field is mapped to the `principal.resource.name` UDM field.
`servername`	`principal.resource.name`	If the `clouddevice` log field value is not empty then, `clouddevice` log field is mapped to the `principal.resource.name` UDM field. Else, if the `servername` log field value is not empty then, `servername` log field is mapped to the `principal.resource.name` UDM field. Else, if the `src_int` log field value is not empty then, `src_int` log field is mapped to the `principal.resource.name` UDM field. Else, if the `srcdomain` log field value is not empty then, `srcdomain` log field is mapped to the `principal.resource.name` UDM field.
`src_int`	`principal.resource.name`	If the `clouddevice` log field value is not empty then, `clouddevice` log field is mapped to the `principal.resource.name` UDM field. Else, if the `servername` log field value is not empty then, `servername` log field is mapped to the `principal.resource.name` UDM field. Else, if the `src_int` log field value is not empty then, `src_int` log field is mapped to the `principal.resource.name` UDM field. Else, if the `srcdomain` log field value is not empty then, `srcdomain` log field is mapped to the `principal.resource.name` UDM field.
`srcdomain`	`principal.resource.name`	If the `clouddevice` log field value is not empty then, `clouddevice` log field is mapped to the `principal.resource.name` UDM field. Else, if the `servername` log field value is not empty then, `servername` log field is mapped to the `principal.resource.name` UDM field. Else, if the `src_int` log field value is not empty then, `src_int` log field is mapped to the `principal.resource.name` UDM field. Else, if the `srcdomain` log field value is not empty then, `srcdomain` log field is mapped to the `principal.resource.name` UDM field.
`cldobjid`	`principal.resource.product_object_id`	If the `srcuuid` log field value is not empty then, `srcuuid` log field is mapped to the `principal.resource.product_object_id` UDM field. Else, if the `serveraddr` log field value is not empty then, `serveraddr` log field is mapped to the `principal.resource.product_object_id` UDM field. Else, if the `cldobjid` log field value is not empty then, `cldobjid` log field is mapped to the `principal.resource.product_object_id` UDM field. If the `cldobjid` log field value is not empty or the `serveraddr` log field value is not empty or the `srcuuid` log field value is not empty then, the `principal.resource.resource_type` UDM field is set to `CLOUD_PROJECT`.
`serveraddr`	`principal.resource.product_object_id`	If the `srcuuid` log field value is not empty then, `srcuuid` log field is mapped to the `principal.resource.product_object_id` UDM field. Else, if the `serveraddr` log field value is not empty then, `serveraddr` log field is mapped to the `principal.resource.product_object_id` UDM field. Else, if the `cldobjid` log field value is not empty then, `cldobjid` log field is mapped to the `principal.resource.product_object_id` UDM field. If the `cldobjid` log field value is not empty or the `serveraddr` log field value is not empty or the `srcuuid` log field value is not empty then, the `principal.resource.resource_type` UDM field is set to `CLOUD_PROJECT`.
`srcuuid`	`principal.resource.product_object_id`	If the `srcuuid` log field value is not empty then, `srcuuid` log field is mapped to the `principal.resource.product_object_id` UDM field. Else, if the `serveraddr` log field value is not empty then, `serveraddr` log field is mapped to the `principal.resource.product_object_id` UDM field. Else, if the `cldobjid` log field value is not empty then, `cldobjid` log field is mapped to the `principal.resource.product_object_id` UDM field. If the `cldobjid` log field value is not empty or the `serveraddr` log field value is not empty or the `srcuuid` log field value is not empty then, the `principal.resource.resource_type` UDM field is set to `CLOUD_PROJECT`.
`new_status`	`principal.user.attribute.labels[new_status]`
`old_status`	`principal.user.attribute.labels[old_status]`
`passwd`	`principal.user.attribute.labels[passwd]`
`peer_notif`	`principal.user.attribute.labels[peer_notif]`
`profiletype`	`principal.user.attribute.labels[profiletype]`
`ulimcc`	`principal.user.attribute.labels[ulimcc]`
`ulimnc`	`principal.user.attribute.labels[ulimnc]`
`user_data`	`principal.user.attribute.labels[user_data]`
`useractivity`	`principal.user.attribute.labels[useractivity]`
`group`	`principal.user.group_identifiers`	If the `group` log field value is not empty and the `group` log field value is not equal to `N/A` then, `group` log field is mapped to the `principal.user.group_identifiers` UDM field. Else, if the `community` log field value is not empty then, `community` log field is mapped to the `principal.user.group_identifiers` UDM field.
`community`	`principal.user.group_identifiers`	If the `group` log field value is not empty and the `group` log field value is not equal to `N/A` then, `group` log field is mapped to the `principal.user.group_identifiers` UDM field. Else, if the `community` log field value is not empty then, `community` log field is mapped to the `principal.user.group_identifiers` UDM field.
`msisdn`	`principal.user.phone_numbers`	If the `msisdn` log field value is not empty then, `msisdn` log field is mapped to the `principal.user.phone_numbers` UDM field. Else, if the `phone` log field value is not empty then, `phone` log field is mapped to the `principal.user.phone_numbers` UDM field.
`phone`	`principal.user.phone_numbers`	If the `msisdn` log field value is not empty then, `msisdn` log field is mapped to the `principal.user.phone_numbers` UDM field. Else, if the `phone` log field value is not empty then, `phone` log field is mapped to the `principal.user.phone_numbers` UDM field.
`user`	`principal.user.user_display_name`	If the `user` log field value does not contain one of the following values `Empty` `N/A` then, `user` log field is mapped to the `principal.user.user_display_name` UDM field. Else, if the `cn` log field value is not empty then, `cn` log field is mapped to the `principal.user.user_display_name` UDM field. If the `suser` log field value is not empty and the `suser` log field value does not match the regular expression pattern `^{` then, then, `%{suser}` log field is mapped to the `principal.user.user_display_name` UDM field.
`cn`	`principal.user.user_display_name`	If the `user` log field value does not contain one of the following values `Empty` `N/A` then, `user` log field is mapped to the `principal.user.user_display_name` UDM field. Else, if the `cn` log field value is not empty then, `cn` log field is mapped to the `principal.user.user_display_name` UDM field. If the `suser` log field value is not empty and the `suser` log field value does not match the regular expression pattern `^{` then, then, `%{suser}` log field is mapped to the `principal.user.user_display_name` UDM field.
`suser`	`principal.user.user_display_name`	If the `user` log field value does not contain one of the following values `Empty` `N/A` then, `user` log field is mapped to the `principal.user.user_display_name` UDM field. Else, if the `cn` log field value is not empty then, `cn` log field is mapped to the `principal.user.user_display_name` UDM field. If the `suser` log field value is not empty and the `suser` log field value does not match the regular expression pattern `^{` then, then, `%{suser}` log field is mapped to the `principal.user.user_display_name` UDM field.
`cn`	`principal.user.attribute.labels[cn]`	If the `user` log field value is not empty then, the `principal.user.attribute.labels.key` UDM field is set to `cn` and `cn` log field is mapped to the `principal.user.attribute.labels.value` UDM field.
`user`	`principal.user.userid`	If the `user` log field value is not empty and the `user` log field value is not equal to `N/A` then, `user` log field is mapped to the `principal.user.userid` UDM field. Else, if the `initiator` log field value is not empty then, `initiator` log field is mapped to the `principal.user.userid` UDM field. Else, if the `login` log field value is not empty then, `login` log field is mapped to the `principal.user.userid` UDM field. Else, if the `unauthuser` log field value is not empty then, `unauthuser` log field is mapped to the `principal.user.userid` UDM field. Else, if the `logdesc` log field value matches the regular expression pattern `GUI_ENTRY_DELETION` then, `vd` log field is mapped to the `principal.user.userid` UDM field.
`vd`	`principal.user.userid`	If the `user` log field value is not empty and the `user` log field value is not equal to `N/A` then, `user` log field is mapped to the `principal.user.userid` UDM field. Else, if the `initiator` log field value is not empty then, `initiator` log field is mapped to the `principal.user.userid` UDM field. Else, if the `login` log field value is not empty then, `login` log field is mapped to the `principal.user.userid` UDM field. Else, if the `unauthuser` log field value is not empty then, `unauthuser` log field is mapped to the `principal.user.userid` UDM field. Else, if the `logdesc` log field value matches the regular expression pattern `GUI_ENTRY_DELETION` then, `vd` log field is mapped to the `principal.user.userid` UDM field.
`clouduser`	`principal.user.userid`	If the `user` log field value is not empty and the `user` log field value is not equal to `N/A` then, `user` log field is mapped to the `principal.user.userid` UDM field. Else, if the `initiator` log field value is not empty then, `initiator` log field is mapped to the `principal.user.userid` UDM field. Else, if the `login` log field value is not empty then, `login` log field is mapped to the `principal.user.userid` UDM field. Else, if the `unauthuser` log field value is not empty then, `unauthuser` log field is mapped to the `principal.user.userid` UDM field. Else, if the `logdesc` log field value matches the regular expression pattern `GUI_ENTRY_DELETION` then, `vd` log field is mapped to the `principal.user.userid` UDM field.
`initiator`	`principal.user.userid`	If the `user` log field value is not empty and the `user` log field value is not equal to `N/A` then, `user` log field is mapped to the `principal.user.userid` UDM field. Else, if the `initiator` log field value is not empty then, `initiator` log field is mapped to the `principal.user.userid` UDM field. Else, if the `login` log field value is not empty then, `login` log field is mapped to the `principal.user.userid` UDM field. Else, if the `unauthuser` log field value is not empty then, `unauthuser` log field is mapped to the `principal.user.userid` UDM field. Else, if the `logdesc` log field value matches the regular expression pattern `GUI_ENTRY_DELETION` then, `vd` log field is mapped to the `principal.user.userid` UDM field.
`login`	`principal.user.userid`	If the `user` log field value is not empty and the `user` log field value is not equal to `N/A` then, `user` log field is mapped to the `principal.user.userid` UDM field. Else, if the `initiator` log field value is not empty then, `initiator` log field is mapped to the `principal.user.userid` UDM field. Else, if the `login` log field value is not empty then, `login` log field is mapped to the `principal.user.userid` UDM field. Else, if the `unauthuser` log field value is not empty then, `unauthuser` log field is mapped to the `principal.user.userid` UDM field. Else, if the `logdesc` log field value matches the regular expression pattern `GUI_ENTRY_DELETION` then, `vd` log field is mapped to the `principal.user.userid` UDM field.
`unauthuser`	`principal.user.userid`	If the `user` log field value is not empty and the `user` log field value is not equal to `N/A` then, `user` log field is mapped to the `principal.user.userid` UDM field. Else, if the `initiator` log field value is not empty then, `initiator` log field is mapped to the `principal.user.userid` UDM field. Else, if the `login` log field value is not empty then, `login` log field is mapped to the `principal.user.userid` UDM field. Else, if the `unauthuser` log field value is not empty then, `unauthuser` log field is mapped to the `principal.user.userid` UDM field. Else, if the `logdesc` log field value matches the regular expression pattern `GUI_ENTRY_DELETION` then, `vd` log field is mapped to the `principal.user.userid` UDM field.
`botnetdomain`	`security_result.about.hostname`
`botnetip`	`security_result.about.ip`
`craction`	`security_result.about.labels[craction]`
`incidentserialno`	`security_result.about.labels[incidentserialno]`
	`security_result.action`	If the `action` log field value contain one of the following values `accept` `passthrough` `pass` `permit` `detected` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` `auth-logon` or the `utmaction` log field value contain one of the following values `accept` `allow` `passthrough` `pass` `detected` `permit` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` or the `status` log field value is equal to `success` or the `outcome` log field value is equal to `REDIRECTED_USER_MAY_PROCEED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Success\|Success)` or the `cs2` log field value matches the regular expression pattern `Allow` then, the `security_result.action` UDM field is set to `ALLOW`. Else, if the `action` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` or the `utmaction` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` `deny` `dropped` `blocked` `block` `timeout` `negotiate` or the `status` log field value is equal to `failure` or the `status` log field value is equal to `failed` or the `outcome` log field value is equal to `BLOCKED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Failure\|Failed)` or the `cs2` log field value matches the regular expression pattern `Denied` then, the `security_result.action` UDM field is set to `BLOCK`. Else, if the `outcome` log field value matches the regular expression pattern `Failure` then, the `security_result.action` UDM field is set to `FAIL`. If the `operation` log field value is not empty and if the `operation` log field value contain one of the following values `accept` `passthrough` `pass` `permit` `detected` `close` `edit` then, the `security_result.action` UDM field is set to `ALLOW`. Else, if the `operation` log field value contain one of the following values `deny` `dropped` `blocked` then, the `security_result.action` UDM field is set to `BLOCK`. Else, if the `operation` log field value is equal to `timeout` then, the `security_result.action` UDM field is set to `FAIL`. Else, if the `icbaction` log field value is not empty then, if the `icbaction` log field value matches the regular expression pattern `allow` then, the `security_result.action` UDM field is set to `ALLOW`. Else, if the `icbaction` log field value matches the regular expression pattern `block` then, the `security_result.action` UDM field is set to `BLOCK`. Else, if the `icbaction` log field value matches the regular expression pattern `fail` then, the `security_result.action` UDM field is set to `BLOCK`.
`operation`	`security_result.action_details`	If the `action` log field value is not empty then, `action` log field is mapped to the `security_result.action_details` UDM field. Else, if the `utmaction` log field value is not empty then, `utmaction` log field is mapped to the `security_result.action_details` UDM field. Else, if the `operation` log field value is not empty then, `operation` log field is mapped to the `security_result.action_details` UDM field. Else, if the `icbaction` log field value is not empty then, `icbaction` log field is mapped to the `security_result.action_details` UDM field.
`icbaction`	`security_result.action_details`	If the `action` log field value is not empty then, `action` log field is mapped to the `security_result.action_details` UDM field. Else, if the `utmaction` log field value is not empty then, `utmaction` log field is mapped to the `security_result.action_details` UDM field. Else, if the `operation` log field value is not empty then, `operation` log field is mapped to the `security_result.action_details` UDM field. Else, if the `icbaction` log field value is not empty then, `icbaction` log field is mapped to the `security_result.action_details` UDM field.
`action`	`security_result.action_details`	If the `action` log field value is not empty then, `action` log field is mapped to the `security_result.action_details` UDM field. Else, if the `utmaction` log field value is not empty then, `utmaction` log field is mapped to the `security_result.action_details` UDM field. Else, if the `operation` log field value is not empty then, `operation` log field is mapped to the `security_result.action_details` UDM field. Else, if the `icbaction` log field value is not empty then, `icbaction` log field is mapped to the `security_result.action_details` UDM field.
`utmaction`	`security_result.action_details`	If the `action` log field value is not empty then, `action` log field is mapped to the `security_result.action_details` UDM field. Else, if the `utmaction` log field value is not empty then, `utmaction` log field is mapped to the `security_result.action_details` UDM field. Else, if the `operation` log field value is not empty then, `operation` log field is mapped to the `security_result.action_details` UDM field. Else, if the `icbaction` log field value is not empty then, `icbaction` log field is mapped to the `security_result.action_details` UDM field.
`attackid`	`security_result.attack_details.tactics.id`
`attack`	`security_result.attack_details.tactics.name`
`attackcontextid`	`security_result.attack_details.techniques.id`
`attackcontext`	`security_result.attack_details.techniques.name`
`dtype`	`security_result.category_details`	If the `catdesc` log field value is not empty then, `catdesc` log field is mapped to the `security_result.category_details` UDM field. Else, if the `category` log field value is not empty then, `category` log field is mapped to the `security_result.category_details` UDM field. Else, if the `filtercat` log field value is not empty then, `filtercat` log field is mapped to the `security_result.category_details` UDM field. Else, if the `dtype` log field value is not empty then, `dtype` log field is mapped to the `security_result.category_details` UDM field. Else, if the `attack` log field value is not empty then, `attack` log field is mapped to the `security_result.category_details` UDM field. Else, if the `icbverdict` log field value is not empty then, `icbverdict` log field is mapped to the `security_result.category_details` UDM field. Else, if the `infection` log field value is not empty then, `infection` log field is mapped to the `security_result.category_details` UDM field. Else, if the `cat` log field value is not empty then, `cat` log field is mapped to the `security_result.category_details` UDM field.
`category`	`security_result.category_details`	If the `catdesc` log field value is not empty then, `catdesc` log field is mapped to the `security_result.category_details` UDM field. Else, if the `category` log field value is not empty then, `category` log field is mapped to the `security_result.category_details` UDM field. Else, if the `filtercat` log field value is not empty then, `filtercat` log field is mapped to the `security_result.category_details` UDM field. Else, if the `dtype` log field value is not empty then, `dtype` log field is mapped to the `security_result.category_details` UDM field. Else, if the `attack` log field value is not empty then, `attack` log field is mapped to the `security_result.category_details` UDM field. Else, if the `icbverdict` log field value is not empty then, `icbverdict` log field is mapped to the `security_result.category_details` UDM field. Else, if the `infection` log field value is not empty then, `infection` log field is mapped to the `security_result.category_details` UDM field. Else, if the `cat` log field value is not empty then, `cat` log field is mapped to the `security_result.category_details` UDM field.
`cat`	`security_result.category_details`	If the `catdesc` log field value is not empty then, `catdesc` log field is mapped to the `security_result.category_details` UDM field. Else, if the `category` log field value is not empty then, `category` log field is mapped to the `security_result.category_details` UDM field. Else, if the `filtercat` log field value is not empty then, `filtercat` log field is mapped to the `security_result.category_details` UDM field. Else, if the `dtype` log field value is not empty then, `dtype` log field is mapped to the `security_result.category_details` UDM field. Else, if the `attack` log field value is not empty then, `attack` log field is mapped to the `security_result.category_details` UDM field. Else, if the `icbverdict` log field value is not empty then, `icbverdict` log field is mapped to the `security_result.category_details` UDM field. Else, if the `infection` log field value is not empty then, `infection` log field is mapped to the `security_result.category_details` UDM field. Else, if the `cat` log field value is not empty then, `cat` log field is mapped to the `security_result.category_details` UDM field.
`attack`	`security_result.category_details`	If the `catdesc` log field value is not empty then, `catdesc` log field is mapped to the `security_result.category_details` UDM field. Else, if the `category` log field value is not empty then, `category` log field is mapped to the `security_result.category_details` UDM field. Else, if the `filtercat` log field value is not empty then, `filtercat` log field is mapped to the `security_result.category_details` UDM field. Else, if the `dtype` log field value is not empty then, `dtype` log field is mapped to the `security_result.category_details` UDM field. Else, if the `attack` log field value is not empty then, `attack` log field is mapped to the `security_result.category_details` UDM field. Else, if the `icbverdict` log field value is not empty then, `icbverdict` log field is mapped to the `security_result.category_details` UDM field. Else, if the `infection` log field value is not empty then, `infection` log field is mapped to the `security_result.category_details` UDM field. Else, if the `cat` log field value is not empty then, `cat` log field is mapped to the `security_result.category_details` UDM field.
`catdesc`	`security_result.category_details`	If the `catdesc` log field value is not empty then, `catdesc` log field is mapped to the `security_result.category_details` UDM field. Else, if the `category` log field value is not empty then, `category` log field is mapped to the `security_result.category_details` UDM field. Else, if the `filtercat` log field value is not empty then, `filtercat` log field is mapped to the `security_result.category_details` UDM field. Else, if the `dtype` log field value is not empty then, `dtype` log field is mapped to the `security_result.category_details` UDM field. Else, if the `attack` log field value is not empty then, `attack` log field is mapped to the `security_result.category_details` UDM field. Else, if the `icbverdict` log field value is not empty then, `icbverdict` log field is mapped to the `security_result.category_details` UDM field. Else, if the `infection` log field value is not empty then, `infection` log field is mapped to the `security_result.category_details` UDM field. Else, if the `cat` log field value is not empty then, `cat` log field is mapped to the `security_result.category_details` UDM field.
`filtercat`	`security_result.category_details`	If the `catdesc` log field value is not empty then, `catdesc` log field is mapped to the `security_result.category_details` UDM field. Else, if the `category` log field value is not empty then, `category` log field is mapped to the `security_result.category_details` UDM field. Else, if the `filtercat` log field value is not empty then, `filtercat` log field is mapped to the `security_result.category_details` UDM field. Else, if the `dtype` log field value is not empty then, `dtype` log field is mapped to the `security_result.category_details` UDM field. Else, if the `attack` log field value is not empty then, `attack` log field is mapped to the `security_result.category_details` UDM field. Else, if the `icbverdict` log field value is not empty then, `icbverdict` log field is mapped to the `security_result.category_details` UDM field. Else, if the `infection` log field value is not empty then, `infection` log field is mapped to the `security_result.category_details` UDM field. Else, if the `cat` log field value is not empty then, `cat` log field is mapped to the `security_result.category_details` UDM field.
`icbverdict`	`security_result.category_details`	If the `catdesc` log field value is not empty then, `catdesc` log field is mapped to the `security_result.category_details` UDM field. Else, if the `category` log field value is not empty then, `category` log field is mapped to the `security_result.category_details` UDM field. Else, if the `filtercat` log field value is not empty then, `filtercat` log field is mapped to the `security_result.category_details` UDM field. Else, if the `dtype` log field value is not empty then, `dtype` log field is mapped to the `security_result.category_details` UDM field. Else, if the `attack` log field value is not empty then, `attack` log field is mapped to the `security_result.category_details` UDM field. Else, if the `icbverdict` log field value is not empty then, `icbverdict` log field is mapped to the `security_result.category_details` UDM field. Else, if the `infection` log field value is not empty then, `infection` log field is mapped to the `security_result.category_details` UDM field. Else, if the `cat` log field value is not empty then, `cat` log field is mapped to the `security_result.category_details` UDM field.
`infection`	`security_result.category_details`	If the `catdesc` log field value is not empty then, `catdesc` log field is mapped to the `security_result.category_details` UDM field. Else, if the `category` log field value is not empty then, `category` log field is mapped to the `security_result.category_details` UDM field. Else, if the `filtercat` log field value is not empty then, `filtercat` log field is mapped to the `security_result.category_details` UDM field. Else, if the `dtype` log field value is not empty then, `dtype` log field is mapped to the `security_result.category_details` UDM field. Else, if the `attack` log field value is not empty then, `attack` log field is mapped to the `security_result.category_details` UDM field. Else, if the `icbverdict` log field value is not empty then, `icbverdict` log field is mapped to the `security_result.category_details` UDM field. Else, if the `infection` log field value is not empty then, `infection` log field is mapped to the `security_result.category_details` UDM field. Else, if the `cat` log field value is not empty then, `cat` log field is mapped to the `security_result.category_details` UDM field.
`auditscore`	`security_result.confidence`	If the `auditscore` log field value is not empty and if the `auditscore` log field value <= 33 then, the `security_result.confidence` UDM field is set to `LOW_CONFIDENCE`. Else, if the `auditscore` log field value < 67 then, the `security_result.confidence` UDM field is set to `MEDIUM_CONFIDENCE`. Else, if the `auditscore` log field value >= 67 then, the `security_result.confidence` UDM field is set to `HIGH_CONFIDENCE`. Else, if the `icbconfidence` log field value is not empty then, `icbconfidence` log field is mapped to the `security_result.confidence` UDM field.
`icbconfidence`	`security_result.confidence`	If the `auditscore` log field value is not empty and if the `auditscore` log field value <= 33 then, the `security_result.confidence` UDM field is set to `LOW_CONFIDENCE`. Else, if the `auditscore` log field value < 67 then, the `security_result.confidence` UDM field is set to `MEDIUM_CONFIDENCE`. Else, if the `auditscore` log field value >= 67 then, the `security_result.confidence` UDM field is set to `HIGH_CONFIDENCE`. Else, if the `icbconfidence` log field value is not empty then, `icbconfidence` log field is mapped to the `security_result.confidence` UDM field.
`path`	`security_result.description`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `reason` log field value is not equal to `N/A` and the `reason` log field value is not empty then, `reason` log field is mapped to the `security_result.description` UDM field. if the `subtype` log field value is equal to `webfilter` and if the `catdesc` log field value is not empty then, `%{msg} - URL Category: %{catdesc}` log field is mapped to the `security_result.description` UDM field. Else, if the `type` log field value is equal to `dns` and the `subtype` log field value contain one of the following values `dns-query` `dns-response` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `dns` and if the `catdesc` log field value is not empty then, `%{msg} - URL Category: %{catdesc}` log field is mapped to the `security_result.description` UDM field. Else, if the `fortiguardresp` log field value is not empty then, `fortiguardresp` log field is mapped to the `security_result.description` UDM field. Else, if the `malform_desc` log field value is not empty then, `malform_desc` log field is mapped to the `security_result.description` UDM field. Else, if the `result` log field value does not contain one of the following values `Empty` `N/A` then, `result` log field is mapped to the `security_result.description` UDM field. Else, if the `path` log field value is not empty then, `path` log field is mapped to the `security_result.description` UDM field. Else, if the `action` log field value contain one of the following values `accept` `passthrough` `pass` `permit` `detected` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` `auth-logon` or the `utmaction` log field value contain one of the following values `accept` `allow` `passthrough` `pass` `detected` `permit` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` or the `status` log field value is equal to `success` or the `outcome` log field value is equal to `REDIRECTED_USER_MAY_PROCEED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Success\|Success)` or the `cs2` log field value matches the regular expression pattern `Allow` then, the `security_result.description` UDM field is set to `Action: ALLOW`. Else, if the `action` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` or the `utmaction` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` `deny` `dropped` `blocked` `block` `timeout` `negotiate` or the `status` log field value is equal to `failure` or the `status` log field value is equal to `failed` or the `outcome` log field value is equal to `BLOCKED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Failure\|Failed)` or the `cs2` log field value matches the regular expression pattern `Denied` then, the `security_result.description` UDM field is set to `Action: BLOCK`. Else, if the `outcome` log field value matches the regular expression pattern `Failure` then, the `security_result.description` UDM field is set to `Action: FAIL`.
`result`	`security_result.description`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `reason` log field value is not equal to `N/A` and the `reason` log field value is not empty then, `reason` log field is mapped to the `security_result.description` UDM field. if the `subtype` log field value is equal to `webfilter` and if the `catdesc` log field value is not empty then, `%{msg} - URL Category: %{catdesc}` log field is mapped to the `security_result.description` UDM field. Else, if the `type` log field value is equal to `dns` and the `subtype` log field value contain one of the following values `dns-query` `dns-response` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `dns` and if the `catdesc` log field value is not empty then, `%{msg} - URL Category: %{catdesc}` log field is mapped to the `security_result.description` UDM field. Else, if the `fortiguardresp` log field value is not empty then, `fortiguardresp` log field is mapped to the `security_result.description` UDM field. Else, if the `malform_desc` log field value is not empty then, `malform_desc` log field is mapped to the `security_result.description` UDM field. Else, if the `result` log field value does not contain one of the following values `Empty` `N/A` then, `result` log field is mapped to the `security_result.description` UDM field. Else, if the `path` log field value is not empty then, `path` log field is mapped to the `security_result.description` UDM field. Else, if the `action` log field value contain one of the following values `accept` `passthrough` `pass` `permit` `detected` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` `auth-logon` or the `utmaction` log field value contain one of the following values `accept` `allow` `passthrough` `pass` `detected` `permit` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` or the `status` log field value is equal to `success` or the `outcome` log field value is equal to `REDIRECTED_USER_MAY_PROCEED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Success\|Success)` or the `cs2` log field value matches the regular expression pattern `Allow` then, the `security_result.description` UDM field is set to `Action: ALLOW`. Else, if the `action` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` or the `utmaction` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` `deny` `dropped` `blocked` `block` `timeout` `negotiate` or the `status` log field value is equal to `failure` or the `status` log field value is equal to `failed` or the `outcome` log field value is equal to `BLOCKED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Failure\|Failed)` or the `cs2` log field value matches the regular expression pattern `Denied` then, the `security_result.description` UDM field is set to `Action: BLOCK`. Else, if the `outcome` log field value matches the regular expression pattern `Failure` then, the `security_result.description` UDM field is set to `Action: FAIL`.
`reason`	`security_result.description`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `reason` log field value is not equal to `N/A` and the `reason` log field value is not empty then, `reason` log field is mapped to the `security_result.description` UDM field. if the `subtype` log field value is equal to `webfilter` and if the `catdesc` log field value is not empty then, `%{msg} - URL Category: %{catdesc}` log field is mapped to the `security_result.description` UDM field. Else, if the `type` log field value is equal to `dns` and the `subtype` log field value contain one of the following values `dns-query` `dns-response` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `dns` and if the `catdesc` log field value is not empty then, `%{msg} - URL Category: %{catdesc}` log field is mapped to the `security_result.description` UDM field. Else, if the `fortiguardresp` log field value is not empty then, `fortiguardresp` log field is mapped to the `security_result.description` UDM field. Else, if the `malform_desc` log field value is not empty then, `malform_desc` log field is mapped to the `security_result.description` UDM field. Else, if the `result` log field value does not contain one of the following values `Empty` `N/A` then, `result` log field is mapped to the `security_result.description` UDM field. Else, if the `path` log field value is not empty then, `path` log field is mapped to the `security_result.description` UDM field. Else, if the `action` log field value contain one of the following values `accept` `passthrough` `pass` `permit` `detected` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` `auth-logon` or the `utmaction` log field value contain one of the following values `accept` `allow` `passthrough` `pass` `detected` `permit` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` or the `status` log field value is equal to `success` or the `outcome` log field value is equal to `REDIRECTED_USER_MAY_PROCEED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Success\|Success)` or the `cs2` log field value matches the regular expression pattern `Allow` then, the `security_result.description` UDM field is set to `Action: ALLOW`. Else, if the `action` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` or the `utmaction` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` `deny` `dropped` `blocked` `block` `timeout` `negotiate` or the `status` log field value is equal to `failure` or the `status` log field value is equal to `failed` or the `outcome` log field value is equal to `BLOCKED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Failure\|Failed)` or the `cs2` log field value matches the regular expression pattern `Denied` then, the `security_result.description` UDM field is set to `Action: BLOCK`. Else, if the `outcome` log field value matches the regular expression pattern `Failure` then, the `security_result.description` UDM field is set to `Action: FAIL`.
`fortiguardresp`	`security_result.description`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `reason` log field value is not equal to `N/A` and the `reason` log field value is not empty then, `reason` log field is mapped to the `security_result.description` UDM field. if the `subtype` log field value is equal to `webfilter` and if the `catdesc` log field value is not empty then, `%{msg} - URL Category: %{catdesc}` log field is mapped to the `security_result.description` UDM field. Else, if the `type` log field value is equal to `dns` and the `subtype` log field value contain one of the following values `dns-query` `dns-response` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `dns` and if the `catdesc` log field value is not empty then, `%{msg} - URL Category: %{catdesc}` log field is mapped to the `security_result.description` UDM field. Else, if the `fortiguardresp` log field value is not empty then, `fortiguardresp` log field is mapped to the `security_result.description` UDM field. Else, if the `malform_desc` log field value is not empty then, `malform_desc` log field is mapped to the `security_result.description` UDM field. Else, if the `result` log field value does not contain one of the following values `Empty` `N/A` then, `result` log field is mapped to the `security_result.description` UDM field. Else, if the `path` log field value is not empty then, `path` log field is mapped to the `security_result.description` UDM field. Else, if the `action` log field value contain one of the following values `accept` `passthrough` `pass` `permit` `detected` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` `auth-logon` or the `utmaction` log field value contain one of the following values `accept` `allow` `passthrough` `pass` `detected` `permit` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` or the `status` log field value is equal to `success` or the `outcome` log field value is equal to `REDIRECTED_USER_MAY_PROCEED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Success\|Success)` or the `cs2` log field value matches the regular expression pattern `Allow` then, the `security_result.description` UDM field is set to `Action: ALLOW`. Else, if the `action` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` or the `utmaction` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` `deny` `dropped` `blocked` `block` `timeout` `negotiate` or the `status` log field value is equal to `failure` or the `status` log field value is equal to `failed` or the `outcome` log field value is equal to `BLOCKED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Failure\|Failed)` or the `cs2` log field value matches the regular expression pattern `Denied` then, the `security_result.description` UDM field is set to `Action: BLOCK`. Else, if the `outcome` log field value matches the regular expression pattern `Failure` then, the `security_result.description` UDM field is set to `Action: FAIL`.
`malform_desc`	`security_result.description`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `reason` log field value is not equal to `N/A` and the `reason` log field value is not empty then, `reason` log field is mapped to the `security_result.description` UDM field. if the `subtype` log field value is equal to `webfilter` and if the `catdesc` log field value is not empty then, `%{msg} - URL Category: %{catdesc}` log field is mapped to the `security_result.description` UDM field. Else, if the `type` log field value is equal to `dns` and the `subtype` log field value contain one of the following values `dns-query` `dns-response` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `dns` and if the `catdesc` log field value is not empty then, `%{msg} - URL Category: %{catdesc}` log field is mapped to the `security_result.description` UDM field. Else, if the `fortiguardresp` log field value is not empty then, `fortiguardresp` log field is mapped to the `security_result.description` UDM field. Else, if the `malform_desc` log field value is not empty then, `malform_desc` log field is mapped to the `security_result.description` UDM field. Else, if the `result` log field value does not contain one of the following values `Empty` `N/A` then, `result` log field is mapped to the `security_result.description` UDM field. Else, if the `path` log field value is not empty then, `path` log field is mapped to the `security_result.description` UDM field. Else, if the `action` log field value contain one of the following values `accept` `passthrough` `pass` `permit` `detected` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` `auth-logon` or the `utmaction` log field value contain one of the following values `accept` `allow` `passthrough` `pass` `detected` `permit` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` or the `status` log field value is equal to `success` or the `outcome` log field value is equal to `REDIRECTED_USER_MAY_PROCEED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Success\|Success)` or the `cs2` log field value matches the regular expression pattern `Allow` then, the `security_result.description` UDM field is set to `Action: ALLOW`. Else, if the `action` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` or the `utmaction` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` `deny` `dropped` `blocked` `block` `timeout` `negotiate` or the `status` log field value is equal to `failure` or the `status` log field value is equal to `failed` or the `outcome` log field value is equal to `BLOCKED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Failure\|Failed)` or the `cs2` log field value matches the regular expression pattern `Denied` then, the `security_result.description` UDM field is set to `Action: BLOCK`. Else, if the `outcome` log field value matches the regular expression pattern `Failure` then, the `security_result.description` UDM field is set to `Action: FAIL`.
`msg`	`security_result.description`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `reason` log field value is not equal to `N/A` and the `reason` log field value is not empty then, `reason` log field is mapped to the `security_result.description` UDM field. if the `subtype` log field value is equal to `webfilter` and if the `catdesc` log field value is not empty then, `%{msg} - URL Category: %{catdesc}` log field is mapped to the `security_result.description` UDM field. Else, if the `type` log field value is equal to `dns` and the `subtype` log field value contain one of the following values `dns-query` `dns-response` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `dns` and if the `catdesc` log field value is not empty then, `%{msg} - URL Category: %{catdesc}` log field is mapped to the `security_result.description` UDM field. Else, if the `fortiguardresp` log field value is not empty then, `fortiguardresp` log field is mapped to the `security_result.description` UDM field. Else, if the `malform_desc` log field value is not empty then, `malform_desc` log field is mapped to the `security_result.description` UDM field. Else, if the `result` log field value does not contain one of the following values `Empty` `N/A` then, `result` log field is mapped to the `security_result.description` UDM field. Else, if the `path` log field value is not empty then, `path` log field is mapped to the `security_result.description` UDM field. Else, if the `action` log field value contain one of the following values `accept` `passthrough` `pass` `permit` `detected` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` `auth-logon` or the `utmaction` log field value contain one of the following values `accept` `allow` `passthrough` `pass` `detected` `permit` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` or the `status` log field value is equal to `success` or the `outcome` log field value is equal to `REDIRECTED_USER_MAY_PROCEED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Success\|Success)` or the `cs2` log field value matches the regular expression pattern `Allow` then, the `security_result.description` UDM field is set to `Action: ALLOW`. Else, if the `action` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` or the `utmaction` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` `deny` `dropped` `blocked` `block` `timeout` `negotiate` or the `status` log field value is equal to `failure` or the `status` log field value is equal to `failed` or the `outcome` log field value is equal to `BLOCKED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Failure\|Failed)` or the `cs2` log field value matches the regular expression pattern `Denied` then, the `security_result.description` UDM field is set to `Action: BLOCK`. Else, if the `outcome` log field value matches the regular expression pattern `Failure` then, the `security_result.description` UDM field is set to `Action: FAIL`.
`catdesc`	`security_result.description`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `reason` log field value is not equal to `N/A` and the `reason` log field value is not empty then, `reason` log field is mapped to the `security_result.description` UDM field. if the `subtype` log field value is equal to `webfilter` and if the `catdesc` log field value is not empty then, `%{msg} - URL Category: %{catdesc}` log field is mapped to the `security_result.description` UDM field. Else, if the `type` log field value is equal to `dns` and the `subtype` log field value contain one of the following values `dns-query` `dns-response` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `dns` and if the `catdesc` log field value is not empty then, `%{msg} - URL Category: %{catdesc}` log field is mapped to the `security_result.description` UDM field. Else, if the `fortiguardresp` log field value is not empty then, `fortiguardresp` log field is mapped to the `security_result.description` UDM field. Else, if the `malform_desc` log field value is not empty then, `malform_desc` log field is mapped to the `security_result.description` UDM field. Else, if the `result` log field value does not contain one of the following values `Empty` `N/A` then, `result` log field is mapped to the `security_result.description` UDM field. Else, if the `path` log field value is not empty then, `path` log field is mapped to the `security_result.description` UDM field. Else, if the `action` log field value contain one of the following values `accept` `passthrough` `pass` `permit` `detected` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` `auth-logon` or the `utmaction` log field value contain one of the following values `accept` `allow` `passthrough` `pass` `detected` `permit` `close` `tunnel-down` `tunnel-stats` `tunnel-up` `ssl-new-con` or the `status` log field value is equal to `success` or the `outcome` log field value is equal to `REDIRECTED_USER_MAY_PROCEED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Success\|Success)` or the `cs2` log field value matches the regular expression pattern `Allow` then, the `security_result.description` UDM field is set to `Action: ALLOW`. Else, if the `action` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` or the `utmaction` log field value contain one of the following values `deny` `dropped` `blocked` `timeout` `negotiate` `ssl-login-fail` `clear_session` `deny` `dropped` `blocked` `block` `timeout` `negotiate` or the `status` log field value is equal to `failure` or the `status` log field value is equal to `failed` or the `outcome` log field value is equal to `BLOCKED` or the `categoryOutcome` log field value matches the regular expression pattern `(/Failure\|Failed)` or the `cs2` log field value matches the regular expression pattern `Denied` then, the `security_result.description` UDM field is set to `Action: BLOCK`. Else, if the `outcome` log field value matches the regular expression pattern `Failure` then, the `security_result.description` UDM field is set to `Action: FAIL`.
`domainctrlauthtype`	`security_result.detection_fields[domainctrlauthtype]`
`filehashsrc`	`security_result.detection_fields[filehashsrc]`
`deny_cause`	`security_result.detection_fields`
`accessctrl`	`security_result.detection_fields[accessctrl]`
`accessproxy`	`security_result.detection_fields[accessproxy]`
`acct_stat`	`security_result.detection_fields[acct_stat]`
`acktime`	`security_result.detection_fields[acktime]`
`activity`	`security_result.detection_fields[activity]`
`activitycategory`	`security_result.detection_fields[activitycategory]`
`age`	`security_result.detection_fields[age]`
`alarmid`	`security_result.detection_fields[alarmid]`
`antiphishdc`	`security_result.detection_fields[antiphishdc]`
`antiphishrule`	`security_result.detection_fields[antiphishrule]`
`ap`	`security_result.detection_fields[ap]`
`apn`	`security_result.detection_fields[apn]`
`app-type`	`security_result.detection_fields[app-type]`
`apperror`	`security_result.detection_fields[apperror]`
`apscan`	`security_result.detection_fields[apscan]`
`apsn`	`security_result.detection_fields[apsn]`
`apstatus`	`security_result.detection_fields[apstatus]`
`aptype`	`security_result.detection_fields[aptype]`
`auditid`	`security_result.detection_fields[auditid]`
`auditreporttype`	`security_result.detection_fields[auditreporttype]`
`audittime`	`security_result.detection_fields[audittime]`
`authalgo`	`security_result.detection_fields[authalgo]`
`authgrp`	`security_result.detection_fields[authgrp]`
`authid`	`security_result.detection_fields[authid]`
`banword`	`security_result.detection_fields[banword]`
`bssid`	`security_result.detection_fields[bssid]`
`c-ggsn-teid`	`security_result.detection_fields[c-ggsn-teid]`
`c-gsn`	`security_result.detection_fields[c-gsn]`
`c-pkts`	`security_result.detection_fields[c-pkts]`
`c-sgsn-teid`	`security_result.detection_fields[c-sgsn-teid]`
`c-sgsn`	`security_result.detection_fields[c-sgsn]`
`call_id`	`security_result.detection_fields[call_id]`
`carrier_ep`	`security_result.detection_fields[carrier_ep]`
`cat`	`security_result.detection_fields[cat]`
`cc`	`security_result.detection_fields[cc]`
`ccertissuer`	`security_result.detection_fields[ccertissuer]`
`cdrcontent`	`security_result.detection_fields[cdrcontent]`
`centralnatid`	`security_result.detection_fields[centralnatid]`
`cfgtid`	`security_result.detection_fields[cfgtid]`
`cfgtxpower`	`security_result.detection_fields[cfgtxpower]`
`cfseid`	`security_result.detection_fields[cfseid]`
`cfseidaddr`	`security_result.detection_fields[cfseidaddr]`
`cggsn6`	`security_result.detection_fields[cggsn6]`
`cgsn6`	`security_result.detection_fields[cgsn6]`
`channel`	`security_result.detection_fields[channel]`
`channeltype`	`security_result.detection_fields[channeltype]`
`clashtunnelidx`	`security_result.detection_fields[clashtunnelidx]`
`command`	`security_result.detection_fields[command]`
`configcountry`	`security_result.detection_fields[configcountry]`
`connector`	`security_result.detection_fields[connector]`
`conserve`	`security_result.detection_fields[conserve]`
`constraint`	`security_result.detection_fields[constraint]`
`contentdisarmed`	`security_result.detection_fields[contentdisarmed]`
`contentencoding`	`security_result.detection_fields[contentencoding]`
`contenttype`	`security_result.detection_fields[contenttype]`
`countapp`	`security_result.detection_fields[countapp]`
`countav`	`security_result.detection_fields[countav]`
`countcasb`	`security_result.detection_fields[countcasb]`
`countcifs`	`security_result.detection_fields[countcifs]`
`countdlp`	`security_result.detection_fields[countdlp]`
`countdns`	`security_result.detection_fields[countdns]`
`countemail`	`security_result.detection_fields[countemail]`
`countff`	`security_result.detection_fields[countff]`
`counticap`	`security_result.detection_fields[counticap]`
`countips`	`security_result.detection_fields[countips]`
`countsctpf`	`security_result.detection_fields[countsctpf]`
`countssh`	`security_result.detection_fields[countssh]`
`countssl`	`security_result.detection_fields[countssl]`
`countvpatch`	`security_result.detection_fields[countvpatch]`
`countwaf`	`security_result.detection_fields[countwaf]`
`countweb`	`security_result.detection_fields[countweb]`
`criticalcount`	`security_result.detection_fields[criticalcount]`
`csgsn6`	`security_result.detection_fields[csgsn6]`
`cveid`	`security_result.detection_fields[cveid]`
`daemon`	`security_result.detection_fields[daemon]`
`desc`	`security_result.detection_fields[desc]`
`dstcountry`	`security_result.detection_fields[dstcountry]`
`dstinetsvc`	`security_result.detection_fields[dstinetsvc]`
`dstintf`	`target.asset.attribute.labels[dstintf]`
`dstintfrole`	`target.asset.attribute.labels[dstintfrole]`
`eventtype`	`security_result.detection_fields[eventtype]`
`filtertype`	`security_result.detection_fields[filtertype]`
`highcount`	`security_result.detection_fields[highcount]`
`imei-sv`	`security_result.detection_fields[imei-sv]`
`imsi`	`security_result.detection_fields[imsi]`
`in_spi`	`security_result.detection_fields[in_spi]`
`inbandwidthavailable`	`security_result.detection_fields[inbandwidthavailable]`
`inbandwidthused`	`security_result.detection_fields[inbandwidthused]`
`informationsource`	`security_result.detection_fields[informationsource]`
`keyalgo`	`security_result.detection_fields[keyalgo]`
`keysize`	`security_result.detection_fields[keysize]`
`kind`	`security_result.detection_fields[kind]`
`kxcurve`	`security_result.detection_fields[kxcurve]`
`kxproto`	`security_result.detection_fields[kxproto]`
`lowcount`	`security_result.detection_fields[lowcount]`
`malform_data`	`security_result.detection_fields[malforn_data]`
`mediumcount`	`security_result.detection_fields[mediumcount]`
`mgmtcnt`	`security_result.detection_fields[mgmtcnt]`
`neighbor`	`security_result.detection_fields[neighbor]`
`networktransfertime`	`security_result.detection_fields[networktransfertime]`
`newchannel`	`security_result.detection_fields[newchannel]`
`newchassisid`	`security_result.detection_fields[newchassisid]`
`newslot`	`security_result.detection_fields[newslot]`
`newvalue`	`security_result.detection_fields[newvalue]`
`noise`	`security_result.detection_fields[noise]`
`notafter`	`security_result.detection_fields[notafter]`
`notbefore`	`security_result.detection_fields[notbefore]`
`numpassmember`	`security_result.detection_fields[numpassmember]`
`oldchannel`	`security_result.detection_fields[oldchannel]`
`oldchassisid`	`security_result.detection_fields[oldchassisid]`
`oldslot`	`security_result.detection_fields[oldslot]`
`oldvalue`	`security_result.detection_fields[oldvalue]`
`oldwprof`	`security_result.detection_fields[oldwprof]`
`onwire`	`security_result.detection_fields[onwire]`
`operdrmamode`	`security_result.detection_fields[operdrmamode]`
`opertxpower`	`security_result.detection_fields[opertxpower]`
`out_spi`	`security_result.detection_fields[out_spi]`
`outbandwidthavailable`	`security_result.detection_fields[outbandwidthavailable]`
`outbandwidthused`	`security_result.detection_fields[outbandwidthused]`
`packetloss`	`security_result.detection_fields[packetloss]`
`parameters`	`security_result.detection_fields[parameters]`
`passedcount`	`security_result.detection_fields[passedcount]`
`pathname`	`security_result.detection_fields[pathname]`
`phase2_name`	`security_result.detection_fields[phase2_name]`
`processtime`	`security_result.detection_fields[processtime]`
`qclass`	`security_result.detection_fields[qclass]`
`qtype`	`security_result.detection_fields[qtype]`
`qtypeval`	`security_result.detection_fields[qtypeval]`
`quarskip`	`security_result.detection_fields[quarskip]`
`quotaexceeded`	`security_result.detection_fields[quotaexceeded]`
`quotamax`	`security_result.detection_fields[quotamax]`
`quotatype`	`security_result.detection_fields[quotatype]`
`quotaused`	`security_result.detection_fields[quotaused]`
`radioband`	`security_result.detection_fields[radioband]`
`radioid`	`security_result.detection_fields[radioid]`
`radioidclosest`	`security_result.detection_fields[radioidclosest]`
`radioiddetected`	`security_result.detection_fields[radioiddetected]`
`rai`	`security_result.detection_fields[rai]`
`rat-type`	`security_result.detection_fields[rat-type]`
`rate`	`security_result.detection_fields[rate]`
`rawdata`	`security_result.detection_fields[rawdata]`
`rawdataid`	`security_result.detection_fields[rawdataid]`
`rcode`	`security_result.detection_fields[rcode]`
`remotetunnelid`	`security_result.detection_fields[remotetunnelid]`
`remotewtptime`	`security_result.detection_fields[remotewtptime]`
`replydstintf`	`security_result.detection_fields[replydstintf]`
`replysrcintf`	`security_result.detection_fields[replysrcintf]`
`reporttype`	`security_result.detection_fields[reporttype]`
`reqlength`	`security_result.detection_fields[reqlength]`
`reqtime`	`security_result.detection_fields[reqtime]`
`respfinishtime`	`security_result.detection_fields[respfinishtime]`
`san`	`security_result.detection_fields[san]`
`scantime`	`security_result.detection_fields[scantime]`
`scheme`	`security_result.detection_fields[scheme]`
`scope`	`security_result.detection_fields[scope]`
`security`	`security_result.detection_fields[security]`
`selection`	`security_result.detection_fields[selection]`
`sensitivity`	`security_result.detection_fields[sensitivity]`
`sentdelta`	`security_result.detection_fields[sentdelta]`
`sentpktdelta`	`security_result.detection_fields[sentpktdelta]`
`seq`	`security_result.detection_fields[seq]`
`seqnum`	`security_result.detection_fields[seqnum]`
`serial`	`security_result.detection_fields[serial]`
`serialno`	`security_result.detection_fields[serialno]`
`setuprate`	`security_result.detection_fields[setuprate]`
`shaperdroprcvdbyte`	`security_result.detection_fields[shaperdroprcvdbyte]`
`shaperdropsentbyte`	`security_result.detection_fields[shaperdropsentbyte]`
`shaperperipdropbyte`	`security_result.detection_fields[shaperperipdropbyte]`
`shaperperipname`	`security_result.detection_fields[shaperperipname]`
`shaperrcvdname`	`security_result.detection_fields[shaperrcvdname]`
`shapersentname`	`security_result.detection_fields[shapersentname]`
`shapingpolicyid`	`security_result.detection_fields[shapingpolicyid]`
`shapingpolicyname`	`security_result.detection_fields[shapingpolicyname]`
`sharename`	`security_result.detection_fields[sharename]`
`signal`	`security_result.detection_fields[signal]`
`size`	`security_result.detection_fields[size]`
`ski`	`security_result.detection_fields[ski]`
`slamap`	`security_result.detection_fields[slamap]`
`slatargetid`	`security_result.detection_fields[slatargetid]`
`slctdrmamode`	`security_result.detection_fields[slctdrmamode]`
`slot`	`security_result.detection_fields[slot]`
`sn`	`security_result.detection_fields[sn]`
`snclosest`	`security_result.detection_fields[snclosest]`
`sndetected`	`security_result.detection_fields[sndetected]`
`snetwork`	`security_result.detection_fields[snetwork]`
`sni`	`security_result.detection_fields[sni]`
`snmeshparent`	`security_result.detection_fields[snmeshparent]`
`snprev`	`security_result.detection_fields[snprev]`
`snr`	`security_result.detection_fields[snr]`
`source_mac`	`security_result.detection_fields[source_mac]`
`speedtestserver`	`security_result.detection_fields[speedtestserver]`
`spi`	`security_result.detection_fields[spi]`
`srccountry`	`security_result.detection_fields[srccountry]`
`srcinetsvc`	`security_result.detection_fields[srcinetsvc]`
`srcintf`	`security_result.detection_fields[srcintf]`
`srcintfrole`	`security_result.detection_fields[srcintfrole]`
`sscname`	`security_result.detection_fields[sscname]`
`sslaction`	`security_result.detection_fields[sslaction]`
`stacount`	`security_result.detection_fields[stacount]`
`stamac`	`security_result.detection_fields[stamac]`
`state`	`security_result.detection_fields[state]`
`status`	`security_result.detection_fields[status]`
`statuscode`	`security_result.detection_fields[statuscode]`
`stitch`	`security_result.detection_fields[stitch]`
`stitchaction`	`security_result.detection_fields[stitchaction]`
`subaction`	`security_result.detection_fields[subaction]`
`submodule`	`security_result.detection_fields[submodule]`
`subservice`	`security_result.detection_fields[subservice]`
`switchaclid`	`security_result.detection_fields[switchaclid]`
`switchautoip`	`security_result.detection_fields[switchautoip]`
`switchid`	`security_result.detection_fields[switchid]`
`switchinterface`	`security_result.detection_fields[switchinterface]`
`switchl2capacity`	`security_result.detection_fields[switchl2capacity]`
`switchl2count`	`security_result.detection_fields[switchl2count]`
`switchmirrorsession`	`security_result.detection_fields[switchmirrorsession]`
`switchphysicalport`	`security_result.detection_fields[switchphysicalport]`
`switchproto`	`security_result.detection_fields[switchproto]`
`switchsysteminterface`	`security_result.detection_fields[switchsysteminterface]`
`switchtrunk`	`security_result.detection_fields[switchtrunk]`
`switchtrunkinterface`	`security_result.detection_fields[switchtrunkinterface]`
`sync_status`	`security_result.detection_fields[sync_status]`
`sync_type`	`security_result.detection_fields[sync_type]`
`tcpnrt`	`security_result.detection_fields[tcpnrt]`
`tcporgrtrs`	`security_result.detection_fields[tcporgrtrs]`
`tcprplrtrs`	`security_result.detection_fields[tcprplrtrs]`
`tcprst`	`security_result.detection_fields[tcprst]`
`tcpsrt`	`security_result.detection_fields[tcpsrt]`
`tcpsynackrtrs`	`security_result.detection_fields[tcpsynackrtrs]`
`tcpsynrtrs`	`security_result.detection_fields[tcpsynrtrs]`
`tenantmatch`	`security_result.detection_fields[tenantmatch]`
`threattype`	`security_result.detection_fields[threattype]`
`ticket`	`security_result.detection_fields[ticket]`
`timeoutdelete`	`security_result.detection_fields[timeoutdelete]`
`tlsver`	`security_result.detection_fields[tlsver]`
`to6`	`security_result.detection_fields[to6]`
`total`	`security_result.detection_fields[total]`
`trace_id`	`security_result.detection_fields[trace_id]`
`transid`	`security_result.detection_fields[transid]`
`translationid`	`security_result.detection_fields[translationid]`
`trigger`	`security_result.detection_fields[trigger]`
`trueclntip`	`security_result.detection_fields[trueclntip]`
`u-bytes`	`security_result.detection_fields[u-bytes]`
`u-ggsn-teid`	`security_result.detection_fields[u-ggsn-teid]`
`u-ggsn`	`security_result.detection_fields[u-ggsn]`
`u-gsn`	`security_result.detection_fields[u-gsn]`
`u-pkts`	`security_result.detection_fields[u-pkts]`
`u-sgsn-teid`	`security_result.detection_fields[u-sgsn-teid]`
`u-sgsn`	`security_result.detection_fields[u-sgsn]`
`ufseid`	`security_result.detection_fields[ufseid]`
`ufseidaddr`	`security_result.detection_fields[ufseidaddr]`
`uggsn6`	`security_result.detection_fields[uggsn6]`
`ugsn6`	`security_result.detection_fields[ugsn6]`
`unauthusersource`	`security_result.detection_fields[unauthusersource]`
`upbandwidthmeasured`	`security_result.detection_fields[upbandwidthmeasured]`
`upgradedevice`	`security_result.detection_fields[upgradedevice]`
`upteid`	`security_result.detection_fields[upteid]`
`urlfilteridx`	`security_result.detection_fields[urlfilteridx]`
`urlfilterlist`	`security_result.detection_fields[urlfilterlist]`
`urlrisk`	`security_result.detection_fields[urlrisk]`
`urlsource`	`security_result.detection_fields[urlsource]`
`urltype`	`security_result.detection_fields[urltype]`
`used`	`security_result.detection_fields[used]`
`usgsn6`	`security_result.detection_fields[usgsn6]`
`vap`	`security_result.detection_fields[vap]`
`vapmode`	`security_result.detection_fields[vapmode]`
`vcluster_member`	`security_result.detection_fields[vcluster_member]`
`vcluster_state`	`security_result.detection_fields[vcluster_state]`
`vcluster`	`security_result.detection_fields[vcluster]`
`vdname`	`security_result.detection_fields[vdname]`
`vendor`	`security_result.detection_fields[vendor]`
`vendorurl`	`security_result.detection_fields[vendorurl]`
`videocategoryid`	`security_result.detection_fields[videocategoryid]`
`videocategoryname`	`security_result.detection_fields[videocategoryname]`
`videochannelid`	`security_result.detection_fields[videochannelid]`
`videodesc`	`security_result.detection_fields[videodesc]`
`videoid`	`security_result.detection_fields[videoid]`
`videoinfosource`	`security_result.detection_fields[videoinfosource]`
`videotitle`	`security_result.detection_fields[videotitle]`
`violations`	`security_result.detection_fields[violations]`
`vip`	`security_result.detection_fields[vip]`
`viruscat`	`security_result.detection_fields[viruscat]`
`vlan`	`security_result.detection_fields[vlan]`
`voip_proto`	`security_result.detection_fields[voip_proto]`
`vrf`	`security_result.detection_fields[vrf]`
`vulncat`	`security_result.detection_fields[vulncat]`
`vulncnt`	`security_result.detection_fields[vulncnt]`
`vulnid`	`security_result.detection_fields[vulnid]`
`vulnname`	`security_result.detection_fields[vulnname]`
`vulnresult`	`security_result.detection_fields[vulnresult]`
`vwlid`	`security_result.detection_fields[vwlid]`
`vwlname`	`security_result.detection_fields[vwlname]`
`vwlquality`	`security_result.detection_fields[vwlquality]`
`vwlservice`	`security_result.detection_fields[vwlservice]`
`vwpvlanid`	`security_result.detection_fields[vwpvlanid]`
`wanoptapptype`	`security_result.detection_fields[wanoptapptype]`
`wanout`	`security_result.detection_fields[wanout]`
`weakwepiv`	`security_result.detection_fields[weakwepiv]`
`webmailprovider`	`security_result.detection_fields[webmailprovider]`
`wscode`	`security_result.detection_fields[wscode]`
`xid`	`security_result.detection_fields[xid]`
`dstreputation`	`security_result.risk_score`
`attackid`	`security_result.rule_id`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `policyid` log field value is not empty then, `policyid` log field is mapped to the `security_result.rule_id` UDM field. if the `attackid` log field value is not empty then, `attackid` log field is mapped to the `security_result.rule_id` UDM field. if the `subtype` log field value is equal to `webfilter` and the `cat` log field value is not empty then, `cat` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `ruleid` log field value is not empty then, `ruleid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `appid` log field value is not empty then, `appid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `policyid` log field value is not empty then, `policyid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `poluuid` log field value is not empty then, `poluuid` log field is mapped to the `security_result.rule_id` UDM field.
`cat`	`security_result.rule_id`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `policyid` log field value is not empty then, `policyid` log field is mapped to the `security_result.rule_id` UDM field. if the `attackid` log field value is not empty then, `attackid` log field is mapped to the `security_result.rule_id` UDM field. if the `subtype` log field value is equal to `webfilter` and the `cat` log field value is not empty then, `cat` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `ruleid` log field value is not empty then, `ruleid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `appid` log field value is not empty then, `appid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `policyid` log field value is not empty then, `policyid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `poluuid` log field value is not empty then, `poluuid` log field is mapped to the `security_result.rule_id` UDM field.
`ruleid`	`security_result.rule_id`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `policyid` log field value is not empty then, `policyid` log field is mapped to the `security_result.rule_id` UDM field. if the `attackid` log field value is not empty then, `attackid` log field is mapped to the `security_result.rule_id` UDM field. if the `subtype` log field value is equal to `webfilter` and the `cat` log field value is not empty then, `cat` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `ruleid` log field value is not empty then, `ruleid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `appid` log field value is not empty then, `appid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `policyid` log field value is not empty then, `policyid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `poluuid` log field value is not empty then, `poluuid` log field is mapped to the `security_result.rule_id` UDM field.
`appid`	`security_result.rule_id`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `policyid` log field value is not empty then, `policyid` log field is mapped to the `security_result.rule_id` UDM field. if the `attackid` log field value is not empty then, `attackid` log field is mapped to the `security_result.rule_id` UDM field. if the `subtype` log field value is equal to `webfilter` and the `cat` log field value is not empty then, `cat` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `ruleid` log field value is not empty then, `ruleid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `appid` log field value is not empty then, `appid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `policyid` log field value is not empty then, `policyid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `poluuid` log field value is not empty then, `poluuid` log field is mapped to the `security_result.rule_id` UDM field.
`policyid`	`security_result.rule_id`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `policyid` log field value is not empty then, `policyid` log field is mapped to the `security_result.rule_id` UDM field. if the `attackid` log field value is not empty then, `attackid` log field is mapped to the `security_result.rule_id` UDM field. if the `subtype` log field value is equal to `webfilter` and the `cat` log field value is not empty then, `cat` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `ruleid` log field value is not empty then, `ruleid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `appid` log field value is not empty then, `appid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `policyid` log field value is not empty then, `policyid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `poluuid` log field value is not empty then, `poluuid` log field is mapped to the `security_result.rule_id` UDM field.
`poluuid`	`security_result.rule_id`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `policyid` log field value is not empty then, `policyid` log field is mapped to the `security_result.rule_id` UDM field. if the `attackid` log field value is not empty then, `attackid` log field is mapped to the `security_result.rule_id` UDM field. if the `subtype` log field value is equal to `webfilter` and the `cat` log field value is not empty then, `cat` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `ruleid` log field value is not empty then, `ruleid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `appid` log field value is not empty then, `appid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `policyid` log field value is not empty then, `policyid` log field is mapped to the `security_result.rule_id` UDM field. Else, if the `poluuid` log field value is not empty then, `poluuid` log field is mapped to the `security_result.rule_id` UDM field.
`policytype`	`security_result.rule_type`	If the `policytype` log field value is not empty then, `policytype` log field is mapped to the `security_result.rule_type` UDM field. Else, if the `eventtype` log field value is not empty then, `eventtype` log field is mapped to the `security_result.rule_type` UDM field. Else, if the `filtertype` log field value is not empty then, `filtertype` log field is mapped to the `security_result.rule_type` UDM field.
`eventtype`	`security_result.rule_type`	If the `policytype` log field value is not empty then, `policytype` log field is mapped to the `security_result.rule_type` UDM field. Else, if the `eventtype` log field value is not empty then, `eventtype` log field is mapped to the `security_result.rule_type` UDM field. Else, if the `filtertype` log field value is not empty then, `filtertype` log field is mapped to the `security_result.rule_type` UDM field.
`filtertype`	`security_result.rule_type`	If the `policytype` log field value is not empty then, `policytype` log field is mapped to the `security_result.rule_type` UDM field. Else, if the `eventtype` log field value is not empty then, `eventtype` log field is mapped to the `security_result.rule_type` UDM field. Else, if the `filtertype` log field value is not empty then, `filtertype` log field is mapped to the `security_result.rule_type` UDM field.
`crlevel`	`security_result.severity`	If the `severity` log field value is not empty and if the `severity` log field value contain one of the following values `0` `1` `2` `3` `LOW` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `severity` log field value contain one of the following values `4` `5` `6` `MEDIUM` `SUBSTANTIAL` `INFO` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value contain one of the following values `7` `8` `HIGH` `SEVERE` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `severity` log field value contain one of the following values `9` `10` `VERY-HIGH` `CRITICAL` then, the `security_result.severity` UDM field is set to `CRITICAL`. Else, if the `crlevel` log field value is not empty and if the `crlevel` log field value matches the regular expression pattern `(?i)Low` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)Medium` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)High` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)Critical` then, the `security_result.severity` UDM field is set to `CRITICAL`. Else, if the `level` log field value is not empty and if the `level` log field value matches the regular expression pattern `(?i)(error\|warning)` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `level` log field value matches the regular expression pattern `(?i)notice` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `level` log field value matches the regular expression pattern `(?i)(information\|info)` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `deviceSeverity` log field value is not empty and if the `deviceSeverity` log field value is equal to `warning` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `deviceSeverity` log field value is equal to `notice` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `deviceSeverity` log field value contain one of the following values `information` `info` then, the `security_result.severity` UDM field is set to `LOW`. if the `deviceSeverity` log field value is equal to `error` then, the `security_result.severity` UDM field is set to `ERROR`. Else, if the `fsaverdict` log field value is not empty and if the `fsaverdict` log field value matches the regular expression pattern `low risk` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `fsaverdict` log field value matches the regular expression pattern `med risk` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `fsaverdict` log field value matches the regular expression pattern `high risk` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `fsaverdict` log field value matches the regular expression pattern `clear` then, the `security_result.severity` UDM field is set to `NONE`. Else, if the `infectedfilelevel` log field value is not empty and if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Low` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Medium` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)High` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Critical` then, the `security_result.severity` UDM field is set to `CRITICAL`.
`level`	`security_result.severity`	If the `severity` log field value is not empty and if the `severity` log field value contain one of the following values `0` `1` `2` `3` `LOW` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `severity` log field value contain one of the following values `4` `5` `6` `MEDIUM` `SUBSTANTIAL` `INFO` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value contain one of the following values `7` `8` `HIGH` `SEVERE` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `severity` log field value contain one of the following values `9` `10` `VERY-HIGH` `CRITICAL` then, the `security_result.severity` UDM field is set to `CRITICAL`. Else, if the `crlevel` log field value is not empty and if the `crlevel` log field value matches the regular expression pattern `(?i)Low` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)Medium` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)High` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)Critical` then, the `security_result.severity` UDM field is set to `CRITICAL`. Else, if the `level` log field value is not empty and if the `level` log field value matches the regular expression pattern `(?i)(error\|warning)` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `level` log field value matches the regular expression pattern `(?i)notice` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `level` log field value matches the regular expression pattern `(?i)(information\|info)` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `deviceSeverity` log field value is not empty and if the `deviceSeverity` log field value is equal to `warning` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `deviceSeverity` log field value is equal to `notice` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `deviceSeverity` log field value contain one of the following values `information` `info` then, the `security_result.severity` UDM field is set to `LOW`. if the `deviceSeverity` log field value is equal to `error` then, the `security_result.severity` UDM field is set to `ERROR`. Else, if the `fsaverdict` log field value is not empty and if the `fsaverdict` log field value matches the regular expression pattern `low risk` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `fsaverdict` log field value matches the regular expression pattern `med risk` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `fsaverdict` log field value matches the regular expression pattern `high risk` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `fsaverdict` log field value matches the regular expression pattern `clear` then, the `security_result.severity` UDM field is set to `NONE`. Else, if the `infectedfilelevel` log field value is not empty and if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Low` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Medium` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)High` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Critical` then, the `security_result.severity` UDM field is set to `CRITICAL`.
`deviceSeverity`	`security_result.severity`	If the `severity` log field value is not empty and if the `severity` log field value contain one of the following values `0` `1` `2` `3` `LOW` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `severity` log field value contain one of the following values `4` `5` `6` `MEDIUM` `SUBSTANTIAL` `INFO` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value contain one of the following values `7` `8` `HIGH` `SEVERE` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `severity` log field value contain one of the following values `9` `10` `VERY-HIGH` `CRITICAL` then, the `security_result.severity` UDM field is set to `CRITICAL`. Else, if the `crlevel` log field value is not empty and if the `crlevel` log field value matches the regular expression pattern `(?i)Low` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)Medium` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)High` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)Critical` then, the `security_result.severity` UDM field is set to `CRITICAL`. Else, if the `level` log field value is not empty and if the `level` log field value matches the regular expression pattern `(?i)(error\|warning)` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `level` log field value matches the regular expression pattern `(?i)notice` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `level` log field value matches the regular expression pattern `(?i)(information\|info)` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `deviceSeverity` log field value is not empty and if the `deviceSeverity` log field value is equal to `warning` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `deviceSeverity` log field value is equal to `notice` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `deviceSeverity` log field value contain one of the following values `information` `info` then, the `security_result.severity` UDM field is set to `LOW`. if the `deviceSeverity` log field value is equal to `error` then, the `security_result.severity` UDM field is set to `ERROR`. Else, if the `fsaverdict` log field value is not empty and if the `fsaverdict` log field value matches the regular expression pattern `low risk` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `fsaverdict` log field value matches the regular expression pattern `med risk` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `fsaverdict` log field value matches the regular expression pattern `high risk` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `fsaverdict` log field value matches the regular expression pattern `clear` then, the `security_result.severity` UDM field is set to `NONE`. Else, if the `infectedfilelevel` log field value is not empty and if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Low` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Medium` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)High` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Critical` then, the `security_result.severity` UDM field is set to `CRITICAL`.
`fsaverdict`	`security_result.severity`	If the `severity` log field value is not empty and if the `severity` log field value contain one of the following values `0` `1` `2` `3` `LOW` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `severity` log field value contain one of the following values `4` `5` `6` `MEDIUM` `SUBSTANTIAL` `INFO` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value contain one of the following values `7` `8` `HIGH` `SEVERE` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `severity` log field value contain one of the following values `9` `10` `VERY-HIGH` `CRITICAL` then, the `security_result.severity` UDM field is set to `CRITICAL`. Else, if the `crlevel` log field value is not empty and if the `crlevel` log field value matches the regular expression pattern `(?i)Low` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)Medium` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)High` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)Critical` then, the `security_result.severity` UDM field is set to `CRITICAL`. Else, if the `level` log field value is not empty and if the `level` log field value matches the regular expression pattern `(?i)(error\|warning)` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `level` log field value matches the regular expression pattern `(?i)notice` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `level` log field value matches the regular expression pattern `(?i)(information\|info)` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `deviceSeverity` log field value is not empty and if the `deviceSeverity` log field value is equal to `warning` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `deviceSeverity` log field value is equal to `notice` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `deviceSeverity` log field value contain one of the following values `information` `info` then, the `security_result.severity` UDM field is set to `LOW`. if the `deviceSeverity` log field value is equal to `error` then, the `security_result.severity` UDM field is set to `ERROR`. Else, if the `fsaverdict` log field value is not empty and if the `fsaverdict` log field value matches the regular expression pattern `low risk` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `fsaverdict` log field value matches the regular expression pattern `med risk` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `fsaverdict` log field value matches the regular expression pattern `high risk` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `fsaverdict` log field value matches the regular expression pattern `clear` then, the `security_result.severity` UDM field is set to `NONE`. Else, if the `infectedfilelevel` log field value is not empty and if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Low` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Medium` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)High` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Critical` then, the `security_result.severity` UDM field is set to `CRITICAL`.
`infectedfilelevel`	`security_result.severity`	If the `severity` log field value is not empty and if the `severity` log field value contain one of the following values `0` `1` `2` `3` `LOW` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `severity` log field value contain one of the following values `4` `5` `6` `MEDIUM` `SUBSTANTIAL` `INFO` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value contain one of the following values `7` `8` `HIGH` `SEVERE` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `severity` log field value contain one of the following values `9` `10` `VERY-HIGH` `CRITICAL` then, the `security_result.severity` UDM field is set to `CRITICAL`. Else, if the `crlevel` log field value is not empty and if the `crlevel` log field value matches the regular expression pattern `(?i)Low` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)Medium` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)High` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `crlevel` log field value matches the regular expression pattern `(?i)Critical` then, the `security_result.severity` UDM field is set to `CRITICAL`. Else, if the `level` log field value is not empty and if the `level` log field value matches the regular expression pattern `(?i)(error\|warning)` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `level` log field value matches the regular expression pattern `(?i)notice` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `level` log field value matches the regular expression pattern `(?i)(information\|info)` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `deviceSeverity` log field value is not empty and if the `deviceSeverity` log field value is equal to `warning` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `deviceSeverity` log field value is equal to `notice` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `deviceSeverity` log field value contain one of the following values `information` `info` then, the `security_result.severity` UDM field is set to `LOW`. if the `deviceSeverity` log field value is equal to `error` then, the `security_result.severity` UDM field is set to `ERROR`. Else, if the `fsaverdict` log field value is not empty and if the `fsaverdict` log field value matches the regular expression pattern `low risk` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `fsaverdict` log field value matches the regular expression pattern `med risk` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `fsaverdict` log field value matches the regular expression pattern `high risk` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `fsaverdict` log field value matches the regular expression pattern `clear` then, the `security_result.severity` UDM field is set to `NONE`. Else, if the `infectedfilelevel` log field value is not empty and if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Low` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Medium` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)High` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `infectedfilelevel` log field value matches the regular expression pattern `(?i)Critical` then, the `security_result.severity` UDM field is set to `CRITICAL`.
`crscore`	`security_result.severity_details`	If the `level` log field value is not empty then, `level` log field is mapped to the `security_result.severity_details` UDM field. If the `crscore` log field value is not empty then, `crscore` log field is mapped to the `security_result.severity_details` UDM field. If the `deviceSeverity` log field value is not empty then, `deviceSeverity` log field is mapped to the `security_result.severity_details` UDM field. If the `level` log field value is not empty and if the `level` log field value is equal to `error` and the `error` log field value is not empty then, `error` log field is mapped to the `security_result.severity_details` UDM field. Else, `level: %{level}` log field is mapped to the `security_result.severity_details` UDM field. If the `icbseverity` log field value is not empty then, `icbseverity` log field is mapped to the `security_result.severity_details` UDM field.
`level`	`security_result.severity_details`	If the `level` log field value is not empty then, `level` log field is mapped to the `security_result.severity_details` UDM field. If the `crscore` log field value is not empty then, `crscore` log field is mapped to the `security_result.severity_details` UDM field. If the `deviceSeverity` log field value is not empty then, `deviceSeverity` log field is mapped to the `security_result.severity_details` UDM field. If the `level` log field value is not empty and if the `level` log field value is equal to `error` and the `error` log field value is not empty then, `error` log field is mapped to the `security_result.severity_details` UDM field. Else, `level: %{level}` log field is mapped to the `security_result.severity_details` UDM field. If the `icbseverity` log field value is not empty then, `icbseverity` log field is mapped to the `security_result.severity_details` UDM field.
`error`	`security_result.severity_details`	If the `level` log field value is not empty then, `level` log field is mapped to the `security_result.severity_details` UDM field. If the `crscore` log field value is not empty then, `crscore` log field is mapped to the `security_result.severity_details` UDM field. If the `deviceSeverity` log field value is not empty then, `deviceSeverity` log field is mapped to the `security_result.severity_details` UDM field. If the `level` log field value is not empty and if the `level` log field value is equal to `error` and the `error` log field value is not empty then, `error` log field is mapped to the `security_result.severity_details` UDM field. Else, `level: %{level}` log field is mapped to the `security_result.severity_details` UDM field. If the `icbseverity` log field value is not empty then, `icbseverity` log field is mapped to the `security_result.severity_details` UDM field.
`deviceSeverity`	`security_result.severity_details`	If the `level` log field value is not empty then, `level` log field is mapped to the `security_result.severity_details` UDM field. If the `crscore` log field value is not empty then, `crscore` log field is mapped to the `security_result.severity_details` UDM field. If the `deviceSeverity` log field value is not empty then, `deviceSeverity` log field is mapped to the `security_result.severity_details` UDM field. If the `level` log field value is not empty and if the `level` log field value is equal to `error` and the `error` log field value is not empty then, `error` log field is mapped to the `security_result.severity_details` UDM field. Else, `level: %{level}` log field is mapped to the `security_result.severity_details` UDM field. If the `icbseverity` log field value is not empty then, `icbseverity` log field is mapped to the `security_result.severity_details` UDM field.
`icbseverity`	`security_result.severity_details`	If the `level` log field value is not empty then, `level` log field is mapped to the `security_result.severity_details` UDM field. If the `crscore` log field value is not empty then, `crscore` log field is mapped to the `security_result.severity_details` UDM field. If the `deviceSeverity` log field value is not empty then, `deviceSeverity` log field is mapped to the `security_result.severity_details` UDM field. If the `level` log field value is not empty and if the `level` log field value is equal to `error` and the `error` log field value is not empty then, `error` log field is mapped to the `security_result.severity_details` UDM field. Else, `level: %{level}` log field is mapped to the `security_result.severity_details` UDM field. If the `icbseverity` log field value is not empty then, `icbseverity` log field is mapped to the `security_result.severity_details` UDM field.
`msg`	`security_result.summary`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `webfilter` and if the `eventtype` log field value is equal to `ftgd_blk` then, the `security_result.summary` UDM field is set to `Blocked URL`. `msg` log field is mapped to the `security_result.summary` UDM field. Else, if the `subtype` log field value is equal to `virus` and if the `msg` log field value is equal to `File is infected.` then, `%{msg}- %{virus}` log field is mapped to the `security_result.summary` UDM field. Else, if the `subtype` log field value is equal to `ips` or the `subtype` log field value is equal to `anomaly` then, `attack` log field is mapped to the `security_result.summary` UDM field. Else, if the `logdesc` log field value matches the regular expression pattern `GUI_ENTRY_DELETION` then, `msg` log field is mapped to the `security_result.summary` UDM field. Else, if the `mode` log field value is not empty then, `mode` log field is mapped to the `security_result.summary` UDM field. Else, if the `changes` log field value is not empty then, if the `mode` log field value is not empty then, `mode` log field is mapped to the `security_result.summary` UDM field. Else, if the `msg_data` log field value is not empty then, if the `reason` log field value is not empty then, `reason` log field is mapped to the `security_result.summary` UDM field. Else, if the `msg` log field value is not empty then, `msg` log field is mapped to the `security_result.summary` UDM field.
`attack`	`security_result.summary`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `webfilter` and if the `eventtype` log field value is equal to `ftgd_blk` then, the `security_result.summary` UDM field is set to `Blocked URL`. `msg` log field is mapped to the `security_result.summary` UDM field. Else, if the `subtype` log field value is equal to `virus` and if the `msg` log field value is equal to `File is infected.` then, `%{msg}- %{virus}` log field is mapped to the `security_result.summary` UDM field. Else, if the `subtype` log field value is equal to `ips` or the `subtype` log field value is equal to `anomaly` then, `attack` log field is mapped to the `security_result.summary` UDM field. Else, if the `logdesc` log field value matches the regular expression pattern `GUI_ENTRY_DELETION` then, `msg` log field is mapped to the `security_result.summary` UDM field. Else, if the `mode` log field value is not empty then, `mode` log field is mapped to the `security_result.summary` UDM field. Else, if the `changes` log field value is not empty then, if the `mode` log field value is not empty then, `mode` log field is mapped to the `security_result.summary` UDM field. Else, if the `msg_data` log field value is not empty then, if the `reason` log field value is not empty then, `reason` log field is mapped to the `security_result.summary` UDM field. Else, if the `msg` log field value is not empty then, `msg` log field is mapped to the `security_result.summary` UDM field.
`mode`	`security_result.summary`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `webfilter` and if the `eventtype` log field value is equal to `ftgd_blk` then, the `security_result.summary` UDM field is set to `Blocked URL`. `msg` log field is mapped to the `security_result.summary` UDM field. Else, if the `subtype` log field value is equal to `virus` and if the `msg` log field value is equal to `File is infected.` then, `%{msg}- %{virus}` log field is mapped to the `security_result.summary` UDM field. Else, if the `subtype` log field value is equal to `ips` or the `subtype` log field value is equal to `anomaly` then, `attack` log field is mapped to the `security_result.summary` UDM field. Else, if the `logdesc` log field value matches the regular expression pattern `GUI_ENTRY_DELETION` then, `msg` log field is mapped to the `security_result.summary` UDM field. Else, if the `mode` log field value is not empty then, `mode` log field is mapped to the `security_result.summary` UDM field. Else, if the `changes` log field value is not empty then, if the `mode` log field value is not empty then, `mode` log field is mapped to the `security_result.summary` UDM field. Else, if the `msg_data` log field value is not empty then, if the `reason` log field value is not empty then, `reason` log field is mapped to the `security_result.summary` UDM field. Else, if the `msg` log field value is not empty then, `msg` log field is mapped to the `security_result.summary` UDM field.
`reason`	`security_result.summary`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `webfilter` and if the `eventtype` log field value is equal to `ftgd_blk` then, the `security_result.summary` UDM field is set to `Blocked URL`. `msg` log field is mapped to the `security_result.summary` UDM field. Else, if the `subtype` log field value is equal to `virus` and if the `msg` log field value is equal to `File is infected.` then, `%{msg}- %{virus}` log field is mapped to the `security_result.summary` UDM field. Else, if the `subtype` log field value is equal to `ips` or the `subtype` log field value is equal to `anomaly` then, `attack` log field is mapped to the `security_result.summary` UDM field. Else, if the `logdesc` log field value matches the regular expression pattern `GUI_ENTRY_DELETION` then, `msg` log field is mapped to the `security_result.summary` UDM field. Else, if the `mode` log field value is not empty then, `mode` log field is mapped to the `security_result.summary` UDM field. Else, if the `changes` log field value is not empty then, if the `mode` log field value is not empty then, `mode` log field is mapped to the `security_result.summary` UDM field. Else, if the `msg_data` log field value is not empty then, if the `reason` log field value is not empty then, `reason` log field is mapped to the `security_result.summary` UDM field. Else, if the `msg` log field value is not empty then, `msg` log field is mapped to the `security_result.summary` UDM field.
`virus`	`security_result.summary`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `webfilter` and if the `eventtype` log field value is equal to `ftgd_blk` then, the `security_result.summary` UDM field is set to `Blocked URL`. `msg` log field is mapped to the `security_result.summary` UDM field. Else, if the `subtype` log field value is equal to `virus` and if the `msg` log field value is equal to `File is infected.` then, `%{msg}- %{virus}` log field is mapped to the `security_result.summary` UDM field. Else, if the `subtype` log field value is equal to `ips` or the `subtype` log field value is equal to `anomaly` then, `attack` log field is mapped to the `security_result.summary` UDM field. Else, if the `logdesc` log field value matches the regular expression pattern `GUI_ENTRY_DELETION` then, `msg` log field is mapped to the `security_result.summary` UDM field. Else, if the `mode` log field value is not empty then, `mode` log field is mapped to the `security_result.summary` UDM field. Else, if the `changes` log field value is not empty then, if the `mode` log field value is not empty then, `mode` log field is mapped to the `security_result.summary` UDM field. Else, if the `msg_data` log field value is not empty then, if the `reason` log field value is not empty then, `reason` log field is mapped to the `security_result.summary` UDM field. Else, if the `msg` log field value is not empty then, `msg` log field is mapped to the `security_result.summary` UDM field.
`catdesc`	`security_result.summary`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `webfilter` and if the `eventtype` log field value is equal to `ftgd_blk` then, the `security_result.summary` UDM field is set to `Blocked URL`. `msg` log field is mapped to the `security_result.summary` UDM field. Else, if the `subtype` log field value is equal to `virus` and if the `msg` log field value is equal to `File is infected.` then, `%{msg}- %{virus}` log field is mapped to the `security_result.summary` UDM field. Else, if the `subtype` log field value is equal to `ips` or the `subtype` log field value is equal to `anomaly` then, `attack` log field is mapped to the `security_result.summary` UDM field. Else, if the `logdesc` log field value matches the regular expression pattern `GUI_ENTRY_DELETION` then, `msg` log field is mapped to the `security_result.summary` UDM field. Else, if the `mode` log field value is not empty then, `mode` log field is mapped to the `security_result.summary` UDM field. Else, if the `changes` log field value is not empty then, if the `mode` log field value is not empty then, `mode` log field is mapped to the `security_result.summary` UDM field. Else, if the `msg_data` log field value is not empty then, if the `reason` log field value is not empty then, `reason` log field is mapped to the `security_result.summary` UDM field. Else, if the `msg` log field value is not empty then, `msg` log field is mapped to the `security_result.summary` UDM field.
`msg`	`security_result.rule_name`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `app-ctrl` then, `msg` log field is mapped to the `security_result.rule_name` UDM field. If the `policyname` log field value is not empty then, `policyname` log field is mapped to the `security_result.rule_name` UDM field.
`policyname`	`security_result.rule_name`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `app-ctrl` then, `msg` log field is mapped to the `security_result.rule_name` UDM field. If the `policyname` log field value is not empty then, `policyname` log field is mapped to the `security_result.rule_name` UDM field.
`dstthreatfeed`	`security_result.threat_feed_name`
`attackid`	`security_result.threat_id`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `virusid` log field value is not empty then, `virusid` log field is mapped to the `security_result.threat_id` UDM field. if the `subtype` log field value is equal to `ips` or the `subtype` log field value is equal to `anomaly` then, `attackid` log field is mapped to the `security_result.threat_id` UDM field.
`virusid`	`security_result.threat_id`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `virusid` log field value is not empty then, `virusid` log field is mapped to the `security_result.threat_id` UDM field. if the `subtype` log field value is equal to `ips` or the `subtype` log field value is equal to `anomaly` then, `attackid` log field is mapped to the `security_result.threat_id` UDM field.
`attack`	`security_result.threat_name`	If the `attack` log field value is not empty then, `attack` log field is mapped to the `security_result.threat_name` UDM field. Else, if the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `virus` then, `virus` log field is mapped to the `security_result.threat_name` UDM field.
`virus`	`security_result.threat_name`	If the `attack` log field value is not empty then, `attack` log field is mapped to the `security_result.threat_name` UDM field. Else, if the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `virus` then, `virus` log field is mapped to the `security_result.threat_name` UDM field.
`cpulteid`	`target.asset.asset_id`	If the `cpulteid` log field value is not empty then, the `target.asset.type` UDM field is set to `SERVER`.
`cpdlisrteid`	`target.asset.attribute.labels[cpdlisrteid]`
`cpdlteid`	`target.asset.attribute.labels[cpdlteid]`
`cpteid`	`target.asset.attribute.labels[cpteid]`
`dsthwversion`	`target.asset.hardware.model`
`oldsn`	`target.asset.hardware.serial_number`
`dstserver`	`target.asset.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.asset.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.asset.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.asset.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.asset.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.asset.hostname` UDM field. Else, `devname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.asset.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.asset.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.asset.hostname` UDM field.
`dst_host`	`target.asset.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.asset.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.asset.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.asset.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.asset.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.asset.hostname` UDM field. Else, `devname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.asset.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.asset.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.asset.hostname` UDM field.
`dhost`	`target.asset.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.asset.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.asset.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.asset.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.asset.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.asset.hostname` UDM field. Else, `devname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.asset.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.asset.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.asset.hostname` UDM field.
`hostname`	`target.asset.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.asset.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.asset.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.asset.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.asset.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.asset.hostname` UDM field. Else, `devname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.asset.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.asset.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.asset.hostname` UDM field.
`dstauthserver`	`target.asset.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.asset.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.asset.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.asset.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.asset.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.asset.hostname` UDM field. Else, `devname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.asset.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.asset.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.asset.hostname` UDM field.
`server`	`target.asset.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.asset.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.asset.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.asset.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.asset.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.asset.hostname` UDM field. Else, `devname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.asset.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.asset.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.asset.hostname` UDM field.
`devname`	`target.asset.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.asset.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.asset.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.asset.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.asset.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.asset.hostname` UDM field. Else, `devname` log field is mapped to the `target.asset.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.asset.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.asset.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.asset.hostname` UDM field.
`remip`	`target.asset.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.asset.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.asset.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.asset.ip` UDM field.
`tunnelip`	`target.asset.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.asset.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.asset.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.asset.ip` UDM field.
`cpaddr`	`target.asset.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.asset.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.asset.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.asset.ip` UDM field.
`cpaddr6`	`target.asset.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.asset.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.asset.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.asset.ip` UDM field.
`cpuladdr`	`target.asset.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.asset.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.asset.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.asset.ip` UDM field.
`cpuladdr6`	`target.asset.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.asset.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.asset.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.asset.ip` UDM field.
`cpdladdr`	`target.asset.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.asset.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.asset.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.asset.ip` UDM field.
`cpdladdr6`	`target.asset.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.asset.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.asset.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.asset.ip` UDM field.
`cpdlisraddr`	`target.asset.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.asset.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.asset.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.asset.ip` UDM field.
`cpdlisraddr6`	`target.asset.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.asset.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.asset.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.asset.ip` UDM field.
`filename`	`target.file.full_path`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `filename` log field value is not empty then, `filename` log field is mapped to the `target.file.full_path` UDM field.
`matchfiletype`	`target.file.mime_type`	If the `matchfiletype` log field value is not empty then, `matchfiletype` log field is mapped to the `target.file.mime_type` UDM field. Else, if the `icbfiletype` log field value is not empty then, `icbfiletype` log field is mapped to the `target.file.mime_type` UDM field. Else, if the `infectedfiletype` log field value is not empty then, `infectedfiletype` log field is mapped to the `target.file.mime_type` UDM field.
`icbfiletype`	`target.file.mime_type`	If the `matchfiletype` log field value is not empty then, `matchfiletype` log field is mapped to the `target.file.mime_type` UDM field. Else, if the `icbfiletype` log field value is not empty then, `icbfiletype` log field is mapped to the `target.file.mime_type` UDM field. Else, if the `infectedfiletype` log field value is not empty then, `infectedfiletype` log field is mapped to the `target.file.mime_type` UDM field.
`infectedfiletype`	`target.file.mime_type`	If the `matchfiletype` log field value is not empty then, `matchfiletype` log field is mapped to the `target.file.mime_type` UDM field. Else, if the `icbfiletype` log field value is not empty then, `icbfiletype` log field is mapped to the `target.file.mime_type` UDM field. Else, if the `infectedfiletype` log field value is not empty then, `infectedfiletype` log field is mapped to the `target.file.mime_type` UDM field.
`infectedfilename`	`target.file.names`	If the `infectedfilename` log field value is not empty then, `infectedfilename` log field is mapped to the `target.file.names` UDM field. If the `matchfilename` log field value is not empty then, `matchfilename` log field is mapped to the `target.file.names` UDM field. If the `icbfileid` log field value is not empty then, `icbfileid` log field is mapped to the `target.file.names` UDM field.
`matchfilename`	`target.file.names`	If the `infectedfilename` log field value is not empty then, `infectedfilename` log field is mapped to the `target.file.names` UDM field. If the `matchfilename` log field value is not empty then, `matchfilename` log field is mapped to the `target.file.names` UDM field. If the `icbfileid` log field value is not empty then, `icbfileid` log field is mapped to the `target.file.names` UDM field.
`icbfileid`	`target.file.names`	If the `infectedfilename` log field value is not empty then, `infectedfilename` log field is mapped to the `target.file.names` UDM field. If the `matchfilename` log field value is not empty then, `matchfilename` log field is mapped to the `target.file.names` UDM field. If the `icbfileid` log field value is not empty then, `icbfileid` log field is mapped to the `target.file.names` UDM field.
`hash`	`target.file.sha256`	If the `hash` log field value is not empty then, `hash` log field is mapped to the `target.file.sha256` UDM field. Else, if the `analyticscksum` log field value is not empty then, `analyticscksum` log field is mapped to the `target.file.sha256` UDM field.
`analyticscksum`	`target.file.sha256`	If the `hash` log field value is not empty then, `hash` log field is mapped to the `target.file.sha256` UDM field. Else, if the `analyticscksum` log field value is not empty then, `analyticscksum` log field is mapped to the `target.file.sha256` UDM field.
`infectedfilesize`	`target.file.size`
`analyticssubmit`	`target.file.tags`
`dstserver`	`target.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.hostname` UDM field. Else, if the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.hostname` UDM field. Else, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field.
`dst_host`	`target.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.hostname` UDM field. Else, if the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.hostname` UDM field. Else, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field.
`dhost`	`target.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.hostname` UDM field. Else, if the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.hostname` UDM field. Else, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field.
`hostname`	`target.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.hostname` UDM field. Else, if the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.hostname` UDM field. Else, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field.
`dstauthserver`	`target.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.hostname` UDM field. Else, if the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.hostname` UDM field. Else, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field.
`server`	`target.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.hostname` UDM field. Else, if the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.hostname` UDM field. Else, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field.
`dstname`	`target.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.hostname` UDM field. Else, if the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.hostname` UDM field. Else, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field.
`host`	`target.hostname`	If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` then, `devname` log field is mapped to the `target.hostname` UDM field. Else, if the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstserver` log field value does not contain one of the following values `Empty` `0` `1` then, `dstserver` log field is mapped to the `target.hostname` UDM field. If the `dst_host` log field value does not contain one of the following values `Empty` `N/A` then, `dst_host` log field is mapped to the `target.hostname` UDM field. If the `dhost` log field value is not empty then, `dhost` log field is mapped to the `target.hostname` UDM field. If the `hostname` log field value is not empty then, `hostname` log field is mapped to the `target.hostname` UDM field. If the `dstauthserver` log field value is not empty then, `dstauthserver` log field is mapped to the `target.hostname` UDM field. Else, if the `type` log field value is equal to `event` and the `subtype` log field value is equal to `user` and if the `server` log field value is not empty then, `server` log field is mapped to the `target.hostname` UDM field. Else, `devname` log field is mapped to the `target.hostname` UDM field. If the `dstname` log field value is not empty then, `dstname` log field is mapped to the `target.hostname` UDM field. If the `host` log field value is not empty then, `host` log field is mapped to the `target.hostname` UDM field. If the `action` log field value is equal to `login` and if the `devname` log field value is not empty then, `devname` log field is mapped to the `target.hostname` UDM field.
`remip`	`target.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.ip` UDM field.
`tunnelip`	`target.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.ip` UDM field.
`daddr`	`target.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.ip` UDM field.
`end-usr-address`	`target.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.ip` UDM field.
`endusraddress6`	`target.ip`	If the `dstip` log field value is not empty or the `dstip` log field value is not equal to `N/A` then, The `dst_ip` field is extracted from `dstip` log field using the Grok pattern. if the `dst_ip` log field value is not empty then, `dst_ip` extracted field is mapped to the `target.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and if the `tunnelip` log field value does not contain one of the following values `Empty` `N/A` then, `tunnelip` log field is mapped to the `target.ip` UDM field. if the `remip` log field value is not empty then, `remip` log field is mapped to the `target.ip` UDM field.
`opercountry`	`target.ip_location.country_or_region`
`dstcity`	`target.location.city`
`dstcountry`	`target.location.country_or_region`	If the `dstcountry` log field value is not empty and the `dstcountry` log field value is not equal to `Reserved` then, `dstcountry` log field is mapped to the `target.location.country_or_region` UDM field. Else, if the `dstregion` log field value is not empty then, `dstregion` log field is mapped to the `target.location.country_or_region` UDM field.
`dstregion`	`target.location.country_or_region`	If the `dstcountry` log field value is not empty and the `dstcountry` log field value is not equal to `Reserved` then, `dstcountry` log field is mapped to the `target.location.country_or_region` UDM field. Else, if the `dstregion` log field value is not empty then, `dstregion` log field is mapped to the `target.location.country_or_region` UDM field.
`dstmacAddress`	`target.mac`	If the `dstmac` log field value is not empty then, The `dstmacAddress` field is extracted from `dstmac` log field using the Grok pattern. if the `dstmacAddress` log field value is not empty then, `dstmacAddress` extracted field is mapped to the `target.mac` UDM field and `dstmacAddress` extracted field is mapped to the `target.asset.mac` UDM field.
`tranip`	`target.nat_ip`
`tranport`	`target.nat_port`
	`target.platform`	If the `dstosname` log field value is equal to `WINDOWS` then, the `target.platform` UDM field is set to `WINDOWS`. If the `dstosname` log field value contain one of the following values `Debian` `DEBIAN` then, the `target.platform` UDM field is set to `LINUX`.
`dstswversion`	`target.platform_version`
`dst_port`	`target.port`	If the `dst_port` log field value does not contain one of the following values `Empty` `N/A` then, `dst_port` log field is mapped to the `target.port` UDM field. Else, if the `locport` log field value is not empty then, `locport` log field is mapped to the `target.port` UDM field. Else, if the `dstport` log field value is not empty then, `dstport` log field is mapped to the `target.port` UDM field.
`locport`	`target.port`	If the `dst_port` log field value does not contain one of the following values `Empty` `N/A` then, `dst_port` log field is mapped to the `target.port` UDM field. Else, if the `locport` log field value is not empty then, `locport` log field is mapped to the `target.port` UDM field. Else, if the `dstport` log field value is not empty then, `dstport` log field is mapped to the `target.port` UDM field.
`dstport`	`target.port`	If the `dst_port` log field value does not contain one of the following values `Empty` `N/A` then, `dst_port` log field is mapped to the `target.port` UDM field. Else, if the `locport` log field value is not empty then, `locport` log field is mapped to the `target.port` UDM field. Else, if the `dstport` log field value is not empty then, `dstport` log field is mapped to the `target.port` UDM field.
`dsthwvendor`	`target.resource.attribute.labels[dsthwvendor]`
`request_name`	`target.resource.attribute.labels[request_name]`
`resplength`	`target.resource.attribute.labels[resplength]`
`requesttype`	`target.resource.attribute.labels[requesttype]`
`resptime`	`target.resource.attribute.labels[resptime]`
`resptype`	`target.resource.attribute.labels[resptype]`
`rssi`	`target.resource.attribute.labels[rssi]`
`rsso_key`	`target.resource.attribute.labels[rsso_key]`
`to_vcluster`	`target.resource.attribute.labels[to_vcluster]`	If the `to_vcluster` log field value does not contain one of the following values `Empty` `N/A` then, the `target.resource.resource_type` UDM field is set to `CLUSTER` and the `target.resource.attribute.labels.key` UDM field is set to `to_vcluster` and `to_vcluster` log field is mapped to the `target.resource.attribute.labels.value` UDM field.
`profile`	`target.resource.name`	If the `profile` log field value is not empty then, `profile` log field is mapped to the `target.resource.name` UDM field and the `target.resource.resource_type` UDM field is set to `ACCESS_POLICY`.
`dstuuid`	`target.resource.product_object_id`	If the `dstuuid` log field value is not empty then, `dstuuid` log field is mapped to the `target.resource.product_object_id` UDM field. Else, if the `realserverid` log field value is not empty then, `realserverid` log field is mapped to the `target.resource.product_object_id` UDM field.
`realserverid`	`target.resource.product_object_id`	If the `dstuuid` log field value is not empty then, `dstuuid` log field is mapped to the `target.resource.product_object_id` UDM field. Else, if the `realserverid` log field value is not empty then, `realserverid` log field is mapped to the `target.resource.product_object_id` UDM field.
`url`	`target.url`	If the `url` log field value is not empty and the `url` log field value is not equal to `N/A` then, `url` log field is mapped to the `target.url` UDM field.
`dstunauthuser`	`target.user.user_display_name`	If the `dstunauthuser` log field value is not empty then, `dstunauthuser` log field is mapped to the `target.user.user_display_name` UDM field. Else, `to` log field is mapped to the `target.user.user_display_name` UDM field.
`to`	`target.user.user_display_name`	If the `dstunauthuser` log field value is not empty then, `dstunauthuser` log field is mapped to the `target.user.user_display_name` UDM field. Else, `to` log field is mapped to the `target.user.user_display_name` UDM field.
`dstuser`	`target.user.userid`	If the `duid` log field value is not empty then, The `temp_duid` field is extracted from `duid` log field using the Grok pattern. if the `temp_duid` log field value is not empty then, `temp_duid` extracted field is mapped to the `target.user.userid` UDM field. Else, if the `dstuser` log field value is not empty then, `dstuser` log field is mapped to the `target.user.userid` UDM field. Else, if the `request` log field value is not empty and the `request` log field value matches the regular expression pattern `duid` then, The `d_uid` field is extracted from `request` log field using the Grok pattern. if the `d_uid` log field value is not empty then, `d_uid` extracted field is mapped to the `target.user.userid` UDM field. Else, if the `name` log field value is not empty and the `name` log field value is not equal to `N/A` and if the `logdesc` log field value matches the regular expression pattern `(?i)user` then, `name` log field is mapped to the `target.user.userid` UDM field. Else, if the `cfgpath` log field value is equal to `system.admin` then, `cfgobj` log field is mapped to the `target.user.userid` UDM field. Else, if the `action` log field value is equal to `auth-logon` and the `status` log field value is equal to `logon` and if the `user` log field value is not empty and the `user` log field value is not equal to `N/A` then, `user` log field is mapped to the `target.user.userid` UDM field. Else, if the `action` log field value matches the regular expression pattern `.logon.` and if the `user` log field value is not empty and the `user` log field value is not equal to `N/A` then, `user` log field is mapped to the `target.user.userid` UDM field.
`cfgobj`	`target.user.userid`	If the `duid` log field value is not empty then, The `temp_duid` field is extracted from `duid` log field using the Grok pattern. if the `temp_duid` log field value is not empty then, `temp_duid` extracted field is mapped to the `target.user.userid` UDM field. Else, if the `dstuser` log field value is not empty then, `dstuser` log field is mapped to the `target.user.userid` UDM field. Else, if the `request` log field value is not empty and the `request` log field value matches the regular expression pattern `duid` then, The `d_uid` field is extracted from `request` log field using the Grok pattern. if the `d_uid` log field value is not empty then, `d_uid` extracted field is mapped to the `target.user.userid` UDM field. Else, if the `name` log field value is not empty and the `name` log field value is not equal to `N/A` and if the `logdesc` log field value matches the regular expression pattern `(?i)user` then, `name` log field is mapped to the `target.user.userid` UDM field. Else, if the `cfgpath` log field value is equal to `system.admin` then, `cfgobj` log field is mapped to the `target.user.userid` UDM field. Else, if the `action` log field value is equal to `auth-logon` and the `status` log field value is equal to `logon` and if the `user` log field value is not empty and the `user` log field value is not equal to `N/A` then, `user` log field is mapped to the `target.user.userid` UDM field. Else, if the `action` log field value matches the regular expression pattern `.logon.` and if the `user` log field value is not empty and the `user` log field value is not equal to `N/A` then, `user` log field is mapped to the `target.user.userid` UDM field.
`duid`	`target.user.userid`	If the `duid` log field value is not empty then, The `temp_duid` field is extracted from `duid` log field using the Grok pattern. if the `temp_duid` log field value is not empty then, `temp_duid` extracted field is mapped to the `target.user.userid` UDM field. Else, if the `dstuser` log field value is not empty then, `dstuser` log field is mapped to the `target.user.userid` UDM field. Else, if the `request` log field value is not empty and the `request` log field value matches the regular expression pattern `duid` then, The `d_uid` field is extracted from `request` log field using the Grok pattern. if the `d_uid` log field value is not empty then, `d_uid` extracted field is mapped to the `target.user.userid` UDM field. Else, if the `name` log field value is not empty and the `name` log field value is not equal to `N/A` and if the `logdesc` log field value matches the regular expression pattern `(?i)user` then, `name` log field is mapped to the `target.user.userid` UDM field. Else, if the `cfgpath` log field value is equal to `system.admin` then, `cfgobj` log field is mapped to the `target.user.userid` UDM field. Else, if the `action` log field value is equal to `auth-logon` and the `status` log field value is equal to `logon` and if the `user` log field value is not empty and the `user` log field value is not equal to `N/A` then, `user` log field is mapped to the `target.user.userid` UDM field. Else, if the `action` log field value matches the regular expression pattern `.logon.` and if the `user` log field value is not empty and the `user` log field value is not equal to `N/A` then, `user` log field is mapped to the `target.user.userid` UDM field.
`name`	`target.user.userid`	If the `duid` log field value is not empty then, The `temp_duid` field is extracted from `duid` log field using the Grok pattern. if the `temp_duid` log field value is not empty then, `temp_duid` extracted field is mapped to the `target.user.userid` UDM field. Else, if the `dstuser` log field value is not empty then, `dstuser` log field is mapped to the `target.user.userid` UDM field. Else, if the `request` log field value is not empty and the `request` log field value matches the regular expression pattern `duid` then, The `d_uid` field is extracted from `request` log field using the Grok pattern. if the `d_uid` log field value is not empty then, `d_uid` extracted field is mapped to the `target.user.userid` UDM field. Else, if the `name` log field value is not empty and the `name` log field value is not equal to `N/A` and if the `logdesc` log field value matches the regular expression pattern `(?i)user` then, `name` log field is mapped to the `target.user.userid` UDM field. Else, if the `cfgpath` log field value is equal to `system.admin` then, `cfgobj` log field is mapped to the `target.user.userid` UDM field. Else, if the `action` log field value is equal to `auth-logon` and the `status` log field value is equal to `logon` and if the `user` log field value is not empty and the `user` log field value is not equal to `N/A` then, `user` log field is mapped to the `target.user.userid` UDM field. Else, if the `action` log field value matches the regular expression pattern `.logon.` and if the `user` log field value is not empty and the `user` log field value is not equal to `N/A` then, `user` log field is mapped to the `target.user.userid` UDM field.
`deviceExternalId`	`about.asset.asset_id`	If the `deviceExternalId` log field value is not empty then, `%{device_vendor}.%{device_product}:%{deviceExternalId}` log field is mapped to the `about.asset.asset_id` UDM field.
`device_vendor`	`is_alert`	If the `crlevel` log field value is equal to `CRITICAL` or the `level` log field value is equal to `alert` then,The `is_alert` UDM field is set to `true`.
	`is_significant`	If the `crlevel` log field value is equal to `CRITICAL` or the `level` log field value is equal to `alert` then,The `is_significant` UDM field is set to `true`.

UDM Mapping Delta

UDM Mapping Delta reference: Fortinet_Firewall

The following table lists delta between Default parser of FORTINET FIREWALL and premium version of FORTINET FIREWALL.

Default UDM Mapping	Log Field	Premium Mapping Delta
`about.file.full_path`	`filehash`	If the `filehash` log field value matches the regular expression pattern `(?<_hash>^[0-9a-f]+$)` then, `filehash` log field is mapped to the `about.file.sha256` UDM field. Else, `filehash` log field is mapped to the `about.file.full_path` UDM field.
`about.file.sha256`	`filehash`	If the `filehash` log field value matches the regular expression pattern `(?<_hash>^[0-9a-f]+$)` then, `filehash` log field is mapped to the `about.file.sha256` UDM field. Else, `filehash` log field is mapped to the `about.file.full_path` UDM field.
`principal.resource.attribute.labels`	`init`	Updated one condition to remove the unnecessary value like "N/A".
`principal.resource.attribute.labels`	`vpntunnel`	Updated one condition to remove the unnecessary value like "N/A".
`principal.resource.attribute.labels`	`rcvdbyte`	Updated one condition to remove the unnecessary value like "N/A".
`security_result.description`	`utmaction`	Updated the mapping from `security_result.description` to `security_result.action` UDM field.
`security_result.detection_fields`	`dstinetsvc`	Updated one condition to remove the unnecessary value like "N/A".
`security_result.detection_fields`	`dstintf`	Updated the mapping from `security_result.detection_fields` to `target.asset.attribute.labels` UDM field.
`security_result.detection_fields`	`dstintfrole`	Updated the mapping from `security_result.detection_fields` to `target.asset.attribute.labels` UDM field.
`security_result.detection_fields`	`srcintf`	Updated the mapping from `security_result.detection_fields` to `principal.asset.attribute.labels` UDM field.
`security_result.detection_fields`	`srcintfrole`	Updated the mapping from `security_result.detection_fields` to `principal.asset.attribute.labels` UDM field.
`security_result.detection_fields`	`xid`	Updated one condition to remove the unnecessary value like "N/A".
`additional.fields`	`policyid`	Updated the mapping from `additional.fields` to `security_result.detection_fields` UDM field.
`additional.fields`	`poluuid`	Updated the mapping from `additional.fields` to `security_result.detection_fields` UDM field.
`principal.ip`	`shost`	If the `saddr` log field value is not empty then, The `saddr_ip` field is extracted from `saddr` log field using the Grok pattern. if the `saddr_ip` log field value is not empty then, `saddr_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `srcremote` log field value is not empty then, The `valid_srcremote` field is extracted from `srcremote` log field using the Grok pattern. if the `valid_srcremote` log field value is not empty then, `valid_srcremote` extracted field is mapped to the `principal.ip` UDM field. Else, if the `shost` log field value is not empty then, The `valid_shost` field is extracted from `shost` log field using the Grok pattern. if the `valid_shost` log field value is not empty then, `valid_shost` extracted field is mapped to the `principal.ip` UDM field. Else, if the `user` log field value does not contain one of the following values `Empty` `N/A` then, The `user_ip` field is extracted from `user` log field using the Grok pattern. if the `user_ip` log field value is not empty then, `user_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `ui` log field value is not empty then, The `prin_ip` field is extracted from `ui` log field using the Grok pattern. if the `prin_ip` log field value is not empty then, `prin_ip` extracted field is mapped to the `principal.ip` UDM field. If the `subtype` log field value contain one of the following values `endpoint` `system` and if the `ip` log field value is not empty and the `ip` log field value is not equal to `N/A` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and the `locip` log field value is not empty then, `locip` log field is mapped to the `principal.ip` UDM field. If the `srcip` log field value is not empty then, The `src_ip` field is extracted from `srcip` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `src` log field value is not empty then, The `src_ip` field is extracted from `src` log field using the Grok pattern. `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `msg` log field value is not empty then, The `user_email` field is extracted from `msg` log field using the Grok pattern. The `src_ip` and `user_id` fields is extracted from `msg` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `banned_src` log field value is not empty then, `banned_src` log field is mapped to the `principal.ip` UDM field. If the `userfrom` log field value is not empty then, The `valid_ip` field is extracted from `userfrom` log field using the Grok pattern. `valid_ip` extracted field is mapped to the `principal.ip` UDM field. `user_email` extracted fields are mapped to the `principal.ip` UDM field.
`principal.ip`	`srcip`	If the `saddr` log field value is not empty then, The `saddr_ip` field is extracted from `saddr` log field using the Grok pattern. if the `saddr_ip` log field value is not empty then, `saddr_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `srcremote` log field value is not empty then, The `valid_srcremote` field is extracted from `srcremote` log field using the Grok pattern. if the `valid_srcremote` log field value is not empty then, `valid_srcremote` extracted field is mapped to the `principal.ip` UDM field. Else, if the `shost` log field value is not empty then, The `valid_shost` field is extracted from `shost` log field using the Grok pattern. if the `valid_shost` log field value is not empty then, `valid_shost` extracted field is mapped to the `principal.ip` UDM field. Else, if the `user` log field value does not contain one of the following values `Empty` `N/A` then, The `user_ip` field is extracted from `user` log field using the Grok pattern. if the `user_ip` log field value is not empty then, `user_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `ui` log field value is not empty then, The `prin_ip` field is extracted from `ui` log field using the Grok pattern. if the `prin_ip` log field value is not empty then, `prin_ip` extracted field is mapped to the `principal.ip` UDM field. If the `subtype` log field value contain one of the following values `endpoint` `system` and if the `ip` log field value is not empty and the `ip` log field value is not equal to `N/A` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and the `locip` log field value is not empty then, `locip` log field is mapped to the `principal.ip` UDM field. If the `srcip` log field value is not empty then, The `src_ip` field is extracted from `srcip` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `src` log field value is not empty then, The `src_ip` field is extracted from `src` log field using the Grok pattern. `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `msg` log field value is not empty then, The `user_email` field is extracted from `msg` log field using the Grok pattern. The `src_ip` and `user_id` fields is extracted from `msg` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `banned_src` log field value is not empty then, `banned_src` log field is mapped to the `principal.ip` UDM field. If the `userfrom` log field value is not empty then, The `valid_ip` field is extracted from `userfrom` log field using the Grok pattern. `valid_ip` extracted field is mapped to the `principal.ip` UDM field. `user_email` extracted fields are mapped to the `principal.ip` UDM field.
`principal.ip`	`src_ip`	If the `saddr` log field value is not empty then, The `saddr_ip` field is extracted from `saddr` log field using the Grok pattern. if the `saddr_ip` log field value is not empty then, `saddr_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `srcremote` log field value is not empty then, The `valid_srcremote` field is extracted from `srcremote` log field using the Grok pattern. if the `valid_srcremote` log field value is not empty then, `valid_srcremote` extracted field is mapped to the `principal.ip` UDM field. Else, if the `shost` log field value is not empty then, The `valid_shost` field is extracted from `shost` log field using the Grok pattern. if the `valid_shost` log field value is not empty then, `valid_shost` extracted field is mapped to the `principal.ip` UDM field. Else, if the `user` log field value does not contain one of the following values `Empty` `N/A` then, The `user_ip` field is extracted from `user` log field using the Grok pattern. if the `user_ip` log field value is not empty then, `user_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `ui` log field value is not empty then, The `prin_ip` field is extracted from `ui` log field using the Grok pattern. if the `prin_ip` log field value is not empty then, `prin_ip` extracted field is mapped to the `principal.ip` UDM field. If the `subtype` log field value contain one of the following values `endpoint` `system` and if the `ip` log field value is not empty and the `ip` log field value is not equal to `N/A` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and the `locip` log field value is not empty then, `locip` log field is mapped to the `principal.ip` UDM field. If the `srcip` log field value is not empty then, The `src_ip` field is extracted from `srcip` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `src` log field value is not empty then, The `src_ip` field is extracted from `src` log field using the Grok pattern. `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `msg` log field value is not empty then, The `user_email` field is extracted from `msg` log field using the Grok pattern. The `src_ip` and `user_id` fields is extracted from `msg` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `banned_src` log field value is not empty then, `banned_src` log field is mapped to the `principal.ip` UDM field. If the `userfrom` log field value is not empty then, The `valid_ip` field is extracted from `userfrom` log field using the Grok pattern. `valid_ip` extracted field is mapped to the `principal.ip` UDM field. `user_email` extracted fields are mapped to the `principal.ip` UDM field.
`principal.ip`	`ip`	If the `saddr` log field value is not empty then, The `saddr_ip` field is extracted from `saddr` log field using the Grok pattern. if the `saddr_ip` log field value is not empty then, `saddr_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `srcremote` log field value is not empty then, The `valid_srcremote` field is extracted from `srcremote` log field using the Grok pattern. if the `valid_srcremote` log field value is not empty then, `valid_srcremote` extracted field is mapped to the `principal.ip` UDM field. Else, if the `shost` log field value is not empty then, The `valid_shost` field is extracted from `shost` log field using the Grok pattern. if the `valid_shost` log field value is not empty then, `valid_shost` extracted field is mapped to the `principal.ip` UDM field. Else, if the `user` log field value does not contain one of the following values `Empty` `N/A` then, The `user_ip` field is extracted from `user` log field using the Grok pattern. if the `user_ip` log field value is not empty then, `user_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `ui` log field value is not empty then, The `prin_ip` field is extracted from `ui` log field using the Grok pattern. if the `prin_ip` log field value is not empty then, `prin_ip` extracted field is mapped to the `principal.ip` UDM field. If the `subtype` log field value contain one of the following values `endpoint` `system` and if the `ip` log field value is not empty and the `ip` log field value is not equal to `N/A` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and the `locip` log field value is not empty then, `locip` log field is mapped to the `principal.ip` UDM field. If the `srcip` log field value is not empty then, The `src_ip` field is extracted from `srcip` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `src` log field value is not empty then, The `src_ip` field is extracted from `src` log field using the Grok pattern. `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `msg` log field value is not empty then, The `user_email` field is extracted from `msg` log field using the Grok pattern. The `src_ip` and `user_id` fields is extracted from `msg` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `banned_src` log field value is not empty then, `banned_src` log field is mapped to the `principal.ip` UDM field. If the `userfrom` log field value is not empty then, The `valid_ip` field is extracted from `userfrom` log field using the Grok pattern. `valid_ip` extracted field is mapped to the `principal.ip` UDM field. `user_email` extracted fields are mapped to the `principal.ip` UDM field.
`principal.asset.ip`	`srcip`	If the `saddr` log field value is not empty then, The `saddr_ip` field is extracted from `saddr` log field using the Grok pattern. if the `saddr_ip` log field value is not empty then, `saddr_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `srcremote` log field value is not empty then, The `valid_srcremote` field is extracted from `srcremote` log field using the Grok pattern. if the `valid_srcremote` log field value is not empty then, `valid_srcremote` extracted field is mapped to the `principal.ip` UDM field. Else, if the `shost` log field value is not empty then, The `valid_shost` field is extracted from `shost` log field using the Grok pattern. if the `valid_shost` log field value is not empty then, `valid_shost` extracted field is mapped to the `principal.ip` UDM field. Else, if the `user` log field value does not contain one of the following values `Empty` `N/A` then, The `user_ip` field is extracted from `user` log field using the Grok pattern. if the `user_ip` log field value is not empty then, `user_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `ui` log field value is not empty then, The `prin_ip` field is extracted from `ui` log field using the Grok pattern. if the `prin_ip` log field value is not empty then, `prin_ip` extracted field is mapped to the `principal.ip` UDM field. If the `subtype` log field value contain one of the following values `endpoint` `system` and if the `ip` log field value is not empty and the `ip` log field value is not equal to `N/A` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and the `locip` log field value is not empty then, `locip` log field is mapped to the `principal.ip` UDM field. If the `srcip` log field value is not empty then, The `src_ip` field is extracted from `srcip` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `src` log field value is not empty then, The `src_ip` field is extracted from `src` log field using the Grok pattern. `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `msg` log field value is not empty then, The `user_email` field is extracted from `msg` log field using the Grok pattern. The `src_ip` and `user_id` fields is extracted from `msg` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `banned_src` log field value is not empty then, `banned_src` log field is mapped to the `principal.ip` UDM field. If the `userfrom` log field value is not empty then, The `valid_ip` field is extracted from `userfrom` log field using the Grok pattern. `valid_ip` extracted field is mapped to the `principal.ip` UDM field. `user_email` extracted fields are mapped to the `principal.ip` UDM field.
`principal.asset.ip`	`src_ip`	If the `saddr` log field value is not empty then, The `saddr_ip` field is extracted from `saddr` log field using the Grok pattern. if the `saddr_ip` log field value is not empty then, `saddr_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `srcremote` log field value is not empty then, The `valid_srcremote` field is extracted from `srcremote` log field using the Grok pattern. if the `valid_srcremote` log field value is not empty then, `valid_srcremote` extracted field is mapped to the `principal.ip` UDM field. Else, if the `shost` log field value is not empty then, The `valid_shost` field is extracted from `shost` log field using the Grok pattern. if the `valid_shost` log field value is not empty then, `valid_shost` extracted field is mapped to the `principal.ip` UDM field. Else, if the `user` log field value does not contain one of the following values `Empty` `N/A` then, The `user_ip` field is extracted from `user` log field using the Grok pattern. if the `user_ip` log field value is not empty then, `user_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `ui` log field value is not empty then, The `prin_ip` field is extracted from `ui` log field using the Grok pattern. if the `prin_ip` log field value is not empty then, `prin_ip` extracted field is mapped to the `principal.ip` UDM field. If the `subtype` log field value contain one of the following values `endpoint` `system` and if the `ip` log field value is not empty and the `ip` log field value is not equal to `N/A` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and the `locip` log field value is not empty then, `locip` log field is mapped to the `principal.ip` UDM field. If the `srcip` log field value is not empty then, The `src_ip` field is extracted from `srcip` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `src` log field value is not empty then, The `src_ip` field is extracted from `src` log field using the Grok pattern. `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `msg` log field value is not empty then, The `user_email` field is extracted from `msg` log field using the Grok pattern. The `src_ip` and `user_id` fields is extracted from `msg` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `banned_src` log field value is not empty then, `banned_src` log field is mapped to the `principal.ip` UDM field. If the `userfrom` log field value is not empty then, The `valid_ip` field is extracted from `userfrom` log field using the Grok pattern. `valid_ip` extracted field is mapped to the `principal.ip` UDM field. `user_email` extracted fields are mapped to the `principal.ip` UDM field.
`principal.asset.ip`	`ip`	If the `saddr` log field value is not empty then, The `saddr_ip` field is extracted from `saddr` log field using the Grok pattern. if the `saddr_ip` log field value is not empty then, `saddr_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `srcremote` log field value is not empty then, The `valid_srcremote` field is extracted from `srcremote` log field using the Grok pattern. if the `valid_srcremote` log field value is not empty then, `valid_srcremote` extracted field is mapped to the `principal.ip` UDM field. Else, if the `shost` log field value is not empty then, The `valid_shost` field is extracted from `shost` log field using the Grok pattern. if the `valid_shost` log field value is not empty then, `valid_shost` extracted field is mapped to the `principal.ip` UDM field. Else, if the `user` log field value does not contain one of the following values `Empty` `N/A` then, The `user_ip` field is extracted from `user` log field using the Grok pattern. if the `user_ip` log field value is not empty then, `user_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `ui` log field value is not empty then, The `prin_ip` field is extracted from `ui` log field using the Grok pattern. if the `prin_ip` log field value is not empty then, `prin_ip` extracted field is mapped to the `principal.ip` UDM field. If the `subtype` log field value contain one of the following values `endpoint` `system` and if the `ip` log field value is not empty and the `ip` log field value is not equal to `N/A` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `event` and the `dhcp_msg` log field value is not empty and if the `dhcp_msg` log field value is equal to `Ack` then, `ip` log field is mapped to the `principal.ip` UDM field. If the `type` log field value is equal to `traffic` and the `subtype` log field value contain one of the following values `Empty` `forward` `local` `system` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `webfilter` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `app-ctrl` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `vpn` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `virus` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ssl` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `voip` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `ips` or the `type` log field value is equal to `event` and the `subtype` log field value is equal to `wad` or the `type` log field value is equal to `anomaly` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `anomaly` or the `type` log field value is equal to `utm` and the `subtype` log field value is equal to `waf` and if the `subtype` log field value is equal to `vpn` and the `locip` log field value is not empty then, `locip` log field is mapped to the `principal.ip` UDM field. If the `srcip` log field value is not empty then, The `src_ip` field is extracted from `srcip` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. Else, if the `src` log field value is not empty then, The `src_ip` field is extracted from `src` log field using the Grok pattern. `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `action` log field value is equal to `Add` and the `subtype` log field value is equal to `Admin` and if the `msg` log field value is not empty then, The `user_email` field is extracted from `msg` log field using the Grok pattern. The `src_ip` and `user_id` fields is extracted from `msg` log field using the Grok pattern. if the `src_ip` log field value is not empty then, `src_ip` extracted field is mapped to the `principal.ip` UDM field. If the `banned_src` log field value is not empty then, `banned_src` log field is mapped to the `principal.ip` UDM field. If the `userfrom` log field value is not empty then, The `valid_ip` field is extracted from `userfrom` log field using the Grok pattern. `valid_ip` extracted field is mapped to the `principal.ip` UDM field. `user_email` extracted fields are mapped to the `principal.ip` UDM field.

Need more help? Get answers from Community members and Google SecOps professionals.