BeyondTrust Privileged Remote Access Modeling Rule

Modeling Rule

Beyond Trust Privileged Remote Access

Details

IDBeyondTrust_PRA_ModelingRule
From Version6.10.0
TagsBeyondTrust

Rules (XIF)

[RULE: beyondtrust_pra_common_fields_modeling]
/* BeyondTrust PRA (Priviliged Remote Access) Generic Base Modeling. 
    The mappings in this rule apply to all BeyondTrust PRA event types.
    Message format documented at: 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/message-format.htm 
*/
alter  // extract message header fields 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\s*\w+"), 0)), 
    syslog_hostname = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\s*\w+\s+\S+\s+(\S+)"), 0),
    meta_sequence_id = arrayindex(regextract(_raw_log, "sequenceId=\"(\d+)"), 0), 
    site_id = arrayindex(regextract(_raw_log, "(\d+)\:\d+\:\d+\:"), 0),
    msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // extract message payload fields 
    event_type = arrayindex(regextract(msg_payload, "event\=([^;]+)"), 0), // The name of the event that occurred.
    site = arrayindex(regextract(msg_payload, "site\=(\S[^;]+)"), 0), // The hostname for which the BeyondTrust software was built.
    syslog_facility = floor(divide(syslog_priority, 8)), 
    who = arrayindex(regextract(msg_payload, "who\=(\S[^;]+)"), 0), // The username associated with this event.
    who_ip = arrayindex(regextract(msg_payload, "who_ip\=([^;]+)"), 0) // The IP address of the system that caused the event.
| alter // old/new nomenclature fields extractions: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/oldnew-nomenclature.htm
    properties_old_state = arraystring(regextract(msg_payload, "[^\=]*(old_\S[^;]+)"), ";"), // snapshot of current resource state before change
    properties_new_state = arraystring(regextract(msg_payload, "[^\=]*(new_\S[^;]+)"), ";") // current state of modified resource properties 
| alter // additional proccessing 
    authentication_method = arrayindex(regextract(who, "\susing\s+(\S+)"), 0),
    event_description = if(event_type="account_added", "A new account has been added and saved", event_type="account_changed", "An existing account has been modified and saved", event_type="account_removed", "An existing account has been deleted", event_type="account_group_added", "A new account group has been added and saved", event_type="account_group_changed", "An existing account group has been modified and saved", event_type="account_group_removed", "An existing account group has been deleted", event_type="account_jump_item_association_added", "An association with a Jump Item was added for the account", event_type="account_jump_item_association_changed", "An association with a Jump Item was changed for the account", event_type="account_jump_item_direct_association_added", "The account is allowed to be injected for the specific Jump Items", event_type="account_jump_item_direct_association_removed", "The account is removed from the allowed list to be injected for the specific Jump Items", event_type="accounts_changed", "The group of one or more accounts was modified", event_type="admin_password_reset_to_factory_default", "The Reset Admin Account button has been clicked, reverting a site's administrative account to its default credentials", event_type="api_account_added", "A new API account has been added and saved", event_type="api_account_changed", "An existing API account has been modified and saved", event_type="api_account_removed", "An existing API account has been deleted", event_type="backup_created", "A backup of the current software configuration has been saved", event_type="canned_script_added", "A new canned script has been added and saved", event_type="canned_script_category_added", "A canned script has been newly assigned to a category, and the script has been saved", event_type="canned_script_category_removed", "A previously assigned canned message has been unassigned from a category, and the script has been saved", event_type="canned_script_changed", "An existing canned script's name, description, or command sequence has been changed, and the change has been saved", event_type="canned_script_file_added", "A resource file has been newly associated with a canned script, and the script has been saved", event_type="canned_script_file_removed", "A previously associated resource file has been removed from a canned script, and the script has been saved", event_type="canned_script_removed", "An existing canned script has been deleted", event_type="canned_script_team_added", "A team has been newly assigned to a canned script, and the script has been saved", event_type="canned_script_team_removed", "A previously assigned team has been unassigned from a canned script, and the script has been saved", event_type="canned_scripts_category_added", "A new canned scripts category has been created", event_type="canned_scripts_category_removed", "An existing canned scripts category has been deleted", event_type="canned_scripts_file_added", "A new canned script resource file has been uploaded", event_type="canned_scripts_file_removed", "An existing canned script resource file has been deleted", event_type="certificate_export", "An SSL certificate has been exported from the B Series Appliance", event_type="change_display_name", "A user has attempted to change their display name", event_type="change_password", "A user has attempted to change their password", event_type="change_username", "A user has attempted to change their username", event_type="command_shell_filtering_regex_list", "The list of Shell Prompt patterns", event_type="custom_rep_link_added", "A new custom link has been added and saved", event_type="custom_rep_link_changed", "An existing custom link has been edited and saved", event_type="custom_rep_link_removed", "An existing custom link has been deleted", event_type="custom_session_attribute_added", "A new custom field for API integration has been added and saved", event_type="custom_session_attribute_changed", "An existing custom field for API integration has been edited and saved", event_type="custom_session_attribute_removed", "An existing custom field for API integration has been removed", event_type="custom_session_policy_added", "Custom session permissions have been added to a user account, and the user account has been saved", event_type="custom_session_policy_changed", "Existing custom session permissions have been edited, and the user account has been saved", event_type="custom_session_policy_removed", "Existing custom session permissions have been removed from a user account, and the user account has been saved", event_type="custom_special_action_added", "A new custom special action has been added and saved", event_type="custom_special_action_changed", "An existing custom special action has been edited and saved", event_type="custom_special_action_removed", "An existing custom special action has been removed", event_type="customizable_text_changed", "An existing login agreement has been changed", event_type="discovery_error_added", "A new Discovery job error has been added", event_type="discovery_error_changed", "A new Discovery job error has been changed", event_type="discovery_error_removed", "A new Discovery job error has been removed", event_type="domain_added", "A new vault domain has been added and saved", event_type="domain_changed", "An existing account has been modified and saved", event_type="domain_removed", "An existing vault domain has been deleted", event_type="downloaded_rep_client", "A user has clicked the link to download the access console", event_type="ecm_group_added", "An ECM Group has been added", event_type="ecm_group_changed", "An ECM Group has been changed", event_type="ecm_group_removed", "An ECM Group has been removed", event_type="endpoint_changed", "An existing endpoint has been modified and saved", event_type="endpoint_removed", "An existing endpoint has been deleted", event_type="eula_accepted", "The BeyondTrust PRA Cloud end user license agreement (EULA) has been accepted by a user, and the username has been recorded", event_type="fido2_credential_added", "A new FIDO2 Autheticator has been added and saved", event_type="fido2_credential_changed", "An existing FIDO2 Autheticator has been modified and saved", event_type="fido2_credential_removed", "An existing FIDO2 Autheticator has been deleted", event_type="file_removed_from_file_store", "A file has been deleted from the file store", event_type="file_uploaded_to_file_store", "A file has been added to the file store", event_type="group_policy_add_to_jump_group_added", "A Jump Group has been added to a group policy's Add To Jump Groups list", event_type="group_policy_add_to_jump_group_removed", "A Jump Group has been removed from a group policy's Add To Jump Groups list", event_type="group_policy_add_to_jumpoint_added", "A Jumpoint has been added to a group policy's Add To Jumpoints list", event_type="group_policy_add_to_jumpoint_removed", "A Jumpoint has been removed from a group policy's Add To Jumpoints list", event_type="group_policy_add_to_support_teams_added", "A team has been added to a group policy's Add To Teams list", event_type="group_policy_add_to_support_teams_removed", "A team has been removed from a group policy's Add To Teams list", event_type="group_policy_added", "A new group policy has been created and saved", event_type="group_policy_changed", "An existing group policy's priority level has changed, and the change has been saved", event_type="group_policy_member_added", "A new member has been added to a group policy, and the policy has been saved", event_type="group_policy_member_removed", "An existing member has been removed from a group policy, and the policy has been saved", event_type="group_policy_remove_from_jump_group_added", "A Jump Group has been added to a group policy's Remove From Jump Groups list", event_type="group_policy_remove_from_jump_group_removed", "A Jump Group has been removed from a group policy's Remove From Jump Groups list", event_type="group_policy_remove_from_jumpoint_added", "A Jumpoint has been added to a group policy's Remove From Jumpoints list", event_type="group_policy_remove_from_jumpoint_removed", "A Jumpoint has been removed from a group policy's Remove From Jumpoints list", event_type="group_policy_remove_from_support_teams_added", "A team has been added to a group policy's Remove From Teams list", event_type="group_policy_remove_from_support_teams_removed", "A team has been removed from a group policy's Remove From Teams list", event_type="group_policy_removed", "An existing group policy has been deleted", event_type="jump_item_role_added", "A new Jump Item Role has been created and saved", event_type="jump_item_role_changed", "An existing Jump Item Role has been modified and saved", event_type="jump_item_role_removed", "An existing Jump Item Role has been deleted", event_type="jump_policy:schedule_entry_added", "A new schedule entry has been added to a Jump Policy, and the policy has been saved", event_type="jump_policy:schedule_entry_removed", "An existing schedule entry has been removed from a Jump Policy, and the policy has been saved", event_type="jump_policy_added", "A new Jump Policy has been created and saved", event_type="jump_policy_changed", "An existing Jump Policy has been modified and saved", event_type="jump_policy_removed", "An existing Jump Policy has been deleted", event_type="jumpoint_cluster_added", "A new Jumpoint or Jumpoint cluster has been created and saved", event_type="jumpoint_cluster_changed", "An existing Jumpoint or Jumpoint cluster has been changed", event_type="jumpoint_cluster_removed", "An existing Jumpoint or Jumpoint cluster has been deleted", event_type="jumpoint_user_added", "A new member has been added to a Jumpoint, and the Jumpoint has been saved", event_type="jumpoint_user_removed", "An existing member has been removed from a Jumpoint, and the Jumpoint has been saved", event_type="kerberos_keytab_added", "A new Kerberos keytab has been uploaded", event_type="kerberos_keytab_removed", "An existing Kerberos keytab has been deleted", event_type="login", "A login attempt has been made", event_type="login_schedule_entry_added", "A new login schedule entry has been added to a user's group policy's login schedule, and the user account or group policy has been saved", event_type="login_schedule_entry_removed", "An existing login schedule entry has been removed from a user's group policy's login schedule, and the user group policy has been saved", event_type="logout", "A user has logged out of the access console, whether by deliberate action, by an administrator, or as the result of a lost connection to the B Series Appliance", event_type="management_account_added", "A new management account has been added and saved", event_type="management_account_changed", "An existing management account has been modified and saved", event_type="management_account_removed", "An existing management account has been deleted", event_type="msgraph_http_recipient_added", "A new service principal has been added and saved", event_type="msgraph_http_recipient_changed", "An existing service principal has been modified and saved", event_type="msgraph_http_recipient_removed", "An existing service principal has been deleted", event_type="network_address_added", "A new IP address has been added and saved", event_type="network_address_changed", "An existing IP address has been modified and saved", event_type="network_address_removed", "An existing IP address has been deleted. Note that you cannot delete the default route", event_type="network_changed", "The global network configuration has been changed, and the change has been saved", event_type="network_route_changed", "A static route has been added, modified, or removed", event_type="network_tunnel_jump_item_added", "A network tunnel Jump Item has been added", event_type="network_tunnel_jump_item_changed", "A network tunnel Jump Item has been changed and saved", event_type="network_tunnel_jump_item_removed", "A network tunnel Jump Item has been removed", event_type="outbound_event_email_recipient_added", "A new email outbound event has been added and saved", event_type="outbound_event_email_recipient_changed", "An existing email outbound event has been modified and saved", event_type="outbound_event_email_recipient_removed", "An existing email outbound event has been deleted", event_type="outbound_event_email_trigger_added", "A new trigger has been added for an email outbound event, and the event has been saved", event_type="outbound_event_email_trigger_removed", "An existing trigger for an email outbound event has been removed, and the event has been saved", event_type="outbound_event_http_recipient_added", "A new HTTP outbound event has been added and saved", event_type="outbound_event_http_recipient_changed", "An existing HTTP outbound event has been modified and saved", event_type="outbound_event_http_recipient_removed", "An existing HTTP outbound event has been deleted", event_type="outbound_event_http_trigger_added", "A new trigger has been added for an HTTP outbound event, and the event has been saved", event_type="outbound_event_http_trigger_removed", "An existing trigger for an HTTP outbound event has been removed, and the event has been saved", event_type="pending_user_added", "A pending user has been added and saved", event_type="pending_user_changed", "A pending user has been modified and saved", event_type="pending_user_removed", "A pending user was deleted", event_type="pending_vendor_user_added", "A vendor user registration request was made", event_type="pending_vendor_user_deleted", "A pending vendor user was deleted", event_type="perm_remote_shell_Allow list", "A command filtering option has been Allow listed or Deny listed. Or, all commands are allowed", event_type="perm_remote_shell_filter_commands", "The list of Allow listed or Deny listed command patterns", event_type="public_site_portal_logo_uploaded", "A new logo image for the public site has been uploaded", event_type="public_site_session_attribute_added", "A public site session attribute has been added", event_type="public_site_session_attribute_changed", "A public site session attribute has been changed", event_type="public_site_session_attribute_removed", "A public site session attribute has been removed", event_type="reboot", "The B Series Appliance has been rebooted", event_type="remote_rfb_jump_item_added", "A Remote RFB Jump Item has been added", event_type="remote_rfb_jump_item_removed", "A Remote RFB Jump Item has been removed", event_type="rep_client_connection_terminated", "An administrator has terminated a user's connection", event_type="rep_console_setting_added", "A managed access console setting has been defined for the first time, and the settings have been saved", event_type="rep_console_setting_changed", "A managed access console setting has been changed, and the settings have been saved", event_type="rep_console_setting_removed", "A managed access console setting has been marked as undefined, and the settings have been saved", event_type="rep_invite_added", "A session policy has been made available for access invites, and the session policy has been saved", event_type="rep_invite_removed", "A session policy has been made unavailable for access invites and has been saved, or a session policy available for access invites has been deleted", event_type="repinvite_setting_added", "An access invite setting has been added because a session policy has been made available for access invites, and the session policy has been saved", event_type="repinvite_setting_removed", "An access invite setting has been removed either because a session policy has been made unavailable for access invites and has been saved, or because a session policy available for access invites has been deleted", event_type="reporting_erasure", "Session reports have had representative or customer data anonymized", event_type="restored_from_backup", "The software configuration has been successfully restored from its backup file", event_type="restoring_from_backup", "The software configuration is in the process of restoring from its backup file", event_type="scheduled_discovery_job_added", "The domain scheduled discovery has been added", event_type="scheduled_discovery_job_changed", "The domain scheduled discovery has changed", event_type="security_provider_added", "A new security provider configuration has been added and saved", event_type="security_provider_changed", "An existing security provider configuration's priority level has changed, and the change has been saved", event_type="security_provider_removed", "An existing security provider configuration has been deleted", event_type="security_provider_setting_added", "A security provider setting has been added as part of the initial configuration, and the configuration has been saved", event_type="security_provider_setting_changed", "An existing security provider configuration has been modified and saved", event_type="security_provider_setting_removed", "A security provider setting has been removed as part of the deletion of a security provider configuration", event_type="server_software_restarted", "The BeyondTrust software has been restarted", event_type="session_policy_added", "A new session policy has been added and saved", event_type="session_policy_changed", "An existing session policy has been modified and saved", event_type="session_policy_removed", "An existing session policy has been deleted", event_type="setting_added", "A setting has been defined and saved for the first time", event_type="setting_changed", "A setting has been modified and saved", event_type="shared_jump_group_added", "A new Jump Group has been added and saved", event_type="shared_jump_group_changed", "An existing Jump Group has been modified and saved", event_type="shared_jump_group_removed", "An existing Jump Group has been deleted", event_type="SNMP_changed", "The SNMPv2 Server has been changed", event_type="ssh_account_added", "An SSH account has been added", event_type="ssh_account_changed", "An SSH account has been modified and saved", event_type="ssh_account_removed", "An SSH account has been removed", event_type="starting_support_tunnel", "A support tunnel has been initiated from the B Series Appliance", event_type="support_session_detail_generated", "A detailed report has been run for an access session", event_type="support_session_report_generated", "A report of access sessions has been run", event_type="support_session_summary_report_generated", "A summary report of support sessions has been run", event_type="support_team_added", "A team has been added", event_type="support_team_changed", "A team has been changed", event_type="support_team_member_added", "A new member has been added to a team, and the team has been saved", event_type="support_team_member_changed", "An existing member has been assigned a different role in a team, and the team has been saved", event_type="support_team_member_removed", "An existing member has been deleted from a team, and the team has been saved", event_type="support_team_removed", "An existing team has been deleted", event_type="syslog_server_changed", "The remote syslog server setting has been changed and saved", event_type="team_activity_report_generated", "A team activity report has been run", event_type="user_account_report_generated", "A user account report has been generated", event_type="user_added", "A new local user has been created and saved. Event fields differ between /login users and /appliance users", event_type="user_changed", "An existing local user has been modified and saved. Event fields differ between /login users and /appliance users", event_type="user_removed", "An existing local user has been deleted. Event fields differ between /login users and /appliance users", event_type="user_session_policy_added", "A session policy has been applied to a user account, and the user account has been saved", event_type="user_session_policy_removed", "A session policy has been removed from a user account, and the user account has been saved", event_type="vault_account_password_rotation", "Vault account password has been rotated", event_type="vendor_activity_report_generated", "A vendor report was generated", event_type="windows_service_changed", "A Windows service has been changed and saved", event_type="windows_service_removed", "A Windows service was removed", event_type),
    source_ipv4 = if(who_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", who_ip),
    source_ipv6 = if(who_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", who_ip),
    syslog_severity = to_string(subtract(syslog_priority, multiply(syslog_facility, 8))),
    user_name = arrayindex(regextract(who, "\(([^\)]+)"), 0),
    user_first_name = arrayindex(regextract(who, "((?:\S+\.\s+){0,1}\S+)"), 0),
    user_last_name = trim(arrayindex(regextract(who, "(?:\S+\.\s+){0,1}\S+\s(.+)\("), 0))
| alter // xdm mapping 
    xdm.alert.severity = syslog_severity,
    xdm.auth.auth_method = authentication_method, 
    xdm.auth.privilege_level = if(user_name = "admin", XDM_CONST.PRIVILEGE_LEVEL_ADMIN),
    xdm.source.user.first_name = user_first_name,
    xdm.source.user.last_name = user_last_name, 
    xdm.source.user.username = user_name, 
    xdm.event.id = meta_sequence_id,
    xdm.event.log_level = if(syslog_severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, syslog_severity = "1", XDM_CONST.LOG_LEVEL_ALERT, syslog_severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, syslog_severity = "3", XDM_CONST.LOG_LEVEL_ERROR, syslog_severity = "4", XDM_CONST.LOG_LEVEL_WARNING, syslog_severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, syslog_severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, syslog_severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, syslog_severity),
    xdm.event.original_event_type = event_type, 
    xdm.event.description = event_description,
    xdm.intermediate.host.hostname = site,
    xdm.observer.name = syslog_hostname, 
    xdm.observer.unique_identifier = site_id,
    xdm.session_context_id = meta_sequence_id,
    xdm.source.ipv4 = source_ipv4,
    xdm.source.ipv6 = source_ipv6,
    xdm.target.resource.value = properties_new_state, 
    xdm.target.resource_before.value = properties_old_state;


[MODEL: dataset = beyondtrust_pra_raw]
/* Event Specific Modeling. 
    The following mappings apply to specific event types, according to the conditional filters applied. 
    The various fields for each event are described at: 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/index.htm */

/* Account Jump Item Association Events: 
    These mappings apply to the following events: account_jump_item_association_added, account_jump_item_association_removed. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/account-jump-item-association.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("account_jump_item", "account_jump_item_association_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // account_jump_item", "account_jump_item_association_removed"
    account_group_id = arrayindex(regextract(msg_payload, "account_group_id\=(\S[^;]+)"), 0), // The unique identifier of the account group.
    account_id = arrayindex(regextract(msg_payload, "account_id\=(\S[^;]+)"), 0), // The unique identifier of the account.
    jump_item_association_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]+)"), 0) // The unique identifier of the association.
| alter 
    xdm.target.user.groups = if(account_group_id != null, arraycreate(account_group_id)),
    xdm.target.user.identifier = account_id,
    xdm.target.resource.id = jump_item_association_id, 
    xdm.target.resource.type = if(jump_item_association_id != null, "jump item association");

/* Account Modification, Group Modification & Group Membership Events Fields:
    These mappings apply to the following event types: "account_added", "account_changed", "accounts_changed", "account_removed", "account_group_added", "account_group_changed", "account_group_removed", "account_user_added", "account_user_removed */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("account_added", "account_changed", "accounts_changed", "account_removed", "account_group_added", "account_group_changed", "account_group_removed", "account_user_added", "account_user_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // Account Fields: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/account.htm
    vault_account_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of the vault account.
    vault_account_username = arrayindex(regextract(msg_payload, "username\=(\S[^;]+)"), 0), // The username of the vault account.
    account_group_id1 = arrayindex(regextract(msg_payload, "group\=(\S[^;]+)"), 0) // 	The unique identifier of the account group.
| alter // Account Group Fields: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/account-group.htm
    account_group_id2 = arrayindex(regextract(msg_payload, "id\=(\w[^;]+)"), 0), // The unique identifier of the account group.
    account_group_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0) // The name of the account group.
| alter // Account Group Membership Fields: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/account-group-membership.htm
    accounts_id = arrayindex(regextract(msg_payload, "accounts_id\=(\S[^;]+)"), 0), // The unique identifier of the vault accounts.
    new_account_group_id = arrayindex(regextract(msg_payload, "new_group\=(\S[^;]+)"), 0) // The unique identifier of the target account group.
| alter // Account User Fields: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/account-user.htm
    vault_account_id = arrayindex(regextract(msg_payload, "account\:id\=(\S[^;]+)"), 0), // The unique identifier of the vault account.
    vault_account_associated_role = arrayindex(regextract(msg_payload, "role\=(\S[^;]+)"), 0), // The role associated with the vault account. The two possible options are Inject and Inject and Checkout.
    vault_account_associated_user_id = arrayindex(regextract(msg_payload, "user\:id\=(\S[^;]+)"), 0) // The unique identifier of the user associated with this vault account.
| alter target_group = coalesce(account_group_name, new_account_group_id, account_group_id1, account_group_id2, vault_account_associated_role)
| alter 
    xdm.target.resource.name = vault_account_name, 
    xdm.target.resource.type = if(vault_account_name != null, "vault account name"),
    xdm.target.user.identifier = coalesce(accounts_id, vault_account_id, vault_account_associated_user_id),
    xdm.target.user.username = coalesce(vault_account_username, vault_account_name),
    xdm.target.user.groups = if(target_group != null, arraycreate(target_group));

/* API Account Events: 
    These mappings apply to the following events: api_account_added, api_account_changed & api_account_removed. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/api-account-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("api_account_added", "api_account_changed", "api_account_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    api_ip_addresses = arrayindex(regextract(msg_payload, "ip_addresses\=(\S[^;]+)"), 0), // Comma-delimited list of network address prefixes from which this account can authenticate.
    api_account_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of the API account.
    api_account_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]+)"), 0), // The unique identifier of the API account.
    api_ecm_group = arrayindex(regextract(msg_payload, "ecm_group\=(\S[^;]+)"), 0), // The ID of the ECM (Endpoint Credentials Manager) Group that the account belongs to.
    is_enabled =  arrayindex(regextract(msg_payload, "enabled\=(0|1)"), 0)  // 1: This API account is enabled, 0: This API account is disable
| alter 
    is_api_account_disabled = if(is_enabled = "0", to_boolean("TRUE"), is_enabled = "1", to_boolean("FALSE")),
    permitted_ip_addresses = arraymap(regextract(api_ip_addresses, "([^,]+)"), trim("@element"))
| alter
    permitted_ipv4_addresses = arrayfilter(permitted_ip_addresses, "@element" ~= "\."),
    permitted_ipv6_addresses = arrayfilter(permitted_ip_addresses, "@element" ~= ":")
| alter
    xdm.target.host.ipv4_addresses = permitted_ipv4_addresses,
    xdm.target.host.ipv6_addresses = permitted_ipv6_addresses,
    xdm.target.subnet = api_ip_addresses,
    xdm.target.user.username = api_account_name, 
    xdm.target.user.identifier = api_account_id, 
    xdm.target.user.user_type = XDM_CONST.USER_TYPE_SERVICE_ACCOUNT, 
    xdm.target.user.is_disabled = is_api_account_disabled,
    xdm.target.user.groups = if(api_ecm_group != null, arraycreate(api_ecm_group));
    
/* Canned Script Events: 
    These mappings apply to the following events: "canned_script_category_added", "canned_script_category_removed", "canned_script_added", "canned_script_changed", "canned_script_removed", "canned_script_file_added", "canned_script_file_removed", "canned_script_team_added", "canned_script_team_removed", "canned_scripts_category_added", "canned_scripts_category_removed", "canned_scripts_file_added", "canned_scripts_file_removed"
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/canned-script-category-fields.htm
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/canned-script-fields.htm
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/canned-script-file-fields.htm
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/canned-script-team-fields.htm
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/canned-scripts-category-fields.htm
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/canned-scripts-file-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("canned_script_category_added", "canned_script_category_removed", "canned_script_added", "canned_script_changed", "canned_script_removed", "canned_script_file_added", "canned_script_file_removed", "canned_script_team_added", "canned_script_team_removed", "canned_scripts_category_added", "canned_scripts_category_removed", "canned_scripts_file_added", "canned_scripts_file_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    canned_script_id1 = arrayindex(regextract(msg_payload, "canned_script\:id\=(\S[^;]+)"), 0),
    canned_script_id2 = arrayindex(regextract(msg_payload, "id\=(\w[^;]*);"), 0),
    canned_script_name1 = arrayindex(regextract(msg_payload, "canned_script\:name\=(\S[^;]+)"), 0),
    canned_script_name2 = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0),
    canned_script_commands = arrayindex(regextract(msg_payload, "commands\=(\S.+?)\;\s*[\w\:]+\="), 0),
    canned_script_filename = arrayindex(regextract(msg_payload, "filename\=(\S[^;]+)"), 0),
    canned_script_team_id = arrayindex(regextract(msg_payload, "team\:id\=(\S[^;]+)"), 0),
    canned_script_team_name = arrayindex(regextract(msg_payload, "team\:name\=(\S[^;]+)"), 0),
    canned_script_category = arrayindex(regextract(msg_payload, "category\=(\S[^;]+)"), 0)
| alter 
    xdm.target.process.command_line = canned_script_commands,
    xdm.target.file.filename = canned_script_filename, 
    xdm.target.resource.id = coalesce(canned_script_id1, canned_script_id2),
    xdm.target.resource.name = coalesce(canned_script_name1, canned_script_name2),
    xdm.target.resource.type = canned_script_category,
    xdm.target.user.groups = if(canned_script_team_id != null or canned_script_team_name != null, arrayconcat(arraycreate(canned_script_team_id), arraycreate(canned_script_team_name)));

/* Certificate Export Event: 
    These mappings apply to the certificate_export event. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/certificate-export-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("certificate_export")
| call beyondtrust_pra_common_fields_modeling
| alter 
    certificate_friendly_name = arrayindex(regextract(_raw_log, "friendly_name\=(\S[^;]+)"), 0), // The friendly name of the certificate being exported.
    exported_with_private_key = arrayindex(regextract(_raw_log, "exported_with_private_key\=(0|1)"), 0) // 1: The private key is included in this export, 0: The private key is not included in this export.
| alter operation = if(exported_with_private_key = "0", "Certificate exported, private key was not included.", exported_with_private_key="1", "Certificate exported, private key was included.")
| alter 
    xdm.event.operation_sub_type = operation,
    xdm.target.resource.name = certificate_friendly_name, 
    xdm.target.resource.type = "certificate";

/* Custom Rep Link Events : 
    These mappings apply to the following events: custom_rep_link_added, custom_rep_link_changed, custom_rep_link_removed. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/custom_rep_link.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("custom_rep_link_added", "custom_rep_link_changed", "custom_rep_link_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    custom_link_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier of the custom link.
    custom_link_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of the custom link.
    custom_link_url = arrayindex(regextract(msg_payload, "url\=(\S[^;]+)"), 0) // The URL of the custom link.
| alter 
    xdm.target.resource.id = custom_link_id, 
    xdm.target.resource.name = custom_link_name,
    xdm.target.resource.type = if(custom_link_id != null, "custom link URL"),
    xdm.target.url = custom_link_url;

/* Custom Special Action Events:
    These mappings apply to the following events: custom_special_action_added, custom_special_action_changed, custom_special_action_removed. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/custom-special-action-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("custom_special_action_added", "custom_special_action_changed", "custom_special_action_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    custom_special_action_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier of this custom special action.
    custom_special_action_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of this custom special action.
    custom_special_action_command = arrayindex(regextract(msg_payload, "command\=(\S[^;]+)"), 0), // The full path of the application to run.
    custom_special_action_arguments = arrayindex(regextract(msg_payload, "arguments\=([^;]+)"), 0) // Command line arguments to apply the command.	
| alter 
    xdm.target.resource.id = custom_special_action_id, 
    xdm.target.resource.name = custom_special_action_name,
    xdm.target.resource.type = if(custom_special_action_id != null, "custom special action"),
    xdm.target.process.command_line = concat(custom_special_action_command, " ", custom_special_action_arguments);

/*  Custom & User Session Policy Events: 
    These mappings apply to the following events: custom_session_policy_added, custom_session_policy_changed, custom_session_policy_removed, user_session_policy_added, user_session_policy_removed. 
    Custom session policy events also include the Support Permissions Fields. */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("custom_session_policy_added", "custom_session_policy_changed", "custom_session_policy_removed", "user_session_policy_added", "user_session_policy_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // custom sessions policy: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/custom-session-policy-fields.htm
    object_description = arrayindex(regextract(msg_payload, "description\=(\S[^;]+)"), 0), // The description of the object to which this custom session policy is applied in the form of object(type):name. The object may be one of users or policies. A users object is followed by @ and the ID of its security provider. The type is either attended or unattended. The name is the name of the object.
    custom_session_policy_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]+)"), 0),  // The unique identifier of this custom session policy.
    custom_session_policy_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of this custom session policy. This name is assigned by the B Series Appliance and cannot be modified.
    custom_session_policy_code_name = arrayindex(regextract(msg_payload, "code_name\=(\S[^;]+)"), 0) // The code name of this custom session policy.
| alter // user sessions policy: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/user-session-policy-fields.htm
    user_id = arrayindex(regextract(msg_payload, "user\:id\=([^;]+)"), 0), //The unique identifier of the user with whom the session policy is associated.
    user_name = arrayindex(regextract(msg_payload, "user\:username\=(\S[^;]+)"), 0), // The username of the user with whom the session policy is associated.
    user_session_policy_name = arrayindex(regextract(msg_payload, "session_policy\:name\=(\S[^;]+)"), 0) // The name of the session policy associated with this user.
| alter 
    user_object = arrayindex(regextract(object_description, "([^\@]+)\@"), 0)
| alter 
    xdm.network.rule = coalesce(custom_session_policy_code_name, user_session_policy_name),
    xdm.target.resource.id = custom_session_policy_id, 
    xdm.target.resource.name = custom_session_policy_name,
    xdm.target.resource.type = if(custom_session_policy_id != null, "custom session policy"),
    xdm.target.user.identifier = user_id,
    xdm.target.user.username = coalesce(user_object, user_name);

/* Custom Session Attribute Events: 
    These fields apply to the following events: custom_session_attribute_added, custom_session_attribute_changed, and custom_session_attribute_removed. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/custom-session-attribute-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("custom_session_attribute_added", "custom_session_attribute_changed", "custom_session_attribute_removed")
| call beyondtrust_pra_common_fields_modeling
| alter 
    custom_session_attribute_id = arrayindex(regextract(_raw_log, "id\=(\w[^;]+)"), 0),  // The unique identifier of the custom session attribute.
    custom_session_attribute_name = arrayindex(regextract(_raw_log, "name\=(\S[^;]+)"), 0) // The display name of the custom session attribute.
| alter 
    xdm.target.resource.id = custom_session_attribute_id, 
    xdm.target.resource.name = custom_session_attribute_name,
    xdm.target.resource.type = if(custom_session_attribute_id != null, "custom session attribute");

/* Discovery Error Events : 
    These mappings apply to the following events: discovery_error_added, discovery_error_changed, discovery_error_removed. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/discovery-error.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("discovery_error_added", "discovery_error_changed", "discovery_error_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    system_name = arrayindex(regextract(msg_payload, "system_name\=(\w[^;]*)"), 0), // The hostname or computer name which this error belongs.
    discovery_job_id = arrayindex(regextract(msg_payload, "discovery_job_id\=(\S[^;]+)"), 0), // The unique identifier of the Discovery job to which this error belongs.
    error_type = arrayindex(regextract(msg_payload, "type\=(\d+)"), 0), // The type of error.
    user_error_description = arrayindex(regextract(msg_payload, "user_error\=(\S[^;]+)"), 0) // The error description.
| alter 
    xdm.alert.subcategory = to_string(error_type), 
    xdm.alert.description = user_error_description,
    xdm.target.host.hostname = system_name, 
    xdm.target.resource.id = discovery_job_id, 
    xdm.target.resource.type = if(discovery_job_id != null, "discovery job");

/* ECM (Endpoint Credential Manager) Group Events : 
    These mappings apply to the following events: ecm_group_added, ecm_group_changed, ecm_group_removed. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/ecm-group-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("ecm_group_added", "ecm_group_changed", "ecm_group_removed")
| call beyondtrust_pra_common_fields_modeling
| alter 
    ecm_group_id = arrayindex(regextract(_raw_log, "id\=(\w[^;]*)"), 0), // The unique identifier of the ECM Group.
    ecm_group_name = arrayindex(regextract(_raw_log, "name\=([^;]+)"), 0) //The name of the ECM Group.
| alter 
    xdm.target.user.groups = arrayconcat(arraycreate(ecm_group_id), arraycreate(ecm_group_name)),
    xdm.target.resource.id = ecm_group_id,
    xdm.target.resource.name = ecm_group_name, 
    xdm.target.resource.type = if(ecm_group_id != null or ecm_group_name != null, "ecm group");

/* Endpoint Events: 
    These fields apply to the following event types: endpoint_changed, endpoint_removed.
    Full documentation: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/endpoint.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("endpoint_changed", "endpoint_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    endpoint_hostname = arrayindex(regextract(msg_payload, "hostname\=([^;]+)"), 0), // The hostname of the endpoint.
    endpoint_fqdn = arrayindex(regextract(msg_payload, "distinguished_name\=([^;]+)"), 0), // The distinguished name of the endpoint.
    endpoint_domain_id = arrayindex(regextract(msg_payload, "domain_id\=([^;]+)"), 0), // The unique identifier of the Domain to which this endpoint belongs.
    endpoint_unique_id = arrayindex(regextract(msg_payload, "unique_id\=([^;]+)"), 0), // The unique identifier of the endpoint.
    endpoint_name = arrayindex(regextract(msg_payload, "name\=([^;]+)"), 0), // The name of the endpoint.
    endpoint_is_domain_controller = arrayindex(regextract(msg_payload, "is_domain_controller\=(0|1)"), 0), //1: The endpoint is a domain controller. 0: The endpoint is not a domain controller.
    endpoint_os = arrayindex(regextract(msg_payload, "operating_system\=([^;]+)"), 0) // The operating system of the endpoint.
| alter os = lowercase(endpoint_os)
| alter 
    xdm.target.domain = endpoint_domain_id,
    xdm.target.host.hostname = endpoint_hostname, 
    xdm.target.host.fqdn = endpoint_fqdn, 
    xdm.target.host.device_id = endpoint_unique_id, 
    xdm.target.host.device_category = if(endpoint_is_domain_controller = "1", "Domain Controller"),
    xdm.target.host.os = endpoint_os,
    xdm.target.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA, to_string(endpoint_os)),
    xdm.target.resource.name = endpoint_name,
    xdm.target.resource.id = endpoint_unique_id,
    xdm.target.resource.type = if(endpoint_unique_id != null, "endpoint machine");

/* File Store Events : 
    These mappings apply to the following events: file_removed_from_file_store, file_uploaded_to_file_store. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/file-store-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("file_removed_from_file_store", "file_uploaded_to_file_store")
| call beyondtrust_pra_common_fields_modeling
| alter 
    file_name = arrayindex(regextract(_raw_log, "filename\=([^;]+)"), 0), // The name of the file being uploaded to or removed from the file store.
    file_size = arrayindex(regextract(_raw_log, "size\*?\=(\d+)"), 0) // The size in bytes of the file being uploaded to the file store.
| alter 
    xdm.target.file.filename = file_name, 
    xdm.target.file.size = to_integer(file_size);

/* Group Policy Events: 
    These mappings apply to the following events: 
        group_policy_add_to_jump_group_added, group_policy_add_to_jump_group_removed, group_policy_add_to_jumpoint_added, group_policy_add_to_jumpoint_removed, 
        group_policy_add_to_support_teams_added, group_policy_add_to_support_teams_removed, group_policy_added, group_policy_changed, group_policy_removed,
        group_policy_member_added, group_policy_member_removed, group_policy_remove_from_jump_group_added, group_policy_remove_from_jumpoint_added, 
        group_policy_remove_from_jumpoint_removed, group_policy_remove_from_support_teams_added, group_policy_remove_from_support_teams_removed
            https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-add-to-jump-group-fields.htm 
            https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-remove-from-jump-group-fields.htm
            https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-add-to-jumpoint-fields.htm
            https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-remove-from-jumpoint-fields.htm
            https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-add-to-support-teams-fields.htm
            https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-add-to-support-teams-fields.htm
            https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-member-fields.htm
            https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-remove-from-jumpoint-fields.htm
            https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-remove-from-support-teams-fields.htm
            */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("group_policy_add_to_jump_group_added", "group_policy_add_to_jump_group_removed", "group_policy_add_to_jumpoint_added", "group_policy_add_to_jumpoint_removed", "group_policy_add_to_support_teams_added", "group_policy_add_to_support_teams_removed", "group_policy_added", "group_policy_changed", "group_policy_removed", "group_policy_member_added", "group_policy_member_removed", "group_policy_remove_from_jump_group_added", "group_policy_remove_from_jump_group_removed", "group_policy_remove_from_jumpoint_added", "group_policy_remove_from_jumpoint_removed", "group_policy_remove_from_support_teams_added", "group_policy_remove_from_support_teams_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // Group Policy Add/Remove to/from Jump Group:
    group_policy_id1 = arrayindex(regextract(msg_payload, "group_policy\:id\=(\w[^;]*)"), 0), // The unique identifier of this group policy.
    group_policy_name1 = arrayindex(regextract(msg_payload, "group_policy\:name\=([^;]+)"), 0), // The name of this group policy.
    jump_group_id = arrayindex(regextract(msg_payload, "jump_group\:id\=(\w[^;]*)"), 0), // The unique identifier of the Jump Group to which members of this group policy should be added.
    jump_group_name = arrayindex(regextract(msg_payload, "jump_group\:name\=([^;]+)"), 0), // The name of the Jump Group to which members of this group policy should be added.
    jump_item_role_id = arrayindex(regextract(msg_payload, "jump_item_role\:id\=(\w[^;]*)"), 0), // The unique identifier of the Jump Item Role to assign to members of this group policy specific to this Jump Group.
    jump_item_role_name = arrayindex(regextract(msg_payload, "jump_item_role\:name\=([^;]+)"), 0), //The name of the Jump Item Role to assign to members of this group policy specific to this Jump Group.
    jump_policy_id = arrayindex(regextract(msg_payload, "jump_policy\:id\=(\w[^;]*)"), 0), // The unique identifier of the Jump Policy to assign to members of this group policy specific to this Jump Group.
    jump_policy_name = arrayindex(regextract(msg_payload, "jump_policy\:name\=([^;]+)"), 0) // The name of the Jump Policy to assign to members of this group policy specific to this Jump Group.
| alter // Group Policy Add/Remove to/from Jumpoint:
    jumpoint_id = arrayindex(regextract(msg_payload, "jumpoint\:id\=(\w[^;]*)"), 0), // The unique identifier of the Jumpoint to which members of this group policy should be added.
    jumpoint_name = arrayindex(regextract(msg_payload, "jumpoint\:name\=([^;]+)"), 0) // The name of the Jumpoint to which members of this group policy should be added.
| alter // Group Policy Add/Remove to/from Support to Teams:
    role = arrayindex(regextract(msg_payload, "role\=([^;]+)"), 0), // The role assigned to members of this group policy specific to the team (member, lead or manager)
    support_team_id = arrayindex(regextract(msg_payload, "support_team\:id\=(\w[^;]*)"), 0), // The unique identifier of the team to which members of this group policy should be added.
    support_team_name = arrayindex(regextract(msg_payload, "support_team\:name\=([^;]+)"), 0) // The name of the team to which members of this group policy should be added.
| alter // Group Policy:
    is_account_disabled = arrayindex(regextract(msg_payload, "account\:disabled\=(0|1)"), 0), // 1: The accounts associated with this group policy are disabled. 0: The accounts associated with this group policy are active.
    is_login_code_enabled = arrayindex(regextract(msg_payload, "login_code\:enabled\=(0|1)"), 0), // 1: Users must enter an emailed login code to log in. 0: Users may log in without an emailed login code.
    group_policy_id2 = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier of this group policy.
    group_policy_name2 = arrayindex(regextract(msg_payload, "name\=([^;]+)"), 0), // The name of this group policy.
    policy_id = arrayindex(regextract(msg_payload, "policy\:id\=([^;]+)"), 0), // The name of this group policy.
    policy_name = arrayindex(regextract(msg_payload, "policy\:name\=([^;]+)"), 0), // The name of the group policy for which this setting is configured.
    jumpoints = arrayindex(regextract(msg_payload, "jumpoints\=([^;]+)"), 0) //The group's Jumpoint access in the form of permission:id:name, where permission is one of added, removed, or unknown; id is the unique identifier of the Jumpoint; and name is the name of the Jumpoint.
| alter // Group Policy Member Fields:
    security_provider_id = arrayindex(regextract(msg_payload, "provider\:id\=([^;]*)"), 0), // The unique identifier of the security provider against which this member authenticates.
    security_provider_name = arrayindex(regextract(msg_payload, "provider\:name\=([^;]*)"), 0), // The name of the security provider against which this member authenticates.
    user_external_id = arrayindex(regextract(msg_payload, "user\:external_id\=(\w[^;]*)"), 0) // The unique identifier of this group policy member.
| alter // additional proccessing 
    group_policy_id = coalesce(group_policy_id1, group_policy_id2),
    group_policy_name = coalesce(group_policy_name1, group_policy_name2),
    groups_and_roles = arrayfilter(arrayconcat(arraycreate(jump_group_id), arraycreate(jump_group_name), arraycreate(jump_item_role_id), arraycreate(jump_item_role_name), arraycreate(role), arraycreate(support_team_id), arraycreate(support_team_name), arraycreate(jumpoints)), len("@element") > 0)
| alter 
    policy = if(policy_id != null, concat(policy_id, "(", policy_name, ")")),
    group_policy = if(group_policy_id != null, concat(group_policy_id, "(", group_policy_name, ")")),
    jump_policy = if(jump_policy_id != null, concat(jump_policy_id, "(", jump_policy_name, ")")),
    security_provider = if(security_provider_id != null, concat(security_provider_id, "(", security_provider_name, ")"))
| alter 
    xdm.auth.mfa.provider = security_provider,
    xdm.auth.is_mfa_needed = if(is_login_code_enabled = "1", to_boolean("TRUE"), is_login_code_enabled = "0",  to_boolean("FALSE")),
    xdm.network.rule = coalesce(policy, group_policy, jump_policy),
    xdm.target.resource.id = coalesce(policy_id, group_policy_id, jump_policy_id, jumpoint_id),
    xdm.target.resource.name = coalesce(policy_name, group_policy_name, jump_policy_name, jumpoint_name),
    xdm.target.resource.type = if(policy_id != null, "group policy", group_policy_id != null, "group policy", jump_policy_id != null, "jump policy", jumpoint_name != null, "jumppoint"),
    xdm.target.user.is_disabled = if(is_account_disabled = "1", to_boolean("TRUE"), is_account_disabled = "0",  to_boolean("FALSE")),
    xdm.target.user.identifier = user_external_id,
    xdm.target.user.groups = groups_and_roles;

/* Jumpoint User & Domain Events : 
    These mappings apply to the following events: jumpoint_user_added, jumpoint_user_removed, domain_added, domain_changed, domain_removed  
    Docs: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/jumpoint-user-fields.htm 
          https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/domain.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("jumpoint_user_added", "jumpoint_user_removed", "domain_added", "domain_changed", "domain_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    jumppoint_id = arrayindex(regextract(msg_payload, "jumpoint\:id\=(\w[^;]*)"), 0), // The unique identifier of the Jumpoint to which this user/domain is being added or removed.
    jumppoint_name = arrayindex(regextract(msg_payload, "jumpoint\:name\=(\S[^;]+)"), 0), // The name of the Jumpoint to which this user is being added or removed.
    jumppoint_associated_user_id = arrayindex(regextract(msg_payload, "user\:id\=(\S[^;]*)"), 0), // The unique identifier of the user being added or removed. 
    jumppoint_associated_username = arrayindex(regextract(msg_payload, "user\:username\=(\S[^;]+)"), 0), // The name of the user being added or removed.
    jumppoint_associated_vault_domain_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0) // The name of the vault account domain added, changed or remoed.
| alter 
    xdm.target.domain = jumppoint_associated_vault_domain_name,
    xdm.target.resource.id = jumppoint_id, 
    xdm.target.resource.name = jumppoint_name,
    xdm.target.resource.type = if(jumppoint_id != null, "jumppoint"),
    xdm.target.user.identifier = jumppoint_associated_user_id,
    xdm.target.user.username = jumppoint_associated_username;

/* Login, Logout, User Properties Modifications, & Vacult Account rotation Events:
    These mappings appliy to the following event types: "login", "logout", "change_display_name", "change_password", "change_username", "vault_account_password_rotation". 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/login-fields.htm
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/change-display-name.htm
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/change-password-fields.htm
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/change-username-fields.htm  
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/vault-account-password-rotation.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("login", "logout", "change_display_name", "change_password", "change_username", "vault_account_password_rotation")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    reason = arrayindex(regextract(msg_payload, "reason\=(\S[^;]+)"), 0), // Indicates the reason for failure / action
    status = arrayindex(regextract(msg_payload, "status\=(\S[^;]+)"), 0), // Whether the login/change/rotation attempt succeeded or failed.
    target_interface = arrayindex(regextract(msg_payload, "target\=(\S[^;]+)"), 0), // The authentication area from which the activity change attempt was made (web/api, web/appliance, web/login)
    vault_rotated_account = arrayindex(regextract(msg_payload, "account\=(\S[^;]+)"), 0) // The account username rotated.
| alter
    xdm.source.user.is_disabled = if(reason ~= "account disabled|account expired", to_boolean("TRUE")),
    xdm.source.user.is_password_expired = if(reason ~= "change password", to_boolean("TRUE")),
    xdm.event.outcome = if(status = "success", XDM_CONST.OUTCOME_SUCCESS, status ~= "fail", XDM_CONST.OUTCOME_FAILED),
    xdm.event.outcome_reason = reason, 
    xdm.logon.type = target_interface,
    xdm.target.user.username = vault_rotated_account;

/*  Network Address Events:
    These mappings apply to the following events: network_address_added, network_address_changed, network_address_removed, network_changed 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/network-address-fields.htm 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/network-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("network_address_added", "network_address_changed", "network_address_removed", "network_changed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // Network Address:
    interface = arrayindex(regextract(msg_payload, "interface=(\S[^;]+)"), 0), // The NIC to use as the interface.
    ip = arrayindex(regextract(msg_payload, ";ip\=([^;]+)"), 0), // The IP address of the interface.
    netmask = arrayindex(regextract(msg_payload, "netmask\=([^;]+)"), 0) // The netmask for this IP address.
| alter // Network Fields: 
    dns_server_ip_addresses = regextract(msg_payload, "dns\:\d=([^;]+)"), // The IP addresses of the DNS servers.
    gateway_interface = arrayindex(regextract(msg_payload, "gateway\:interface\=([^;]+)"), 0), // The interface to use as the default gateway.
    gateway_ip = arrayindex(regextract(msg_payload, "gateway\:ip\=([^;]+)"), 0), // The IP address of the default gateway.
    ntp_server_ip = arrayindex(regextract(msg_payload, "ntp_server\=([^;]+)"), 0), // The IP address of the  NTP server.
    hostname =  arrayindex(regextract(msg_payload, "hostname\=([^;]+)"), 0), // The hostname of the B Series Appliance.
    ssl_ciphers = arrayindex(regextract(msg_payload, "ssl\:ciphers\=([^;]+)"), 0) // The set of ciphersuites supported by the B Series Appliance for HTTPS/SSL traffic.
| alter 
    ip_addresses = arrayconcat(dns_server_ip_addresses, arraycreate(ip), arraycreate(gateway_ip), arraycreate(ntp_server_ip)),
    interface = coalesce(interface, gateway_interface),
    ip_address = coalesce(ip, gateway_ip)
| alter 
    ipv4_address = if(ip_address ~= "\.", ip_address),
    ipv6_address = if(ip_address ~= "\:", ip_address),
    ipv4_addresses = arrayfilter(ip_addresses, "@element" ~= "\."),
    ipv6_addresses = arrayfilter(ip_addresses, "@element" ~= "\:")
| alter 
    xdm.network.dhcp.dns_server = dns_server_ip_addresses,
    xdm.network.tls.cipher = ssl_ciphers,
    xdm.target.interface = interface,
    xdm.target.ipv4 = ipv4_address,
    xdm.target.ipv6 = ipv6_address,
    xdm.target.host.ipv4_addresses = ipv4_addresses,
    xdm.target.host.ipv6_addresses = ipv6_addresses,
    xdm.target.host.hostname = hostname,
    xdm.target.subnet = netmask;

/* Management Account Events: 
    These mappings apply to the following events: management_account_added, management_account_changed, management_account_removed. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/management-account.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("management_account_added", "management_account_changed", "management_account_removed")
| call beyondtrust_pra_common_fields_modeling
| alter 
    domain_account_id = arrayindex(regextract(_raw_log, "domain_account\:id\=(\S[^;]+)"), 0), // The unique identifier of the domain account.
    domain_id = arrayindex(regextract(_raw_log, "domain\:id\=(\w[^;]*)"), 0) // The unique identifier of the domain.
| alter 
    xdm.target.domain = domain_id,
    xdm.target.user.identifier = domain_account_id,
    xdm.target.resource.id = domain_id, 
    xdm.target.resource.type = if(domain_id != null, "domain");

/* Pending User Events: 
    These mappings apply to the following events: pending_user_added, pending_user_changed, pending_user_removed. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/pending-user-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("pending_user_added", "pending_user_changed", "pending_user_removed")
| call beyondtrust_pra_common_fields_modeling
| alter 
    user_display_name = split(arrayindex(regextract(msg_payload, "name\=([^;]+)"), 0)), // The name of this user.
    user_username = arrayindex(regextract(_raw_log, "username\=(\S[^;]+)"), 0), // The user username.
    user_id = arrayindex(regextract(_raw_log, ";id\=(\S[^;]+)"), 0) // The user id.
| alter 
    xdm.target.user.identifier = user_id,
    xdm.target.user.username = user_username,
    xdm.target.user.first_name = arrayindex(user_display_name, 0),
    xdm.target.user.last_name = arrayindex(user_display_name, 1);

/* Report Events: 
    These fields apply to the following event types: 
    support_session_report_generated, support_session_detail_generated, support_session_summary_report_generated, and team_activity_report_generated events. 
    Full documentation: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/report-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("support_session_report_generated", "support_session_detail_generated", "support_session_summary_report_generated", "team_activity_report_generated")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    computer_name = arrayindex(regextract(msg_payload, "computer_name\=(\S[^;]+)"), 0), // The computer name filter used in the query, if specified.
    lsid = arrayindex(regextract(msg_payload, "lsid\=(\S[^;]+)"), 0), // The unique session identifier used to query for a detailed session report, if specified.
    lsids = arrayindex(regextract(msg_payload, "lsids\=(\S[^;]+)"), 0), // A comma-separated list of unique session identifiers used to query for multiple detailed session reports, if specified.
    start_timestamp = arrayindex(regextract(msg_payload, "start_timestamp\=(\S[^;]+)"), 0), // The exact timestamp of the first date to be included in the report, if any date filters were used.
    end_timestamp = arrayindex(regextract(msg_payload, "end_timestamp\=(\S[^;]+)"), 0), // The exact timestamp of the last date to be included in the report, if date filters were specified.
    private_ip = arrayindex(regextract(msg_payload, "private_ip\=(\S[^;]+)"), 0), // The private IP address filter used in the query, if specified.
    public_ip = arrayindex(regextract(msg_payload, "public_ip\=(\S[^;]+)"), 0), // The public IP address filter used in the query, if specified.
    rep_id = arrayindex(regextract(msg_payload, "rep_id\=([^;]+)"), 0), // The user filter value, if specified. The value is either a unique user identifier, the string any, or the string none.
    rep_name = arrayindex(regextract(msg_payload, "rep_name\=(\S[^;]+)"), 0) // The display name of the representative specified by rep_id, when applicable.
| alter 
    private_ipv4 = if(private_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", private_ip),
    private_ipv6 = if(private_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", private_ip),
    public_ipv4 = if(public_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", public_ip),
    public_ipv6 = if(public_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", public_ip),
    start = to_integer(start_timestamp),
    end = to_integer(end_timestamp),
    filtered_user = coalesce(arrayindex(regextract(rep_id, "\(([^\)]+)"), 0), arrayindex(regextract(rep_name, "\(([^\)]+)"), 0))
| alter 
    xdm.event.duration = to_integer(multiply(subtract(end, start), 1000)),
    xdm.network.session_id = coalesce(lsids, lsid),
    xdm.target.host.hostname = computer_name, 
    xdm.target.ipv4 = coalesce(public_ipv4, private_ipv4),
    xdm.target.ipv6 = coalesce(public_ipv6, private_ipv6),
    xdm.target.host.ipv4_addresses = if(private_ipv4 != null and public_ipv4 != null, arrayconcat(arraycreate(private_ipv4), arraycreate(public_ipv4)), private_ipv4 != null, arraycreate(private_ipv4), public_ipv4 !=  null, arraycreate(public_ipv4)),
    xdm.target.host.ipv6_addresses = if(private_ipv6 != null and public_ipv6 != null, arrayconcat(arraycreate(private_ipv6), arraycreate(public_ipv6)), private_ipv6 != null, arraycreate(private_ipv6), public_ipv6 !=  null, arraycreate(public_ipv6)),
    xdm.target.resource.id = rep_id, 
    xdm.target.resource.name = rep_name,
    xdm.target.resource.type = if(rep_id != null, "rep id display name"), 
    xdm.target.user.username = filtered_user; 

/* Shared Jump Group Events: 
    These mappings apply to the following events: shared_jump_group_added, shared_jump_group_changed & shared_jump_group_removed. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/shared-jump-group-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("shared_jump_group_added", "shared_jump_group_changed", "shared_jump_group_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    jump_group_code_name = arrayindex(regextract(msg_payload, "code_name\=([^;]+)"), 0), // The code name of this Jump Group.
    jump_group_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier of the Jump Group.
    jump_group_name = arrayindex(regextract(msg_payload, "name\=([^;]+)"), 0), // The name of the Jump Group.
    assigned_ecm_group = arrayindex(regextract(msg_payload, "ecm_group\=([^;]+)"), 0) // The ID of the ECM Group assigned to the group.
| alter
    xdm.target.user.groups = arrayconcat(arraycreate(jump_group_code_name), arraycreate(jump_group_id), arraycreate(jump_group_name), arraycreate(assigned_ecm_group));

/* SSH Account Events: 
    These mappings apply to the following events: ssh_account_added, ssh_account_changed, ssh_account_removed. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/ssh-account-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("ssh_account_added", "ssh_account_changed", "ssh_account_removed")
| call beyondtrust_pra_common_fields_modeling
| alter public_cert_signing_ca = arrayindex(regextract(_raw_log, "public_cert_signing_ca\=([^;]+)"), 0) // The public certificate signing ca.
| alter xdm.network.tls.client_certificate.issuer = public_cert_signing_ca;

/* Support Team Events: 
    These mappings apply to the following events: support_team_added, support_team_changed, support_team_removed, support_team_member_added, support_team_member_changed. */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("support_team_added", "support_team_changed", "support_team_removed", "support_team_member_added", "support_team_member_changed", "support_team_member_changed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // Support Team: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/support-team-fields.htm
    support_team_id1 = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier of the team.
    support_team_name1 = arrayindex(regextract(msg_payload, "name\=(\w[^;]+)"), 0) // The name of the team.
| alter // Support Team Member: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/support-team-member-fields.htm
    support_team_id2 = arrayindex(regextract(msg_payload, "team\:id\=(\w[^;]*)"), 0), //The unique identifier of the team to which this user belongs.
    support_team_name2 = arrayindex(regextract(msg_payload, "team\:name\=(\w[^;]+)"), 0), // The name of the team to which this user belongs.
    support_user_id = arrayindex(regextract(msg_payload, "user\:id\=(\w[^;]+)"), 0), // The unique identifier of the user being added to or removed from this team.
    support_user_name = arrayindex(regextract(msg_payload, "user\:name\=(\w[^;]+)"), 0) // The name of the user being added to or removed from this team.
| alter 
    support_team_id = coalesce(support_team_id1, support_team_id2),
    support_team_name = coalesce(support_team_name1, support_team_name2)
| alter
    xdm.target.user.username = support_user_name, 
    xdm.target.user.identifier = support_user_id, 
    xdm.target.user.groups = arrayconcat(arraycreate(support_team_id), arraycreate(support_team_name));

/* Windows Service Events: 
    These mappings apply to the following events: windows_service_removed, windows_service_changed. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/windows-service-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("windows_service_removed", "windows_service_changed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    account_id = arrayindex(regextract(msg_payload, "account_id\=([^;]+)"), 0), // The unique identifier of the account.
    service_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of the Windows service.
    service_display_name = arrayindex(regextract(msg_payload, "display_name\=(\S[^;]+)"), 0), // The display name of the Windows service.
    endpoint_id = arrayindex(regextract(msg_payload, "endpoint_id\=([^;]+)"), 0) //	The unique identifier of the endpoint.
| alter 
    xdm.target.host.device_id = endpoint_id,
    xdm.target.process.name = concat(service_name, "(", service_display_name, ")"),
    xdm.target.user.identifier = account_id;

/* /appliance & /login Local Users Events: 
    These mappings apply to the following events: user_added, user_changed, user_removed. 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/user-fields.htm 
    https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/user-fields-appliance.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("user_added", "user_changed", "user_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    is_account_disabled = arrayindex(regextract(msg_payload, "account\:disabled\=(0|1)"), 0), // 1: This local user account is disabled, 0: This local user account is active.
    is_mfa_required = arrayindex(regextract(msg_payload, "two_factor_auth\:required\=(0|1)"), 0), // 1: This user is required to use two-factor authentication. 0: This user is not required to use two-factor authentication.
    security_provider = arrayindex(regextract(msg_payload, "provider\:name\=([^;]*)"), 0), // The name of the security provider against which this user last authenticated.
    user_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier for this user.
    user_external_id = arrayindex(regextract(msg_payload, "external_id\=(\S[^;]+)"), 0), // An internal representation of a remote user's identifying information, such as an LDAP attribute, RADIUS username, or Kerberos principal name.
    username = arrayindex(regextract(msg_payload, "username\=([^;]+)"), 0), // The username the user last used to authenticate to BeyondTrust. Not necessarily unique.
    user_displayname = split(arrayindex(regextract(msg_payload, "displayname\=([^;]+)"), 0)) // The display name of this user.
| alter 
    xdm.auth.is_mfa_needed = if(is_mfa_required = "1", to_boolean("TRUE"), is_mfa_required = "0", to_boolean("FALSE")),
    xdm.auth.mfa.provider = security_provider,
    xdm.target.user.identifier = user_id,
    xdm.target.user.is_disabled = if(is_account_disabled = "1", to_boolean("TRUE"), is_account_disabled = "0", to_boolean("FALSE")),
    xdm.target.user.upn = user_external_id,
    xdm.target.user.first_name = arrayindex(user_displayname, 0),
    xdm.target.user.last_name = arrayindex(user_displayname, 1),
    xdm.target.user.username = username;

/* General Fallback Mapping: 
    This filter applies to all other events which weren't mapped explicitly by any other filter. */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type not in("login", "logout", "change_display_name", "change_password", "change_username", "account_added", "account_changed", "accounts_changed", "account_removed", "account_group_added", "account_group_changed", "account_group_removed", "account_user_added", "account_user_removed", "support_session_report_generated", "support_session_detail_generated", "support_session_summary_report_generated", "team_activity_report_generated", "custom_session_policy_added", "custom_session_policy_changed", "custom_session_policy_removed", "account_jump_item", "account_jump_item_association_removed", "api_account_added", "api_account_changed", "api_account_removed", "canned_script_category_added", "canned_script_category_removed", "canned_script_added", "canned_script_changed", "canned_script_removed", "canned_script_file_added", "canned_script_file_removed", "canned_script_team_added", "canned_script_team_removed", "canned_scripts_category_added", "canned_scripts_category_removed", "canned_scripts_file_added", "canned_scripts_file_removed", "certificate_export", "custom_session_attribute_added", "custom_session_attribute_changed", "custom_session_attribute_removed", "custom_special_action_added", "custom_special_action_changed", "custom_special_action_removed", "custom_rep_link_added", "custom_rep_link_changed", "custom_rep_link_removed", "windows_service_removed", "windows_service_changed", "vault_account_password_rotation", "user_session_policy_added", "user_session_policy_removed", "user_added", "user_changed", "user_removed", "support_team_added", "support_team_changed", "support_team_removed", "support_team_member_added", "support_team_member_changed", "support_team_member_changed", "ssh_account_added", "ssh_account_changed", "ssh_account_removed", "shared_jump_group_added", "shared_jump_group_changed", "shared_jump_group_removed", "endpoint_changed", "endpoint_removed", "jumpoint_user_added", "jumpoint_user_removed", "domain_added", "domain_changed", "domain_removed", "discovery_error_added", "discovery_error_changed", "discovery_error_removed", "ecm_group_added", "ecm_group_changed", "ecm_group_removed", "file_removed_from_file_store", "file_uploaded_to_file_store", "group_policy_add_to_jump_group_added", "group_policy_add_to_jump_group_removed", "group_policy_add_to_jumpoint_added", "group_policy_add_to_jumpoint_removed", "group_policy_add_to_support_teams_added", "group_policy_add_to_support_teams_removed", "group_policy_added", "group_policy_changed", "group_policy_removed", "group_policy_member_added", "group_policy_member_removed", "group_policy_remove_from_jump_group_added", "group_policy_remove_from_jump_group_removed", "group_policy_remove_from_jumpoint_added", "group_policy_remove_from_jumpoint_removed", "group_policy_remove_from_support_teams_added", "group_policy_remove_from_support_teams_removed", "management_account_added", "management_account_changed", "management_account_removed", "pending_user_added", "pending_user_changed", "pending_user_removed", "network_address_added", "network_address_changed", "network_address_removed", "network_changed")
| call beyondtrust_pra_common_fields_modeling
| alter 
    policy_id = arrayindex(regextract(_raw_log, "policy_id\=(\w[^;]*)"), 0),
    target_user_id = arrayindex(regextract(_raw_log, "user\:id\=(\w[^;]*)"), 0),
    target_username = arrayindex(regextract(_raw_log, "user[_]*name\=([^;]+)"), 0),
    target_computer_name = arrayindex(regextract(_raw_log, "computer_name\=([^;]+)"), 0),
    target_resource_owner = arrayindex(regextract(_raw_log, "credential_owner_id\=([^;]+)"), 0),
    target_resource_id = arrayindex(regextract(_raw_log, "[\;\:]id\=(\w[^;]*)"), 0),
    target_resource_name = arrayindex(regextract(_raw_log, "[\:\;]name\=([^;]+)"), 0)
| alter 
    xdm.network.rule = policy_id,
    xdm.target.host.hostname = target_computer_name,
    xdm.target.resource.id = target_resource_id,
    xdm.target.resource.name = target_resource_name,
    xdm.target.resource.parent_id = target_resource_owner,
    xdm.target.user.identifier = target_user_id,
    xdm.target.user.username = target_username;

Schema

beyondtrust_pra_raw

Field Type Array?
_raw_log string
Raw JSON
{
    "beyondtrust_pra_raw": {
      "_raw_log": {
        "type": "string",
        "is_array": false
      }
    }
  }