BeyondTrust Remote Support Modeling Rule

Modeling Rule

Beyond Trust Remote Support

Details

IDBeyondTrust_Remote_Support_ModelingRule
From Version8.4.0
TagsBeyondTrust

Rules (XIF)

[RULE: beyondtrust_rs_common_fields_modeling]
/* BeyondTrust RS (Remote Support) Generic Base Modeling. 
    The mappings in this rule apply to all BeyondTrust RS event types.
    Message format documented at: 
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/message-format.htm
*/
alter  // extract message header fields 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\s*\w+"), 0)), 
    syslog_hostname = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\s*\w+\s+\S+\s+(\S+)"), 0),
    meta_sequence_id = arrayindex(regextract(_raw_log, "sequenceId=\"(\d+)"), 0), 
    site_id = arrayindex(regextract(_raw_log, "(\d+)\:\d+\:\d+\:"), 0),
    msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // extract message payload fields 
    pool_type = arrayindex(regextract(msg_payload, "license_type\=(\w[^;]+)"), 0), //the type of license in this pool - for license pool events
    event_type = arrayindex(regextract(msg_payload, "event\=([^;]+)"), 0), // The name of the event that occurred.
    site = arrayindex(regextract(msg_payload, "site\=(\S[^;]+)"), 0), // The hostname for which the BeyondTrust software was built.
    syslog_facility = floor(divide(syslog_priority, 8)), 
    who = arrayindex(regextract(msg_payload, "who\=(\S[^;]+)"), 0), // The username associated with this event.
    who_ip = arrayindex(regextract(msg_payload, "who_ip\=([^;]+)"), 0) // The IP address of the system that caused the event.
| alter // old/new nomenclature fields extractions: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/oldnew-nomenclature.htm
    properties_old_state = arraystring(regextract(msg_payload, "[^\=]*(old_\S[^;]+)"), ";"), // snapshot of current resource state before change
    properties_new_state = arraystring(regextract(msg_payload, "[^\=]*(new_\S[^;]+)"), ";") // current state of modified resource properties 
| alter // additional proccessing 
    authentication_method = arrayindex(regextract(who, "\susing\s+(\S+)"), 0),
    event_description = if(event_type="access_sponsor_group_added","A new access sponsor group has been defined and saved.",event_type="access_sponsor_group_changed","An existing access sponsor group’s name or description has been changed, and the change has been saved.",event_type="access_sponsor_group_member_added","A new member has been added to an access sponsor group, and the group has been saved.",event_type="access_sponsor_group_member_changed","An existing member has been assigned to a different role in an access sponsor group, and the group has been saved.",event_type="access_sponsor_group_member_removed","An existing member has been deleted from an access sponsor group, and the group has been saved.",event_type="access_sponsor_group_removed","An existing access sponsor group has been deleted.",event_type="account_added","A new account has been added and saved.",event_type="account_changed","An existing account has been modified and saved.",event_type="account_group_added","A new account group has been added and saved.",event_type="account_group_changed","An existing account group has been modified and saved.",event_type="account_group_removed","An existing account group has been deleted.",event_type="account_jump_item_association_added","An association with a Jump Item was added for the account.",event_type="account_jump_item_association_changed","An association with a Jump Item was changed for the account.",event_type="account_jump_item_direct_association_added","The account is allowed to be injected for the specific Jump Items.",event_type="account_jump_item_direct_association_removed","The account is removed from the allowed list to be injected for the specific Jump Items.",event_type="account_removed","An existing account has been deleted.",event_type="accounts_changed","A group of one or more accounts was modified.",event_type="admin_password_reset_to_factory_default","The Reset Admin Account button has been clicked, reverting a site’s administrative account to its default credentials.",event_type="api_account_added","A new API account has been added and saved.",event_type="api_account_changed","An existing API account has been modified and saved.",event_type="api_account_removed","An existing API account has been deleted.",event_type="backup_created","A backup of the current software configuration has been saved.",event_type="canned_message_added","A new canned message has been added and saved.",event_type="canned_message_category_added","A new canned message category has been added and saved.",event_type="canned_message_category_removed","An existing canned message category has been deleted.",event_type="canned_message_cateogry_changed","An existing canned message category has been modified and saved.",event_type="canned_message_changed","An existing canned message has been modified and saved.",event_type="canned_message_removed","An existing canned message has been deleted.",event_type="canned_message_team_added","A canned message has been newly assigned to a team, and the message has been saved.",event_type="canned_message_team_changed","A canned message has been edited, and this team has neither been added nor removed.",event_type="canned_message_team_removed","A previously assigned canned message has been unassigned from a team, and the message has been saved.",event_type="canned_script_added","A new canned script has been added and saved.",event_type="canned_script_category_added","A canned script has been newly assigned to a category, and the script has been saved.",event_type="canned_script_category_removed","A previously assigned canned message has been unassigned from a category, and the script has been saved.",event_type="canned_script_changed","An existing canned script’s name, description, or command sequence has been changed, and the change has been saved.",event_type="canned_script_file_added","A resource file has been newly associated with a canned script, and the script has been saved.",event_type="canned_script_file_removed","A previously associated resource file has been removed from a canned script, and the script has been saved.",event_type="canned_script_removed","An existing canned script has been deleted.",event_type="canned_script_team_added","A support team has been newly assigned to a canned script, and the script has been saved.",event_type="canned_script_team_removed","A previously assigned support team has been unassigned from a canned script, and the script has been saved.",event_type="canned_scripts_category_added","A new canned scripts category has been created.",event_type="canned_scripts_category_removed","An existing canned scripts category has been deleted.",event_type="canned_scripts_file_added","A new canned script resource file has been uploaded.",event_type="canned_scripts_file_removed","An existing canned script resource file has been deleted.",event_type="certificate_export","An SSL certificate has been exported from the BeyondTrust Appliance B Series.",event_type="change_display_name","A user has attempted to change their display name.",event_type="change_password","A user has attempted to change their password.",event_type="change_username","A user has attempted to change their username.",event_type="cust_exit_survey_question_added","A new customer exit survey question has been added and saved.",event_type="cust_exit_survey_question_changed","An existing customer exit survey question has been edited and saved.",event_type="cust_exit_survey_question_option_added","A new option, such as a radio button, check box, or menu item, has been added to a customer exit survey question, and the question has been saved.",event_type="cust_exit_survey_question_option_changed","An existing option for a customer exit survey question, such as a radio button, check box, or menu item, has been edited, and the question has been saved.",event_type="cust_exit_survey_question_option_removed","An existing option for a customer exit survey question, such as a radio button, check box, or menu item, has been removed, and the question has been saved.",event_type="cust_exit_survey_question_removed","An existing customer exit survey question has been deleted.",event_type="custom_rep_link_added","A new custom link has been added and saved.",event_type="custom_rep_link_changed","An existing custom link has been edited and saved.",event_type="custom_rep_link_removed","An existing custom link has been deleted.",event_type="custom_session_attribute_added","A new custom field for API integration has been added and saved.",event_type="custom_session_attribute_changed","An existing custom field for API integration has been edited and saved.",event_type="custom_session_attribute_removed","An existing custom field for API integration has been removed.",event_type="custom_session_policy_added","Custom session permissions have been added to a user account, and the user account has been saved.",event_type="custom_session_policy_changed","Existing custom session permissions have been edited, and the user account has been saved.",event_type="custom_session_policy_removed","Existing custom session permissions have been removed from a user account, and the user account has been saved.",event_type="custom_special_action_added","A new custom special action has been added and saved.",event_type="custom_special_action_changed","An existing custom special action has been edited and saved.",event_type="custom_special_action_removed","An existing custom special action has been removed.",event_type="customer_notice_added","A new customer notice has been added and saved.",event_type="customer_notice_changed","An existing customer notice has been edited and saved.",event_type="customer_notice_public_site_added","A customer notice has been enabled for a public site, and the customer notice has been saved.",event_type="customer_notice_public_site_removed","A customer notice has been disabled for a public site, and the customer notice has been saved.",event_type="customer_notice_removed","An existing customer notice has been removed.",event_type="customizable_text_changed","An existing customer greeting, on-hold message, or login agreement has been changed.",event_type="default_site_changed","The default support site for this B Series Appliance has been changed to another site, and the change has been saved.",event_type="discovery_error_added","A new Discovery job error has been added.",event_type="discovery_error_changed","A new Discovery job error has been changed.",event_type="discovery_error_removed","A new Discovery job error has been removed.",event_type="domain_added","A new Vault domain has been added and saved.",event_type="domain_changed","An existing Vault domain has been modified and saved.",event_type="domain_removed","An existing Vault domain has been deleted.",event_type="downloaded_rep_client","A user has clicked the link to download the representative console.",event_type="endpoint_changed","An existing endpoint has been modified and saved.",event_type="endpoint_removed","An existing endpoint has been deleted.",event_type="eula_accepted","The BeyondTrust Cloud end-user license agreement (EULA) has been accepted by a user, and the username has been recorded.",event_type="fido2_credential_added","A new FIDO2 Autheticator has been added and saved.",event_type="fido2_credential_changed","An existing FIDO2 Autheticator has been modified and saved.",event_type="fido2_credential_removed","An existing FIDO2 Autheticator has been deleted.",event_type="file_removed_from_file_store","A file has been deleted from the file store.",event_type="file_uploaded_to_file_store","A file has been added to the file store.",event_type="group_policy_added","A new group policy has been created and saved.",event_type="group_policy_changed","An existing group policy’s priority level has changed, and the change has been saved.",event_type="group_policy_member_added","A new member has been added to a group policy, and the policy has been saved.",event_type="group_policy_member_removed","An existing member has been removed from a group policy, and the policy has been saved.",event_type="group_policy_removed","An existing group policy has been deleted.",event_type="group_policy_setting_added","A group policy setting has been designated as defined in this policy, and the policy has been saved.",event_type="group_policy_setting_changed","An existing group policy setting or override status has been changed, and the policy has been saved.",event_type="group_policy_setting_removed","A group policy setting previously defined in this policy has been removed, and the policy has been saved.",event_type="ios_content_item_added","A new iOS configuration profile has been created and saved.",event_type="ios_content_item_changed","An existing iOS configuration profile has had a new file uploaded or has had its public availability changed, and the profile has been saved.",event_type="ios_content_item_removed","An existing iOS configuration profile has been deleted.",event_type="jump_item_role_added","A new Jump Item Role has been created and saved.",event_type="jump_item_role_changed","An existing Jump Item Role has been modified and saved.",event_type="jump_item_role_removed","An existing Jump Item Role has been deleted.",event_type="jump_policy_added","A new Jump Policy has been created and saved.",event_type="jump_policy_changed","An existing Jump Policy has been modified and saved.",event_type="jump_policy_removed","An existing Jump Policy has been deleted.",event_type="jump_policy:schedule_entry_added","A new schedule entry has been added to a Jump Policy, and the policy has been saved.",event_type="jump_policy:schedule_entry_removed","An existing schedule entry has been removed from a Jump Policy, and the policy has been saved.",event_type="jumpoint_cluster_added","A new Jumpoint or Jumpoint cluster has been created and saved.",event_type="jumpoint_cluster_changed","An existing Jumpoint or Jumpoint cluster has been changed.",event_type="jumpoint_cluster_removed","An existing Jumpoint or Jumpoint cluster has been deleted.",event_type="jumpoint_user_added","A new member has been added to a Jumpoint, and the Jumpoint has been saved.",event_type="jumpoint_user_removed","An existing member has been removed from a Jumpoint, and the Jumpoint has been saved.",event_type="kerberos_keytab_added","A new Kerberos keytab has been uploaded.",event_type="kerberos_keytab_removed","An existing Kerberos keytab has been deleted.",event_type="license_pool_added","A new license pool has been created and saved.",event_type="license_pool_changed","An existing license pool has been changed, and the license pool has been saved.",event_type="license_pool_removed","An existing license pool has been deleted.",event_type="license_usage_report_generated","A report of peak license usage has been run.",event_type="login","A login attempt has been made.",event_type="login_schedule_entry_added","A new login schedule entry has been added to a user's, or group policy's login schedule, and the user account or group policy has been saved.",event_type="login_schedule_entry_removed","An existing login schedule entry has been removed from a user's, or group policy's login schedule, and the user or group policy has been saved.",event_type="logout","A user has logged out of the representative console, whether by deliberate action, by an administrator, or as the result of a lost connection to the BeyondTrust Appliance B Series.",event_type="management_account_added","A new management account has been added and saved.",event_type="management_account_changed","An existing management account has been modified and saved.",event_type="management_account_removed","An existing management account has been deleted.",event_type="msgraph_http_recipient_added","A new service principal has been added and saved.",event_type="msgraph_http_recipient_changed","An existing service principal has been modified and saved.",event_type="msgraph_http_recipient_removed","An existing service principal has been deleted.",event_type="network_address_added","A new IP address has been added and saved.",event_type="network_address_changed","An existing IP address has been modified and saved.",event_type="network_address_removed","An existing IP address has been deleted",event_type="network_changed","The global network configuration has been changed, and the change has been saved.",event_type="network_route_changed","A static route has been added, modified, or removed.",event_type="network_tunnel_jump_item_added","A network tunnel Jump Item has been added.",event_type="network_tunnel_jump_item_changed","A network tunnel Jump Item has been changed and saved.",event_type="network_tunnel_jump_item_removed","A network tunnel Jump Item has been removed.",event_type="outbound_event_email_recipient_added","A new email outbound event has been added and saved.",event_type="outbound_event_email_recipient_changed","An existing email outbound event has been modified and saved.",event_type="outbound_event_email_recipient_removed","An existing email outbound event has been deleted.",event_type="outbound_event_email_trigger_added","A new trigger has been added for an email outbound event, and the event has been saved.",event_type="outbound_event_email_trigger_removed","An existing trigger for an email outbound event has been removed, and the event has been saved.",event_type="outbound_event_http_recipient_added","A new HTTP outbound event has been added and saved.",event_type="outbound_event_http_recipient_changed","An existing HTTP outbound event has been modified and saved.",event_type="outbound_event_http_recipient_removed","An existing HTTP outbound event has been deleted.",event_type="outbound_event_http_trigger_added","A new trigger has been added for an HTTP outbound event, and the event has been saved.",event_type="outbound_event_http_trigger_removed","An existing trigger for an HTTP outbound event has been removed, and the event has been saved.",event_type="pdcust_banner_reverted_to_factory_default","The banner image for the presentation attendee client has been reverted to the default image.",event_type="pdcust_banner_uploaded","A new banner image for the presentation attendee client has been uploaded to the site.",event_type="presentation_session_detail_generated","A detailed report has been run for a presentation session.",event_type="presentation_session_report_generated","A report of presentation sessions has been run.",event_type="public_site_added","A new public site has been created and saved.",event_type="public_site_address_added","A hostname has been added to a public site, and the site has been saved.",event_type="public_site_address_removed","A hostname has been removed from a public site, and the site has been saved.",event_type="public_site_changed","An existing public site has been changed.",event_type="public_site_customer_banner_reverted_to_factory_default","The banner image for the customer client has been reverted to the default image.",event_type="public_site_customer_banner_uploaded","A new banner image for the customer client has been uploaded to the site.",event_type="public_site_exit_survey_added","A question has been added to a public site’s customer or representative survey, and the site has been saved.",event_type="public_site_exit_survey_removed","A question has been removed from a public site’s customer or representative survey, and the site has been saved.",event_type="public_site_removed","An existing public site has been deleted.",event_type="public_site_session_attribute_added","A public site session attribute has been added.",event_type="public_site_session_attribute_changed","A public site session attribute has been changed.",event_type="public_site_session_attribute_removed","A public site session attribute has been removed.",event_type="public_site_setting_added","A public site setting has been defined for the first time, and the site has been saved.",event_type="public_site_setting_changed","A public site setting has been modified, and the site has been saved.",event_type="public_site_team_added","A support team’s issues have been added to a public site’s front-end survey, and the site has been saved.",event_type="public_site_team_removed","A support team’s issues have been removed from a public site’s front-end survey, and the site has been saved.",event_type="public_site_template_asset_reverted","An HTML template asset file has been reverted to the default.",event_type="public_site_template_asset_uploaded","A new HTML asset file has been uploaded to the site.",event_type="public_template_deleted","An HTML template has been removed.",event_type="public_template_written","An HTML template has been modified and saved.",event_type="reboot","The BeyondTrust Appliance B Series has been rebooted.",event_type="remote_rfb_jump_item_added","A Remote RFB Jump Item has been added.",event_type="remote_rfb_jump_item_removed","A Remote RFB Jump Item has been removed.",event_type="rep_client_connection_terminated","An administrator has terminated a representative’s connection.",event_type="rep_console_setting_added","A managed representative console setting has been defined for the first time, and the settings have been saved.",event_type="rep_console_setting_changed","A managed representative console setting has been changed, and the settings have been saved.",event_type="rep_console_setting_removed","A managed representative console setting has been marked as undefined, and the settings have been saved.",event_type="rep_exit_survey_question_added","A new representative survey question has been added and saved.",event_type="rep_exit_survey_question_changed","A representative survey question has been edited and saved.",event_type="rep_exit_survey_question_option_added","A new option, such as a radio button, check box, or menu item, has been added to a representative survey question, and the question has been saved.",event_type="rep_exit_survey_question_option_changed","An existing option for a representative survey question, such as a radio button, check box, or menu item, has been edited, and the question has been saved.",event_type="rep_exit_survey_question_option_removed","An existing option, such as a radio button, check box, or menu item, has been removed from a representative survey question, and the question has been saved.",event_type="rep_exit_survey_question_removed","An existing representative survey question has been deleted.",event_type="rep_invite_added","A session policy has been made available for rep invites, and the session policy has been saved.",event_type="rep_invite_removed","A session policy has been made unavailable for rep invites and has been saved, or a session policy available for rep invites has been deleted.",event_type="repinvite_setting_added","A rep invite setting has been added because a session policy has been made available for rep invites, and the session policy has been saved.",event_type="repinvite_setting_removed","A rep invite setting has been removed either because a session policy has been made unavailable for rep invites and has been saved, or because a session policy available for rep invites has been deleted.",event_type="reporting_erasure","Session reports have had representative or customer data anonymized.",event_type="restored_from_backup","The software configuration has been successfully restored from its backup file.",event_type="restoring_from_backup","The software configuration is in the process of restoring from its backup file.",event_type="scheduled_discovery_job_added","The domain scheduled discovery has been added.",event_type="scheduled_discovery_job_changed","The domain scheduled discovery has been changed.",event_type="sdcust_exit_survey_report_generated","A report of customer exit survey results has been run.",event_type="sdrep_exit_survey_report_generated","A report of representative survey results has been run.",event_type="security_provider_added","A new security provider configuration has been added and saved.",event_type="security_provider_changed","An existing security provider configuration’s priority level has changed, and the change has been saved.",event_type="security_provider_removed","An existing security provider configuration has been deleted.",event_type="security_provider_setting_added","A security provider setting has been added as part of the initial configuration, and the configuration has been saved.",event_type="security_provider_setting_changed","An existing security provider configuration has been modified and saved.",event_type="security_provider_setting_removed","A security provider setting has been removed as part of the deletion of a security provider configuration.",event_type="server_software_restarted","The BeyondTrust software has been restarted.",event_type="session_policy_added","A new session policy has been added and saved.",event_type="session_policy_changed","An existing session policy has been modified and saved.",event_type="session_policy_removed","An existing session policy has been deleted.",event_type="setting_added","A setting has been defined and saved for the first time.",event_type="setting_changed","A setting has been modified and saved.",event_type="skill_added","A new skill has been added and saved.",event_type="skill_changed","An existing skill has been modified and saved.",event_type="skill_removed","An existing skill has been deleted.",event_type="SNMP_changed","The SNMPv2 Server has been changed.",event_type="ssh_account_added","An SSH account has been added.",event_type="ssh_account_changed","An SSH account has been modified and saved.",event_type="ssh_account_removed","An SSH account has been removed.",event_type="starting_support_tunnel","A support tunnel has been initiated from the BeyondTrust Appliance B Series.",event_type="support_button_profile_added","A new Support Button profile has been added and saved.",event_type="support_button_profile_changed","An existing Support Button profile has been changed and saved.",event_type="support_button_profile_icon_uploaded","A new icon has been uploaded to a Support Button profile.",event_type="support_button_profile_removed","An existing Support Button profile has been deleted.",event_type="support_issue_added","A new support issue has been added and saved.",event_type="support_issue_changed","An existing support issue has been modified and saved.",event_type="support_issue_removed","An existing support issue has been deleted.",event_type="support_issue_skill_added","A new skill has been assigned to a support issue, and the issue has been saved.",event_type="support_issue_skill_removed","An existing skill has been removed from a support issue, and the issue has been saved.",event_type="support_session_detail_generated","A detailed report has been run for a support session.",event_type="support_session_report_generated","A report of support sessions has been run.",event_type="support_session_summary_report_generated","A summary report of support sessions has been run.",event_type="support_team_added","A support team has been added.",event_type="support_team_changed","A support team has been changed.",event_type="support_team_issue_added","A support team has added an issue.",event_type="support_team_issue_removed","A support team has removed an issue.",event_type="support_team_jump_access_added","A team has been granted access to another team's Jump Clients, and the change has been saved.",event_type="support_team_jump_access_removed","A team's access to another team's Jump Clients has been removed, and the change has been saved.",event_type="support_team_member_added","A new member has been added to a team, and the team has been saved.",event_type="support_team_member_changed","An existing member has been assigned a different role in a team, and the team has been saved.",event_type="support_team_member_removed","An existing member has been deleted from a team, and the team has been saved.",event_type="support_team_removed","An existing support team has been deleted.",event_type="syslog_server_changed","The remote syslog server setting has been changed and saved.",event_type="team_activity_report_generated","A team activity report has been run.",event_type="user_account_report_generated","A user account report has been generated.",event_type="user_added","A new local user has been created and saved. Event fields differ between /login users and /appliance users.",event_type="user_changed","An existing local user has been modified and saved. Event fields differ between /login users and /appliance users.",event_type="user_removed","An existing local user has been deleted. Event fields differ between /login users and /appliance users.",event_type="user_session_policy_added","A session policy has been applied to a user account, and the user account has been saved.",event_type="user_session_policy_removed","A session policy has been removed from a user account, and the user account has been saved.",event_type="user_skill_added","A new skill has been assigned to a user, and the user account has been saved.",event_type="user_skill_removed","An existing skill has been removed from a user, and the user account has been saved.",event_type="vault_account_password_rotation","Vault account password has been rotated.",event_type),
    source_ipv4 = if(who_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", who_ip),
    source_ipv6 = if(who_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", who_ip),
    syslog_severity = to_string(subtract(syslog_priority, multiply(syslog_facility, 8))),
    user_name = arrayindex(regextract(who, "\(([^\)]+)"), 0),
    user_first_name = arrayindex(regextract(who, "((?:\S+\.\s+){0,1}\S+)"), 0),
    user_last_name = trim(arrayindex(regextract(who, "(?:\S+\.\s+){0,1}\S+\s(.+)\("), 0))
| alter // xdm mapping 
    xdm.alert.severity = syslog_severity,
    xdm.auth.auth_method = authentication_method, 
    xdm.auth.privilege_level = if(user_name = "admin", XDM_CONST.PRIVILEGE_LEVEL_ADMIN),
    xdm.source.user.first_name = user_first_name,
    xdm.source.user.last_name = user_last_name, 
    xdm.source.user.username = user_name, 
    xdm.event.id = meta_sequence_id,
    xdm.event.log_level = if(syslog_severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, syslog_severity = "1", XDM_CONST.LOG_LEVEL_ALERT, syslog_severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, syslog_severity = "3", XDM_CONST.LOG_LEVEL_ERROR, syslog_severity = "4", XDM_CONST.LOG_LEVEL_WARNING, syslog_severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, syslog_severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, syslog_severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, syslog_severity),
    xdm.event.original_event_type = event_type, 
    xdm.event.description = event_description,
    xdm.intermediate.host.hostname = site,
    xdm.observer.name = syslog_hostname, 
    xdm.observer.unique_identifier = site_id,
    xdm.session_context_id = meta_sequence_id,
    xdm.source.ipv4 = source_ipv4,
    xdm.source.ipv6 = source_ipv6,
    xdm.target.resource.value = if(pool_type ~= "\S", pool_type, properties_new_state), 
    xdm.target.resource_before.value = properties_old_state;

[MODEL: dataset = beyondtrust_remote_support_raw]
/* Event Specific Modeling. 
    The following mappings apply to specific event types, according to the conditional filters applied. 
    The various fields for each event are described at: 
   https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/events.htm
    Access Sponsor Group Events:
    These mapping apply to the following events: access_sponsor_group_added, access_sponsor_group_changed, access_sponsor_group_removed.
        https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/access-sponsor-group-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("access_sponsor_group_added", "access_sponsor_group_changed", "access_sponsor_group_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // access_sponsor_group
    sponsor_id = arrayindex(regextract(msg_payload,"id\=(\d+);"), 0),
    sponsor_group_name = arrayindex(regextract(msg_payload,"name\=([^;]+);"), 0)
| alter
    xdm.target.user.identifier = sponsor_id,
    xdm.target.user.groups = if(sponsor_group_name != null, arraycreate(sponsor_group_name));

/* Access Sponsor Group Member Events:
    These mapping apply to the following events: access_sponsor_group_member_added, access_sponsor_group_member_changed, access_sponsor_group_member_removed.
        https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/access-sponsor-group-member-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("access_sponsor_group_member_*")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // access_sponsor_group_member
    sponsor_id = arrayindex(regextract(msg_payload,"user:id\=(\d+);"),0),
    sponsor_group_name = arrayindex(regextract(msg_payload,"name\=([^;]+);"), 0),
    sponser_group_user = arrayindex(regextract(msg_payload, "username\=([^;]+);"), 0)
| alter
    xdm.target.user.identifier = sponsor_id,
    xdm.target.user.groups = if(sponsor_group_name != null, arraycreate(sponsor_group_name)),
    xdm.target.user.username = sponser_group_user;

/* Account Modification, Group Modification & Group Membership Events Fields:
    These mappings apply to the following event types: "account_added", "account_changed", "account_removed", "accounts_changed", "account_group_added", "account_group_changed", "account_group_removed", "accounts_changed" */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("account_added", "account_changed", "accounts_changed", "account_removed", "account_group_added", "account_group_changed", "account_group_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // Account Fields: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/account-fields.htm
    account_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of the account.
    account_username = arrayindex(regextract(msg_payload, "username\=(\S[^;]+)"), 0), // The username of the account.
    account_group_id1 = arrayindex(regextract(msg_payload, "group\=(\S[^;]+)"), 0) // The unique identifier of the account group.
| alter // Account Group Fields: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/account-group-fields.htm
    account_group_id2 = arrayindex(regextract(msg_payload, "id\=(\w[^;]+)"), 0), // The unique identifier of the account group.
    account_group_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0) // The name of the account group.
| alter // Account Group Membership Fields: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/account-group-membership-fields.htm
    accounts_id = arrayindex(regextract(msg_payload, "accounts_id\=(\S[^;]+)"), 0), // The unique identifier of the vault accounts.
    new_account_group_id = arrayindex(regextract(msg_payload, "new_group\=(\S[^;]+)"), 0) // The unique identifier of the target account group.
| alter target_group = coalesce(account_group_name, new_account_group_id, account_group_id1, account_group_id2)
| alter 
    xdm.target.resource.name = account_name, 
    xdm.target.resource.type = if(account_name != null, "account name"),
    xdm.target.user.identifier = accounts_id,
    xdm.target.user.username = coalesce(account_username, account_name),
    xdm.target.user.groups = if(target_group != null, arraycreate(target_group));

/* Account Jump Item Association Events: 
    These mappings apply to the following events: account_jump_item_association_added, account_jump_item_association_removed. 
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/account-jump-item-association.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("aaccount_jump_item_association_added", "account_jump_item_association_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // "account_jump_item_association"
    account_group_id = arrayindex(regextract(msg_payload, "account_group_id\=(\S[^;]+)"), 0), // The unique identifier of the account group.
    account_id = arrayindex(regextract(msg_payload, "account_id\=(\S[^;]+)"), 0), // The unique identifier of the account.
    jump_item_association_id = arrayindex(regextract(msg_payload, ";id\=(\w[^;]+)"), 0) // The unique identifier of the association.
| alter 
    xdm.target.user.groups = if(account_group_id != null, arraycreate(account_group_id)),
    xdm.target.user.identifier = account_id,
    xdm.target.resource.id = jump_item_association_id, 
    xdm.target.resource.type = if(jump_item_association_id != null, "jump item association");


/* API Account Events: 
    These mappings apply to the following events: api_account_added, api_account_changed, api_account_removed. 
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/api-account-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("api_account_added", "api_account_changed", "api_account_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    api_account_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of the API account.
    api_ip_addresses = arrayindex(regextract(msg_payload, "ip_addresses\=(\S[^;]+)"), 0), // Comma-delimited list of network address prefixes from which this account can authenticate.
    api_account_id = arrayindex(regextract(msg_payload, ";id\=(\w[^;]+)"), 0), // The unique identifier of the API account.
    is_enabled =  arrayindex(regextract(msg_payload, "enabled\=(0|1)"), 0)  // 1: This API account is enabled, 0: This API account is disable
| alter 
    is_api_account_disabled = if(is_enabled = "0", to_boolean("TRUE"), is_enabled = "1", to_boolean("FALSE")),
    permitted_ip_addresses = arraymap(regextract(api_ip_addresses, "([^,]+)"), trim("@element"))
| alter
    permitted_ipv4_addresses = arrayfilter(permitted_ip_addresses, "@element" ~= "\."),
    permitted_ipv6_addresses = arrayfilter(permitted_ip_addresses, "@element" ~= ":")
| alter
    xdm.target.host.ipv4_addresses = permitted_ipv4_addresses,
    xdm.target.host.ipv6_addresses = permitted_ipv6_addresses,
    xdm.target.subnet = api_ip_addresses,
    xdm.target.user.username = api_account_name, 
    xdm.target.user.identifier = api_account_id, 
    xdm.target.user.user_type = XDM_CONST.USER_TYPE_SERVICE_ACCOUNT, 
    xdm.target.user.is_disabled = is_api_account_disabled;

/* Canned Message Category Events:
    These mapping applay to the following events: canned_message_category_added, canned_message_category_changed, canned_message_category_removed, canned_message_added, canned_message_changed, canned_message_removed, canned_message_team_added, canned_message_team_changed, canned_message_team_removed.
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/canned-message-category-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/canned-message-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/canned-message-team-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("canned_message_*")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter //canned message category fields
    canned_id = arrayindex(regextract(msg_payload, ";id\=(\w[^;]*);"), 0), //unique identifier of this canned message category
    canned_category = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), //unique identifier of this canned message category
    canned_parent_id1 = arrayindex(regextract(msg_payload, "parent\:id\=(\w[^;]*);"), 0),
    canned_parent_id2 = arrayindex(regextract(msg_payload, "category\:id\=(\w[^;]*);"), 0),
    canned_message = arrayindex(regextract(msg_payload,"message\=(\w[^;]*);"), 0),
    canned_title = arrayindex(regextract(msg_payload,"title\=(\w[^;]*);"), 0)
| alter // canned message team fields
    canned_team_name = arrayindex(regextract(msg_payload,"team\:name\=(\w[^;]*);"), 0),
    canned_team_id = arrayindex(regextract(msg_payload,"team\:id\=(\w[^;]*);"), 0)
| alter
    xdm.target.resource.id = canned_id,
    xdm.target.resource.type = canned_category,
    xdm.target.resource.parent_id = coalesce(canned_parent_id1,canned_parent_id2),
    xdm.alert.description = canned_message,
    xdm.target.resource.name = canned_title,
    xdm.target.user.groups = if(canned_team_id != null or canned_team_name != null, arrayconcat(arraycreate(canned_team_id), arraycreate(canned_team_name)));


/* Canned Script Events: 
    These mappings apply to the following events: "canned_script_category_added", "canned_script_category_removed", "canned_script_added", "canned_script_changed", "canned_script_removed", "canned_script_file_added", "canned_script_file_removed", "canned_script_team_added", "canned_script_team_removed", "canned_scripts_category_added", "canned_scripts_category_removed", "canned_scripts_file_added", "canned_scripts_file_removed"
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/canned-script-category-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/canned-script-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/canned-script-file-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/canned-script-team-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/canned-scripts-category-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/canned-scripts-file-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("canned_script_*","canned_scripts_*")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    canned_script_id1 = arrayindex(regextract(msg_payload, "canned_script\:id\=(\S[^;]+)"), 0),
    canned_script_id2 = arrayindex(regextract(msg_payload, "id\=(\w[^;]*);"), 0),
    canned_script_name1 = arrayindex(regextract(msg_payload, "canned_script\:name\=(\S[^;]+)"), 0),
    canned_script_name2 = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0),
    canned_script_commands = arrayindex(regextract(msg_payload, "commands\=(\S.+?)\;\s*[\w\:]+\="), 0),
    canned_script_filename = arrayindex(regextract(msg_payload, "filename\=(\S[^;]+)"), 0),
    canned_script_team_id = arrayindex(regextract(msg_payload, "team\:id\=(\S[^;]+)"), 0),
    canned_script_team_name = arrayindex(regextract(msg_payload, "team\:name\=(\S[^;]+)"), 0),
    canned_script_category = arrayindex(regextract(msg_payload, "category\=(\S[^;]+)"), 0)
| alter 
    xdm.target.process.command_line = canned_script_commands,
    xdm.target.file.filename = canned_script_filename, 
    xdm.target.resource.id = coalesce(canned_script_id1, canned_script_id2),
    xdm.target.resource.name = coalesce(canned_script_name1, canned_script_name2),
    xdm.target.resource.type = canned_script_category,
    xdm.target.user.groups = if(canned_script_team_id != null or canned_script_team_name != null, arrayconcat(arraycreate(canned_script_team_id), arraycreate(canned_script_team_name)));

/* Certificate Export Event: 
    These mappings apply to the certificate_export event. 
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/certificate-export-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("certificate_export")
| call beyondtrust_rs_common_fields_modeling
| alter 
    certificate_friendly_name = arrayindex(regextract(_raw_log, "friendly_name\=(\S[^;]+)"), 0), // The friendly name of the certificate being exported.
    exported_with_private_key = arrayindex(regextract(_raw_log, "exported_with_private_key\=(0|1)"), 0) // 1: The private key is included in this export, 0: The private key is not included in this export.
| alter operation = if(exported_with_private_key = "0", "Certificate exported, private key was not included.", exported_with_private_key="1", "Certificate exported, private key was included.")
| alter 
    xdm.event.operation_sub_type = operation,
    xdm.target.resource.name = certificate_friendly_name, 
    xdm.target.resource.type = "certificate";

/* Custom Rep Link Events : 
    These mappings apply to the following events: custom_rep_link_added, custom_rep_link_changed, custom_rep_link_removed. 
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/custom_rep_link.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("custom_rep_link_added", "custom_rep_link_changed", "custom_rep_link_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    custom_link_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier of the custom link.
    custom_link_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of the custom link.
    custom_link_url = arrayindex(regextract(msg_payload, "url\=(\S[^;]+)"), 0) // The URL of the custom link.
| alter 
    xdm.target.resource.id = custom_link_id, 
    xdm.target.resource.name = custom_link_name,
    xdm.target.resource.type = if(custom_link_id != null, "custom link URL"),
    xdm.target.url = custom_link_url;

/* Custom Session Attribute Events: 
    These fields apply to the following events: custom_session_attribute_added, custom_session_attribute_changed, and custom_session_attribute_removed. 
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/custom-session-attribute-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("custom_session_attribute_added", "custom_session_attribute_changed", "custom_session_attribute_removed")
| call beyondtrust_rs_common_fields_modeling
| alter 
    custom_session_attribute_id = arrayindex(regextract(_raw_log, "id\=(\w[^;]+)"), 0),  // The unique identifier of the custom session attribute.
    custom_session_attribute_name = arrayindex(regextract(_raw_log, "display_name\=(\S[^;]+)"), 0) // The display name of the custom session attribute.
| alter 
    xdm.target.resource.id = custom_session_attribute_id, 
    xdm.target.resource.name = custom_session_attribute_name,
    xdm.target.resource.type = if(custom_session_attribute_id != null, "custom session attribute");


/* Custom Special Action Events:
    These mappings apply to the following events: custom_special_action_added, custom_special_action_changed, custom_special_action_removed. 
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/custom-special-action-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("custom_special_action_added", "custom_special_action_changed", "custom_special_action_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    custom_special_action_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier of this custom special action.
    custom_special_action_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of this custom special action.
    custom_special_action_command = arrayindex(regextract(msg_payload, "command\=(\S[^;]+)"), 0), // The full path of the application to run.
    custom_special_action_arguments = arrayindex(regextract(msg_payload, "arguments\=([^;]+)"), 0) // Command line arguments to apply the command.  
| alter 
    xdm.target.resource.id = custom_special_action_id, 
    xdm.target.resource.name = custom_special_action_name,
    xdm.target.resource.type = if(custom_special_action_id != null, "custom special action"), 
    xdm.target.process.command_line = concat(custom_special_action_command, " ", custom_special_action_arguments);

/*  Custom & User Session Policy Events: 
    These mappings apply to the following events: custom_session_policy_added, custom_session_policy_changed, custom_session_policy_removed, user_session_policy_added, user_session_policy_removed. 
    Custom session policy events also include the Support Permissions Fields. */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("custom_session_policy_added", "custom_session_policy_changed", "custom_session_policy_removed", "user_session_policy_added", "user_session_policy_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // custom sessions policy: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/custom-session-policy-fields.htm
    object_description = arrayindex(regextract(msg_payload, "description\=(\S[^;]+)"), 0), // The description of the object to which this custom session policy is applied in the form of object(type):name. The object may be one of users or policies. A users object is followed by @ and the ID of its security provider. The type is either attended or unattended. The name is the name of the object.
    custom_session_policy_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]+)"), 0),  // The unique identifier of this custom session policy.
    custom_session_policy_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of this custom session policy. This name is assigned by the B Series Appliance and cannot be modified.
    custom_session_policy_code_name = arrayindex(regextract(msg_payload, "code_name\=(\S[^;]+)"), 0) // The code name of this custom session policy.
| alter // user sessions policy: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/user-session-policy-fields.htm
    user_id = arrayindex(regextract(msg_payload, "user\:id\=([^;]+)"), 0), //The unique identifier of the user with whom the session policy is associated.
    user_name = arrayindex(regextract(msg_payload, "user\:username\=(\S[^;]+)"), 0), // The username of the user with whom the session policy is associated.
    user_session_policy_name = arrayindex(regextract(msg_payload, "session_policy\:name\=(\S[^;]+)"), 0) // The name of the session policy associated with this user.
| alter 
    user_object = arrayindex(regextract(object_description, "([^\@]+)\@"), 0)
| alter 
    xdm.network.rule = coalesce(custom_session_policy_code_name, user_session_policy_name),
    xdm.target.resource.id = custom_session_policy_id, 
    xdm.target.resource.name = custom_session_policy_name,
    xdm.target.resource.type = if(custom_session_policy_id != null, "custom session policy"),
    xdm.target.user.identifier = user_id,
    xdm.target.user.username = coalesce(user_object, user_name);

/* Customer Notice and Cutomer Notice Public Site Fields Events:
    These mapping applay to the following events: customer_notice_added, customer_notice_changed, customer_notice_removed, customer_notice_public_site_added, customer_notice_public_site_removed.
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/customer-notice-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/customer-notice-public-site-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("dcustomer_notice_added", "customer_notice_changed", "customer_notice_removed", "customer_notice_public_site_added", "customer_notice_public_site_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter //customer notice fields
    notice_id = arrayindex(regextract(msg_payload, "id\=(\S[^;]+)"), 0),
    notice_message = arrayindex(regextract(msg_payload, "message\=(\S[^;]+)"), 0), //Text message of the customer notice
    notice_name1 = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0) //Name of this customer notice
| alter // customer notice public site fields
    notice_name2 = arrayindex(regextract(msg_payload, "customer_notice\:name\=(\S[^;]+)"), 0), //Name of this customer notice
    site_name = arrayindex(regextract(msg_payload, "public_site\:name\=(\S[^;]+)"), 0)
| alter 
    xdm.target.resource.id = notice_id, 
    xdm.target.resource.type = if(notice_id != null, "customer notice"),
    xdm.target.resource.name = coalesce(notice_name2, notice_name1),
    xdm.target.interface = site_name,
    xdm.alert.description = notice_message;

/* Discovery Error Events : 
    These mappings apply to the following events: discovery_error_added, discovery_error_changed, discovery_error_removed. 
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/discovery-error-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("discovery_error_added", "discovery_error_changed", "discovery_error_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    system_name = arrayindex(regextract(msg_payload, "system_name\=(\w[^;]*)"), 0), // The hostname or computer name which this error belongs.
    discovery_job_id = arrayindex(regextract(msg_payload, "discovery_job_id\=(\S[^;]+)"), 0), // The unique identifier of the Discovery job to which this error belongs.
    error_type = arrayindex(regextract(msg_payload, "type\=(\d+)"), 0), // The type of error.
    user_error_description = arrayindex(regextract(msg_payload, "user_error\=(\S[^;]+)"), 0) // The error description.
| alter 
    xdm.alert.subcategory = to_string(error_type), 
    xdm.alert.description = user_error_description,
    xdm.target.host.hostname = system_name, 
    xdm.target.resource.id = discovery_job_id, 
    xdm.target.resource.type = if(discovery_job_id != null, "discovery job");

/* Endpoint Events: 
    These fields apply to the following event types: endpoint_changed, endpoint_removed.
    Full documentation: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/endpoint-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("endpoint_changed", "endpoint_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    endpoint_hostname = arrayindex(regextract(msg_payload, "hostname\=([^;]+)"), 0), // The hostname of the endpoint.
    endpoint_fqdn = arrayindex(regextract(msg_payload, "distinguished_name\=([^;]+)"), 0), // The distinguished name of the endpoint.
    endpoint_domain_id = arrayindex(regextract(msg_payload, "domain_id\=([^;]+)"), 0), // The unique identifier of the Domain to which this endpoint belongs.
    endpoint_unique_id = arrayindex(regextract(msg_payload, "unique_id\=([^;]+)"), 0), // The unique identifier of the endpoint.
    endpoint_name = arrayindex(regextract(msg_payload, "name\=([^;]+)"), 0), // The name of the endpoint.
    endpoint_is_domain_controller = arrayindex(regextract(msg_payload, "is_domain_controller\=(0|1)"), 0), //1: The endpoint is a domain controller. 0: The endpoint is not a domain controller.
    endpoint_os = arrayindex(regextract(msg_payload, "operating_system\=([^;]+)"), 0) // The operating system of the endpoint.
| alter os = lowercase(endpoint_os)
| alter 
    xdm.target.domain = endpoint_domain_id,
    xdm.target.host.hostname = endpoint_hostname, 
    xdm.target.host.fqdn = endpoint_fqdn, 
    xdm.target.host.device_id = endpoint_unique_id, 
    xdm.target.host.device_category = if(endpoint_is_domain_controller = "1", "Domain Controller"),
    xdm.target.host.os = endpoint_os,
    xdm.target.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA, to_string(endpoint_os)),
    xdm.target.resource.name = endpoint_name,
    xdm.target.resource.id = endpoint_unique_id,
    xdm.target.resource.type = if(endpoint_unique_id != null, "endpoint machine");

/* File Store Events : 
    These mappings apply to the following events: file_removed_from_file_store, file_uploaded_to_file_store. 
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/file-store-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("file_removed_from_file_store", "file_uploaded_to_file_store")
| call beyondtrust_rs_common_fields_modeling
| alter 
    file_name = arrayindex(regextract(_raw_log, "filename\=([^;]+)"), 0), // The name of the file being uploaded to or removed from the file store.
    file_size = arrayindex(regextract(_raw_log, "size\*?\=(\d+)"), 0) // The size in bytes of the file being uploaded to the file store.
| alter 
    xdm.target.file.filename = file_name, 
    xdm.target.file.size = to_integer(file_size);

/* Group Policy Events: 
    These mappings apply to the following events: 
        group_policy_added, group_policy_changed, group_policy_removed,group_policy_member_added, group_policy_member_removed, group_policy_setting_added, group_policy_setting_changed, group_policy_setting_removed.
            https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/group-policy-fields.htm
            https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/group-policy-member-fields.htm
            https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/group-policy-setting-fields.htm    
            */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("group_policy_added", "group_policy_changed", "group_policy_removed", "group_policy_member_added", "group_policy_member_removed", "group_policy_setting_added", "group_policy_setting_changed", "group_policy_setting_removed"
    , "group_policy_add_to_jump_group_removed", "group_policy_add_to_jumpoint_added", "group_policy_add_to_jumpoint_removed", "group_policy_add_to_support_teams_added", "group_policy_add_to_support_teams_removed", "group_policy_added", "group_policy_changed", "group_policy_removed", "group_policy_member_added", "group_policy_member_removed", "group_policy_remove_from_jump_group_added", "group_policy_remove_from_jump_group_removed", "group_policy_remove_from_jumpoint_added", "group_policy_remove_from_jumpoint_removed", "group_policy_remove_from_support_teams_added", "group_policy_remove_from_support_teams_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // Group Policy:
    group_policy_id1 = arrayindex(regextract(msg_payload, "group_policy\:id\=(\w[^;]*)"), 0), // The unique identifier of this group policy.
    is_account_disabled = arrayindex(regextract(msg_payload, "account\:disabled\=(0|1)"), 0), // 1: The accounts associated with this group policy are disabled. 0: The accounts associated with this group policy are active.
    is_login_code_enabled = arrayindex(regextract(msg_payload, "login_code\:enabled\=(0|1)"), 0), // 1: Users must enter an emailed login code to log in. 0: Users may log in without an emailed login code.
    group_policy_id2 = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier of this group policy.
    group_policy_name1 = arrayindex(regextract(msg_payload, "group_policy\:name\=([^;]+)"), 0), // The name of this group policy.
    group_policy_name2 = arrayindex(regextract(msg_payload, "name\=([^;]+)"), 0), // The name of this group policy.
    policy_id = arrayindex(regextract(msg_payload, "policy\:id\=([^;]+)"), 0), // The name of this group policy.
    policy_name = arrayindex(regextract(msg_payload, "policy\:name\=([^;]+)"), 0), // The name of the group policy for which this setting is configured.
    jumpoints = arrayindex(regextract(msg_payload, "jumpoints\=([^;]+)"), 0) //The group's Jumpoint access in the form of permission:id:name, where permission is one of added, removed, or unknown; id is the unique identifier of the Jumpoint; and name is the name of the Jumpoint.
| alter // Group Policy Member Fields:
    security_provider_id = arrayindex(regextract(msg_payload, "provider\:id\=([^;]*)"), 0), // The unique identifier of the security provider against which this member authenticates.
    security_provider_name = arrayindex(regextract(msg_payload, "provider\:name\=([^;]*)"), 0), // The name of the security provider against which this member authenticates.
    user_external_id = arrayindex(regextract(msg_payload, "user\:external_id\=(\w[^;]*)"), 0) // The unique identifier of this group policy member.
| alter // additional proccessing 
    group_policy_id = coalesce(group_policy_id1, group_policy_id2),
    group_policy_name = coalesce(group_policy_name1, group_policy_name2),
    groups_and_roles = arraycreate(jumpoints)
| alter
    policy = if(policy_id != null, concat(policy_id, "(", policy_name, ")")),
    group_policy = if(group_policy_id != null, concat(group_policy_id, "(", group_policy_name, ")")),
    security_provider = if(security_provider_id != null, concat(security_provider_id, "(", security_provider_name, ")"))
| alter 
    xdm.auth.mfa.provider = security_provider,
    xdm.auth.is_mfa_needed = if(is_login_code_enabled = "1", to_boolean("TRUE"), is_login_code_enabled = "0",  to_boolean("FALSE")),
    xdm.network.rule = coalesce(policy, group_policy),
    xdm.target.resource.id = coalesce(policy_id, group_policy_id),
    xdm.target.resource.name = coalesce(policy_name, group_policy_name),
    xdm.target.resource.type = if(policy_id != null, "group policy", group_policy_id != null, "group policy"),
    xdm.target.user.is_disabled = if(is_account_disabled = "1", to_boolean("TRUE"), is_account_disabled = "0",  to_boolean("FALSE")),
    xdm.target.user.identifier = user_external_id,
    xdm.target.user.groups = groups_and_roles;

/* iOS Content Item Events:
    These mapping applay to the followinf events: ios_content_item_added, ios_content_item_changed, ios_content_item_removed.
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/ios-content-item-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("jios_content_item_added", "ios_content_item_changed", "ios_content_item_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    profile_name =  arrayindex(regextract(msg_payload, "name\:\[languague\]\=(\S[^;]+)"), 0),
    profile_id = arrayindex(regextract(msg_payload, "id\=(\S[^;]+)"), 0),
    file_name = arrayindex(regextract(msg_payload, "file_name\=(\S[^;]+)"), 0)
| alter
    xdm.target.resource.name = profile_name,
    xdm.target.resource.id = profile_id,
    xdm.target.file.filename = file_name,
    xdm.target.resource.type = if(profile_id != null, "iOS configuration profile");

/* Jumpoint User & Domain Events : 
    These mappings apply to the following events: jumpoint_user_added, jumpoint_user_removed, domain_added, domain_changed, domain_removed  
    Docs: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/jumpoint-user-fields.htm 
          https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/domain-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("jumpoint_user_added", "jumpoint_user_removed", "domain_added", "domain_changed", "domain_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    jumppoint_id = arrayindex(regextract(msg_payload, "jumpoint\:id\=(\w[^;]*)"), 0), // The unique identifier of the Jumpoint to which this user/domain is being added or removed.
    jumppoint_name = arrayindex(regextract(msg_payload, "jumpoint\:name\=(\S[^;]+)"), 0), // The name of the Jumpoint to which this user is being added or removed.
    jumppoint_associated_user_id = arrayindex(regextract(msg_payload, "user\:id\=(\S[^;]*)"), 0), // The unique identifier of the user being added or removed. 
    jumppoint_associated_username = arrayindex(regextract(msg_payload, "user\:username\=(\S[^;]+)"), 0), // The name of the user being added or removed.
    jumppoint_associated_vault_domain_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0) // The name of the vault account domain added, changed or remvoed.
| alter 
    xdm.target.domain = jumppoint_associated_vault_domain_name,
    xdm.target.resource.id = jumppoint_id, 
    xdm.target.resource.name = jumppoint_name,
    xdm.target.resource.type = if(jumppoint_id != null, "jumppoint"),
    xdm.target.user.identifier = jumppoint_associated_user_id,
    xdm.target.user.username = jumppoint_associated_username;

/* Login, Logout, User Properties Modifications, & Vacult Account rotation Events:
    These mappings appliy to the following event types: "login", "logout", "change_display_name", "change_password", "change_username", "vault_account_password_rotation". 
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/login-fields.htm    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/change-display-name.htm 
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/change-password-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/change-username-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/vault-account-password-rotation-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("login", "logout", "change_display_name", "change_password", "change_username", "vault_account_password_rotation")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    reason = arrayindex(regextract(msg_payload, "reason\=(\S[^;]+)"), 0), // Indicates the reason for failure / action
    status = arrayindex(regextract(msg_payload, "status\=(\S[^;]+)"), 0), // Whether the login/change/rotation attempt succeeded or failed.
    target_interface = arrayindex(regextract(msg_payload, "target\=(\S[^;]+)"), 0), // The authentication area from which the activity change attempt was made (web/api, web/appliance, web/login)
    vault_rotated_account = arrayindex(regextract(msg_payload, "account\=(\S[^;]+)"), 0) // The account username rotated.
| alter
    xdm.source.user.is_disabled = if(reason ~= "account disabled|account expired", to_boolean("TRUE")),
    xdm.source.user.is_password_expired = if(reason ~= "change password", to_boolean("TRUE")),
    xdm.event.outcome = if(status = "success", XDM_CONST.OUTCOME_SUCCESS, status ~= "fail", XDM_CONST.OUTCOME_FAILED),
    xdm.event.outcome_reason = reason, 
    xdm.logon.type = target_interface,
    xdm.target.user.username = vault_rotated_account;

/* License Pool Events:
    These mapping applay to the following events: license_pool_added, license_pool_changed, license_pool_removed.
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/license-pool-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0) // Here is an error
| filter event_type in("license_pool_added", "license_pool_changed", "license_pool_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter
    pool_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0),
    pool_name = arrayindex(regextract(msg_payload, "name\=(\w[^;]+)"), 0)
| alter
    xdm.target.resource.id = pool_id,
    xdm.target.resource.name = pool_name,
    xdm.target.resource.type = if(pool_id != null, "license pool");

/*  Network Address Events:
    These mappings apply to the following events: network_address_added, network_address_changed, network_address_removed, network_changed.
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/network-address-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/network-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("network_address_added", "network_address_changed", "network_address_removed", "network_changed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // Network Address:
    interface = arrayindex(regextract(msg_payload, "interface=(\S[^;]+)"), 0), // The NIC to use as the interface.
    ip = arrayindex(regextract(msg_payload, ";ip\=([^;]+)"), 0), // The IP address of the interface.
    netmask = arrayindex(regextract(msg_payload, "netmask\=([^;]+)"), 0) // The netmask for this IP address.
| alter // Network Fields: 
    dns_server_ip_addresses = regextract(msg_payload, "dns\:\d=([^;]+)"), // The IP addresses of the DNS servers.
    gateway_interface = arrayindex(regextract(msg_payload, "gateway\:interface\=([^;]+)"), 0), // The interface to use as the default gateway.
    gateway_ip = arrayindex(regextract(msg_payload, "gateway\:ip\=([^;]+)"), 0), // The IP address of the default gateway.
    ntp_server_ip = arrayindex(regextract(msg_payload, "ntp_server\=([^;]+)"), 0), // The IP address of the  NTP server.
    hostname =  arrayindex(regextract(msg_payload, "hostname\=([^;]+)"), 0), // The hostname of the B Series Appliance.
    ssl_ciphers = arrayindex(regextract(msg_payload, "ssl\:ciphers\=([^;]+)"), 0) // The set of ciphersuites supported by the B Series Appliance for HTTPS/SSL traffic.
| alter 
    ip_addresses = arrayconcat(dns_server_ip_addresses, arraycreate(ip), arraycreate(gateway_ip), arraycreate(ntp_server_ip)),
    interface = coalesce(interface, gateway_interface),
    ip_address = coalesce(ip, gateway_ip)
| alter 
    ipv4_address = if(ip_address ~= "\.", ip_address),
    ipv6_address = if(ip_address ~= "\:", ip_address),
    ipv4_addresses = arrayfilter(ip_addresses, "@element" ~= "\."),
    ipv6_addresses = arrayfilter(ip_addresses, "@element" ~= "\:")
| alter 
    xdm.network.dhcp.dns_server = dns_server_ip_addresses,
    xdm.network.tls.cipher = ssl_ciphers,
    xdm.target.interface = interface,
    xdm.target.ipv4 = ipv4_address,
    xdm.target.ipv6 = ipv6_address,
    xdm.target.host.ipv4_addresses = ipv4_addresses,
    xdm.target.host.ipv6_addresses = ipv6_addresses,
    xdm.target.host.hostname = hostname,
    xdm.target.subnet = netmask;

/* Management Account Events: 
    These mappings apply to the following events: management_account_added, management_account_changed, management_account_removed. 
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/management-account-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("management_account_added", "management_account_changed", "management_account_removed")
| call beyondtrust_rs_common_fields_modeling
| alter 
    domain_account_id = arrayindex(regextract(_raw_log, "domain_account\:id\=(\S[^;]+)"), 0), // The unique identifier of the domain account.
    domain_id = arrayindex(regextract(_raw_log, "domain\:id\=(\w[^;]*)"), 0) // The unique identifier of the domain.
| alter 
    xdm.target.domain = domain_id,
    xdm.target.user.identifier = domain_account_id,
    xdm.target.resource.id = domain_id, 
    xdm.target.resource.type = if(domain_id != null, "domain");

/* Public Site related Events: 
    These fields applay to the following events: public_site_address_added, public_site_address_removed,
    public_site_customer_banner_reverted_to_factory_default, public_site_customer_banner_uploaded,
    public_site_added, public_site_changed, and public_site_removed, public_site_setting_added, public_site_setting_changed, public_site_team_added, public_site_team_removed, public_site_template_asset_uploaded, public_site_template_asset_reverted, public_site_template_asset_uploaded, public_template_deleted, public_template_written.
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/public-site-address-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/public-site-customer-banner-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/public-site-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/public-site-setting-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/public-site-team-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/public-site-template-asset-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/public-template-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("public_site_address_added", "public_site_address_removed", "public_site_customer_banner_reverted_to_factory_default", "public_site_customer_banner_uploaded", "public_site_setting_added", "public_site_setting_changed","public_site_team_added", "public_site_team_removed","public_site_template_asset_uploaded", "public_site_template_asset_reverted", "public_site_template_asset_uploaded", "public_template_deleted", "public_template_written")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter //
    site_id = arrayindex(regextract(msg_payload, "site\:id\=(\w[^;]*)"), 0),
    site_name = arrayindex(regextract(msg_payload, "site\:name\=(\w[^;]+)"), 0),
    site_address = arrayindex(regextract(msg_payload, "address\=(\w[^;]+)"), 0)
| alter //Public Site Fields
    template_id1 =arrayindex(regextract(msg_payload, "template\:id\=(\w[^;]*)"), 0),
    template_name = arrayindex(regextract(msg_payload, "template\:name\=(\w[^;]+)"), 0)
| alter //Public Site Setting fields
    email_sender = arrayindex(regextract(msg_payload, "support\:invite\:email\:from_address\=(\w[^;]+)"), 0),
    url = arrayindex(regextract(msg_payload, "support\:landing_page\:chat\:download\=(\w[^;]+)"), 0)
| alter //Public Site Team fields
    team_name = arrayindex(regextract(msg_payload, "team\:name\=(\w[^;]+)"), 0)
| alter //public site template asset
    asset_id = arrayindex(regextract(msg_payload, "asset\:id\=(\w[^;]*)"), 0),
    template_id2 = arrayindex(regextract(msg_payload, "template\:name\=(\w[^;]+)"), 0)

| alter
    xdm.target.resource.id = coalesce(site_id, asset_id),
    xdm.target.resource.name = site_name,
    xdm.target.resource.type = if(site_id != null, "Public site"),
    xdm.target.url = coalesce(url,site_address),
    xdm.target.process.name = coalesce(template_name,template_id2),
    xdm.target.process.identifier = coalesce(asset_id, template_id1),
    xdm.email.sender = if(email_sender != null, email_sender),
    xdm.target.user.groups = if(team_name != null, arraycreate(team_name));

/* Report Events: 
    These fields apply to the following event types: 
    license_usage_report_generated, presentation_session_report_generated, presentation_session_detail_generated, sdcust_exit_survey_report_generated, sdrep_exit_survey_report_generated, support_session_report_generated, support_session_detail_generated, support_session_summary_report_generated, and team_activity_report_generated events. 
    Full documentation: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/report-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("license_usage_report_generated", "presentation_session_report_generated", "presentation_session_detail_generated", "sdcust_exit_survey_report_generated", "sdrep_exit_survey_report_generated","support_session_report_generated", "support_session_detail_generated", "support_session_summary_report_generated", "team_activity_report_generated")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    computer_name = arrayindex(regextract(msg_payload, "computer_name\=(\S[^;]+)"), 0), // The computer name filter used in the query, if specified.
    lsid = arrayindex(regextract(msg_payload, "lsid\=(\S[^;]+)"), 0), // The unique session identifier used to query for a detailed session report, if specified.
    lsids = arrayindex(regextract(msg_payload, "lsids\=(\S[^;]+)"), 0), // A comma-separated list of unique session identifiers used to query for multiple detailed session reports, if specified.
    start_timestamp = arrayindex(regextract(msg_payload, "start_timestamp\=(\S[^;]+)"), 0), // The exact timestamp of the first date to be included in the report, if any date filters were used.
    end_timestamp = arrayindex(regextract(msg_payload, "end_timestamp\=(\S[^;]+)"), 0), // The exact timestamp of the last date to be included in the report, if date filters were specified.
    private_ip = arrayindex(regextract(msg_payload, "private_ip\=(\S[^;]+)"), 0), // The private IP address filter used in the query, if specified.
    public_ip = arrayindex(regextract(msg_payload, "public_ip\=(\S[^;]+)"), 0), // The public IP address filter used in the query, if specified.
    rep_id = arrayindex(regextract(msg_payload, "rep_id\=([^;]+)"), 0), // The user filter value, if specified. The value is either a unique user identifier, the string any, or the string none.
    rep_name = arrayindex(regextract(msg_payload, "rep_name\=(\S[^;]+)"), 0) // The display name of the representative specified by rep_id, when applicable.
| alter 
    private_ipv4 = if(private_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", private_ip),
    private_ipv6 = if(private_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", private_ip),
    public_ipv4 = if(public_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", public_ip),
    public_ipv6 = if(public_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", public_ip),
    start = to_integer(start_timestamp),
    end = to_integer(end_timestamp),
    filtered_user = coalesce(arrayindex(regextract(rep_id, "\(([^\)]+)"), 0), arrayindex(regextract(rep_name, "\(([^\)]+)"), 0))
| alter 
    xdm.event.duration = to_integer(multiply(subtract(end, start), 1000)),
    xdm.network.session_id = coalesce(lsids, lsid),
    xdm.target.host.hostname = computer_name, 
    xdm.target.ipv4 = coalesce(public_ipv4, private_ipv4),
    xdm.target.ipv6 = coalesce(public_ipv6, private_ipv6),
    xdm.target.host.ipv4_addresses = if(private_ipv4 != null and public_ipv4 != null, arrayconcat(arraycreate(private_ipv4), arraycreate(public_ipv4)), private_ipv4 != null, arraycreate(private_ipv4), public_ipv4 !=  null, arraycreate(public_ipv4)),
    xdm.target.host.ipv6_addresses = if(private_ipv6 != null and public_ipv6 != null, arrayconcat(arraycreate(private_ipv6), arraycreate(public_ipv6)), private_ipv6 != null, arraycreate(private_ipv6), public_ipv6 !=  null, arraycreate(public_ipv6)),
    xdm.target.resource.id = rep_id, 
    xdm.target.resource.name = rep_name,
    xdm.target.resource.type = if(rep_id != null, "rep id display name"), 
    xdm.target.user.username = filtered_user; 

/* SSH Account Events: 
    These mappings apply to the following events: ssh_account_added, ssh_account_changed, ssh_account_removed. 
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/ssh-account-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("ssh_account_added", "ssh_account_changed", "ssh_account_removed")
| call beyondtrust_rs_common_fields_modeling
| alter public_cert_signing_ca = arrayindex(regextract(_raw_log, "public_cert_signing_ca\=([^;]+)"), 0) // The public certificate signing ca.
| alter xdm.network.tls.client_certificate.issuer = public_cert_signing_ca;

/* Support Team Events: 
    These mappings apply to the following events: support_team_added, support_team_changed, support_team_removed, support_team_member_added, support_team_member_changed. */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("support_team_added", "support_team_changed", "support_team_removed", "support_team_member_added", "support_team_member_changed", "support_team_member_changed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // Support Team: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/support-team-fields.htm
    support_team_id1 = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier of the team.
    support_team_name1 = arrayindex(regextract(msg_payload, "name\=(\w[^;]+)"), 0) // The name of the team.
| alter // Support Team Member: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/support-team-member-fields.htm 
    support_team_id2 = arrayindex(regextract(msg_payload, "team\:id\=(\w[^;]*)"), 0), //The unique identifier of the team to which this user belongs.
    support_team_name2 = arrayindex(regextract(msg_payload, "team\:name\=(\w[^;]+)"), 0), // The name of the team to which this user belongs.
    support_user_id = arrayindex(regextract(msg_payload, "user\:id\=(\w[^;]+)"), 0), // The unique identifier of the user being added to or removed from this team.
    support_user_name = arrayindex(regextract(msg_payload, "user\:name\=(\w[^;]+)"), 0) // The name of the user being added to or removed from this team.
| alter 
    support_team_id = coalesce(support_team_id1, support_team_id2),
    support_team_name = coalesce(support_team_name1, support_team_name2)
| alter
    xdm.target.user.username = support_user_name, 
    xdm.target.user.identifier = support_user_id, 
    xdm.target.user.groups = arrayconcat(arraycreate(support_team_id), arraycreate(support_team_name));

/* Support Issue, Support Team Issue, Support Team Jump Access Events:
    These mapping apply to the following events: support_issue_added, support_issue_changed, support_issue_removed, support_issue_skill_added, support_issue_skill_removed, support_team_issue_added, support_team_issue_removed,
    support_team_jump_access_added, support_team_jump_access_removed.
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/support-issue-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/support-team-issue-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/support-team-jump-access-fields.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("support_issue_added", "support_issue_changed", "support_issue_removed", "support_issue_skill_added", "support_issue_skill_removed","support_team_issue_added", "support_team_issue_removed","support_team_jump_access_added", "support_team_jump_access_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter //Support Issue & Support team issue events
    issue_id = arrayindex(regextract(msg_payload,"id\=(\d+);"),0),
    team_name = arrayindex(regextract(msg_payload,"team\:name\=([^;]+);"), 0),
    team_id = arrayindex(regextract(msg_payload,"team\:id\=(\d+);"),0),
    issue_code_name = arrayindex(regextract(msg_payload,"code_name\=([^;]+);"), 0),
    issue_description = arrayindex(regextract(msg_payload,"issue_desc\=([^;]+);"), 0)
| alter //Support team jump access evetns: 
    jump_id = arrayindex(regextract(msg_payload,"team_with_access\:id\=(\d+);"),0),
    jump_name = arrayindex(regextract(msg_payload,"team_with_access\:name\=([^;]+);"), 0)
| alter
    xdm.target.resource.type = if(jump_id != null, "Support team jump access", issue_id != null, "Support issue"),
    xdm.target.resource.id = coalesce(jump_id, issue_id),
    xdm.target.resource.name = coalesce(jump_name,issue_code_name),
    xdm.alert.description = issue_description,
    xdm.target.user.groups = if(team_name != null,arrayconcat(arraycreate(team_name), arraycreate(team_id)));

/* /appliance & /login Local Users Events: 
    These mappings apply to the following events: user_added, user_changed, user_removed. 
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/user-fields.htm
    https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/fields/user-fields-appliance.htm */
alter  event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("user_added", "user_changed", "user_removed")
| call beyondtrust_rs_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter 
    is_account_disabled = arrayindex(regextract(msg_payload, "account\:disabled\=(0|1)"), 0), // 1: This local user account is disabled, 0: This local user account is active.
    is_mfa_required = arrayindex(regextract(msg_payload, "two_factor_auth\:required\=(0|1)"), 0), // 1: This user is required to use two-factor authentication. 0: This user is not required to use two-factor authentication.
    security_provider = arrayindex(regextract(msg_payload, "provider\:name\=([^;]*)"), 0), // The name of the security provider against which this user last authenticated.
    user_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier for this user.
    user_external_id = arrayindex(regextract(msg_payload, "external_id\=(\S[^;]+)"), 0), // An internal representation of a remote user's identifying information, such as an LDAP attribute, RADIUS username, or Kerberos principal name.
    username = arrayindex(regextract(msg_payload, "username\=([^;]+)"), 0), // The username the user last used to authenticate to BeyondTrust. Not necessarily unique.
    user_displayname = split(arrayindex(regextract(msg_payload, "displayname\=([^;]+)"), 0)), // The display name of this user.
    pool_id = arrayindex(regextract(msg_payload, "license_pool\:id\=(\w[^;]*)"), 0), //The name of the license pool to which the user belongs.
    pool_name = arrayindex(regextract(msg_payload, "license_pool\:name\=([^;]*)"), 0) //The name of the license pool to which the user belongs.
| alter 
    xdm.auth.is_mfa_needed = if(is_mfa_required = "1", to_boolean("TRUE"), is_mfa_required = "0", to_boolean("FALSE")),
    xdm.auth.mfa.provider = security_provider,
    xdm.target.user.identifier = user_id,
    xdm.target.user.is_disabled = if(is_account_disabled = "1", to_boolean("TRUE"), is_account_disabled = "0", to_boolean("FALSE")),
    xdm.target.user.upn = user_external_id,
    xdm.target.user.first_name = arrayindex(user_displayname, 0),
    xdm.target.user.last_name = arrayindex(user_displayname, 1),
    xdm.target.user.username = username,
    xdm.target.resource.id = pool_id,
    xdm.target.resource.name = pool_name;

/* General Fallback Mapping: 
    This filter applies to all other events which weren't mapped explicitly by any other filter. */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type not in("access_sponsor_group_added","access_sponsor_group_changed","access_sponsor_group_member_added","access_sponsor_group_member_changed","access_sponsor_group_member_removed","access_sponsor_group_removed","account_added","account_changed","account_group_added","account_group_changed","account_group_removed","account_jump_item_association_added","account_jump_item_association_changed","account_removed","accounts_changed","api_account_added","api_account_changed","api_account_removed","canned_message_added","canned_message_category_added","canned_message_category_removed","canned_message_cateogry_changed","canned_message_changed","canned_message_removed","canned_message_team_added","canned_message_team_changed","canned_message_team_removed","canned_script_added","canned_script_category_added","canned_script_category_removed","canned_script_changed","canned_script_file_added","canned_script_file_removed","canned_script_removed","canned_script_team_added","canned_script_team_removed","canned_scripts_category_added","canned_scripts_category_removed","canned_scripts_file_added","canned_scripts_file_removed","certificate_export","change_display_name","change_password","change_username","custom_rep_link_added","custom_rep_link_changed","custom_rep_link_removed","custom_session_attribute_added","custom_session_attribute_changed","custom_session_attribute_removed","custom_session_policy_added","custom_session_policy_changed","custom_session_policy_removed","custom_special_action_added","custom_special_action_changed","custom_special_action_removed","customer_notice_added","customer_notice_changed","customer_notice_public_site_added","customer_notice_public_site_removed","customer_notice_removed","discovery_error_added","discovery_error_changed","discovery_error_removed","domain_added","domain_changed","domain_removed","endpoint_changed","endpoint_removed","file_removed_from_file_store","file_uploaded_to_file_store","group_policy_added","group_policy_changed","group_policy_member_added","group_policy_member_removed","group_policy_removed","group_policy_setting_added","group_policy_setting_changed","group_policy_setting_removed","ios_content_item_added","ios_content_item_changed","ios_content_item_removed","jumpoint_user_added","jumpoint_user_removed","license_pool_added","license_pool_changed","license_pool_removed","license_usage_report_generated","login","logout","management_account_added","management_account_changed","management_account_removed","network_address_added","network_address_changed","network_address_removed","network_changed","presentation_session_detail_generated","presentation_session_report_generated","public_site_added","public_site_address_added","public_site_address_removed","public_site_changed","public_site_customer_banner_reverted_to_factory_default","public_site_customer_banner_uploaded","public_site_removed","public_site_setting_added","public_site_setting_changed","public_site_team_added","public_site_team_removed","public_site_template_asset_reverted","public_site_template_asset_uploaded","public_template_deleted","public_template_written","sdcust_exit_survey_report_generated","sdrep_exit_survey_report_generated","ssh_account_added","ssh_account_changed","ssh_account_removed","support_issue_added","support_issue_changed","support_issue_removed","support_session_detail_generated","support_session_report_generated","support_session_summary_report_generated","support_team_added","support_team_changed","support_team_issue_added","support_team_issue_removed","support_team_jump_access_added","support_team_jump_access_removed","support_team_member_added","support_team_member_changed","support_team_member_removed","support_team_removed","team_activity_report_generated","user_added","user_changed","user_removed","user_session_policy_added","user_session_policy_removed","vault_account_password_rotation")
| call beyondtrust_rs_common_fields_modeling
| alter 
    policy_id = arrayindex(regextract(_raw_log, "policy_id\=(\w[^;]*)"), 0),
    target_user_id = arrayindex(regextract(_raw_log, "user\:id\=(\w[^;]*)"), 0),
    target_username = arrayindex(regextract(_raw_log, "user[_]*name\=([^;]+)"), 0),
    target_computer_name = arrayindex(regextract(_raw_log, "computer_name\=([^;]+)"), 0),
    target_resource_owner = arrayindex(regextract(_raw_log, "credential_owner_id\=([^;]+)"), 0),
    target_resource_id = arrayindex(regextract(_raw_log, "[\;\:]id\=(\w[^;]*)"), 0),
    target_resource_name = arrayindex(regextract(_raw_log, "[\:\;]name\=([^;]+)"), 0)
| alter 
    xdm.network.rule = policy_id,
    xdm.target.host.hostname = target_computer_name,
    xdm.target.resource.id = target_resource_id,
    xdm.target.resource.name = target_resource_name,
    xdm.target.resource.parent_id = target_resource_owner,
    xdm.target.user.identifier = target_user_id,
    xdm.target.user.username = target_username;

Schema

beyondtrust_remote_support_raw

Field Type Array?
_raw_log string
Raw JSON
{
    "beyondtrust_remote_support_raw": {
      "_raw_log": {
        "type": "string",
        "is_array": false
      }
    }
  }