Rules (XIF)
[MODEL: dataset = fortinet_fortimail_raw]
alter
forti_device_id = parsed_fields -> device_id,
event_type = parsed_fields -> type,
subtype_v2 = parsed_fields -> subtype,
url_v2 = parsed_fields -> url,
context_session_id = parsed_fields -> session_id,
hostname = parsed_fields -> client_name,
client_ip_v2 = parsed_fields -> client_ip,
client_cc = parsed_fields -> client_cc,
dst_ip_v2 = parsed_fields -> dst_ip,
from_v2 = parsed_fields -> from,
to_v2 = parsed_fields -> to,
domain_v2 = parsed_fields -> domain,
disposition_v2 = parsed_fields -> disposition,
classifier_v2 = parsed_fields -> classifier,
subject_v2 = parsed_fields -> subject,
message_id_v2 = parsed_fields -> message_id,
src_ip_v4 = if(Client_IP !~= ":", Client_IP, null),
src_ip_v6 = if(Client_IP ~= ":", Client_IP, null),
tar_ip_v4 = if(Destination_IP !~= ":", Destination_IP, null),
tar_ip_v6 = if(Destination_IP ~= ":", Destination_IP, null),
raw_message_v2 = arrayindex(regextract(_raw_log ,"\w+\=\d{4}\-\d{2}\-\d{2}\s\w+\=\d{2}\:\d{2}\:\d{2}\.\d+\s\w+\=[A-Za-z0-9]+\s(.*)"),0),
get_policy_global_access_control = arraystring(regextract(Policy_ID, "^([^\:]+)\:[^\:]+\:[^\:]+\:[^\:]+"), ""),
get_policy_ip_based = arraystring(regextract(Policy_ID, "^[^\:]+\:([^\:]+)\:[^\:]+\:[^\:]+"), ""),
get_policy_recipient_based = arraystring(regextract(Policy_ID, "^[^\:]+\:[^\:]+\:([^\:]+)\:[^\:]+"), ""),
get_spf_detail_protocol = if(message ~= "SPF\=SOFTFAIL\:", arraystring(regextract(message, "indicates\s+that\s+(\S+)"),""), null),
get_spf_detail_int_server = if(message ~= "SPF\=SOFTFAIL\:", arraystring(regextract(message, "indicates\s+that\s+\S+\s+\(([^\)]+)\)"),""), null),
get_spf_detail_domain = if(message ~= "SPF\=SOFTFAIL\:", arraystring(regextract(message, "may\s+not\s+be\s+permitted\s+to\s+send\s+email\s+for\s+(\S+)"),""), null),
get_dmarc_domain = if(message ~= "DMARC Check:", arraystring(regextract(message, "No\s+DMARC\s+record\s+found\s+for\s+(\S+)"),""), null),
get_webfilter_category = if(message ~= "FortiGuard\-WebFilter\s+identified\s+URL", uppercase(arraystring(regextract(message, "FortiGuard\-WebFilter\s+identified\s+URL\(category\:\s+([^\,]+)"),"")), null),
get_webfilter_url = if(message ~= "FortiGuard\-WebFilter\s+identified\s+URL", arraystring(regextract(message, "FortiGuard\-WebFilter\s+identified\s+URL\(category\:\s+[^\)]+\)\:\s+(\S+)"),""), null),
get_fortiisolator_origin_url = if(message ~= "FortiIsolator:", arraystring(regextract(message, "FortiIsolator:\s+Original\s+URL:\s+(\S+)"),""), null),
get_fortiisolator_written_url = if(message ~= "FortiIsolator:", arraystring(regextract(message, "Rewritten\s+URL:\s+(\S+)"),""), null),
get_filename_filename = if(message ~= "File\s+name:", arraystring(regextract(message, "File\s+name\:\s+([^\.]+\.[^\W]+)"),""), null),
get_filename_observers_actions = if(message ~= "File\s+name:", arraystring(regextract(message, "scanned\s+by\s+(.*)")," | "), null),
get_dkim_key_file = if(message ~= "DK\/DKIM", arraystring(regextract(message, "key\s+could\s+not\s+be\s+retrieved\s+from\s+\'([^\']+)"),""), null),
get_dkim_key_error = if(message ~= "DK\/DKIM", arraystring(regextract(message, "key\s+could\s+not\s+be\s+retrieved\s+from\s+\'[^\']+\'\s+(error.*)"),""), null),
get_dkim_key_des = if(message ~= "DK\/DKIM", arraystring(regextract(message, "(key\s+could\s+not\s+be\s+retrieved)\s+from\s+\'[^\']+\'\s+error.*"),""), null),
get_antispam_ip = if(message ~= "FortiGuard\-AntiSpam", arraystring(regextract(message, "identified\s+spam\s+IP:\s+([^\,]+)"),""), null),
get_antispam_score = if(message ~= "FortiGuard\-AntiSpam", arraystring(regextract(message, "score:\s+(\d+)"),""), null),
get_remove_url_name = if(message ~= "Remove\s+URL:", "Removed URL", null),
get_remove_url_value = if(message ~= "Remove\s+URL:", arraystring(regextract(message, "Remove\s+URL:\s+(\S+)"),""), null),
get_mailevent_from = if(message ~= "from=\<\S\>", arraystring(regextract(message, "from=\<([^\>]+)\>"),""), null),
get_mailevent_sender = if(message ~= "sender=\<\S\>", arraystring(regextract(message, "sender=\<([^\>]+)\>"),""), null),
get_mailevent_proto = arraystring(regextract(message, "proto=\<([^\>]+)\>"),""),
get_mailevent_daemon = arraystring(regextract(message, "daemon=([^\,]+)"),""),
get_mailevent_relay_name = arraystring(regextract(message, "relay=(\S+[a-zA-Z0-9])[\.\,\s]+"),""),
get_mailevent_relay_ip = arraystring(regextract(message, "relay=[^\s]+\s+\[([^\]]+)\]"),""),
get_mailevent_msgid = arraystring(regextract(message, "msgid=\<([^\<]+)\>"),""),
get_mailevent_to = arraystring(regextract(message, "\bto=([^,]+)"),""),
get_mailevent_reply = arraystring(regextract(message, "reply=([^\,]+)"),""),
get_mailevent_stat = arraystring(regextract(message, "stat=([^\,]+)"),""),
get_dstip = arraystring(regextract(message, "dstip\s*=\s*(\S+)"),""),
get_dstport = arraystring(regextract(message, "dstport\s*=\s*(\S+)"),""),
get_action = arraystring(regextract(message, "action\s*=\s*(\S+)"),""),
get_status = arraystring(regextract(message, "status\s*=\s*(\S+)"),""),
get_reason = arraystring(regextract(message, "reason\s*=\s*([\S\s]+)"),""),
get_gui_src_ip = arraystring(regextract(message, "\s+from\s+GUI\(([^\)]+)\)"),""),
get_gui_login_outcome = arraystring(regextract(message, "(\S+)\s+from\s+GUI\([^\)]+\)"),""),
get_gui_username = arraystring(regextract(message, "^User\s+(\S+).*\s+\S+\s+from\s+GUI\([^\)]+\)"),""),
get_accesslog_username = arraystring(regextract(message, "\S+\s+logs\s+accessed\s+\(user:\s+([^\,]+)\,"),""),
get_accesslog_ip = arraystring(regextract(message, "\S+\s+logs\s+accessed\s+\(user:\s+[^\,]+\,\s+from:\s+[^\(]+\(([^\)]+)"),"")
| alter
int_ip_v4 = if(get_spf_detail_int_server !~= ":", get_spf_detail_int_server, null),
int_ip_v6 = if(get_spf_detail_int_server ~= ":", get_spf_detail_int_server, null),
int_ip2_v4 = if(get_antispam_ip !~= ":", get_antispam_ip, null),
int_ip2_v6 = if(get_antispam_ip ~= ":", get_antispam_ip, null),
int_ip3_v4 = if(get_mailevent_relay_ip !~= ":", get_mailevent_relay_ip, null),
int_ip3_v6 = if(get_mailevent_relay_ip ~= ":", get_mailevent_relay_ip, null),
tar_ip2_v4 = if(get_dstip !~= ":", get_dstip, null),
tar_ip2_v6 = if(get_dstip ~= ":", get_dstip, null),
src_ip2_v4 = if(get_gui_src_ip !~= ":", get_gui_src_ip, null),
src_ip2_v6 = if(get_gui_src_ip ~= ":", get_gui_src_ip, null),
src_ip3_v4 = if(get_accesslog_ip !~= ":", get_accesslog_ip, null),
src_ip3_v6 = if(get_accesslog_ip ~= ":", get_accesslog_ip, null),
get_dkim_key_des = concat(get_dkim_key_des, ", ", get_dkim_key_error),
check_gui_login_outcome = if(get_gui_login_outcome ~= "success", "success", get_gui_login_outcome ~= "fail", "failed")
| alter
xdm.source.user.username = coalesce(get_gui_username, get_accesslog_username),
xdm.target.port = to_integer(get_dstport),
xdm.intermediate.host.hostname = get_mailevent_relay_name,
xdm.intermediate.application.name = get_mailevent_daemon,
xdm.alert.severity = get_antispam_score,
xdm.observer.action = coalesce(get_filename_observers_actions, get_remove_url_name),
xdm.target.file.filename = coalesce(get_filename_filename, get_dkim_key_file),
xdm.target.resource_before.type = if(get_fortiisolator_origin_url != null, "URL", null),
xdm.target.resource_before.value = get_fortiisolator_origin_url,
xdm.target.resource.type = if(get_fortiisolator_written_url != null, "URL", null),
xdm.target.resource.value = get_fortiisolator_written_url,
xdm.network.http.url = coalesce(get_webfilter_url, get_fortiisolator_written_url, get_remove_url_value,url_v2),
xdm.network.http.url_category = if(get_webfilter_category ~= "ABORTION", XDM_CONST.URL_CATEGORY_ABORTION, get_webfilter_category ~= "ABUSED_DRUGS", XDM_CONST.URL_CATEGORY_ABUSED_DRUGS, get_webfilter_category ~= "ADULT", XDM_CONST.URL_CATEGORY_ADULT, get_webfilter_category ~= "ALCOHOL_AND_TOBACCO", XDM_CONST.URL_CATEGORY_ALCOHOL_AND_TOBACCO, get_webfilter_category ~= "AUCTIONS", XDM_CONST.URL_CATEGORY_AUCTIONS, get_webfilter_category ~= "BUSINESS_AND_ECONOMY", XDM_CONST.URL_CATEGORY_BUSINESS_AND_ECONOMY, get_webfilter_category ~= "COMMAND_AND_CONTROL", XDM_CONST.URL_CATEGORY_COMMAND_AND_CONTROL, get_webfilter_category ~= "COMPUTER_AND_INTERNET_INFO", XDM_CONST.URL_CATEGORY_COMPUTER_AND_INTERNET_INFO, get_webfilter_category ~= "CONTENT_DELIVERY_NETWORKS", XDM_CONST.URL_CATEGORY_CONTENT_DELIVERY_NETWORKS, get_webfilter_category ~= "COPYRIGHT_INFRINGEMENT", XDM_CONST.URL_CATEGORY_COPYRIGHT_INFRINGEMENT, get_webfilter_category ~= "CRYPTOCURRENCY", XDM_CONST.URL_CATEGORY_CRYPTOCURRENCY, get_webfilter_category ~= "DATING", XDM_CONST.URL_CATEGORY_DATING, get_webfilter_category ~= "DYNAMIC_DNS", XDM_CONST.URL_CATEGORY_DYNAMIC_DNS, get_webfilter_category ~= "EDUCATIONAL_INSTITUTIONS", XDM_CONST.URL_CATEGORY_EDUCATIONAL_INSTITUTIONS, get_webfilter_category ~= "ENTERTAINMENT_AND_ARTS", XDM_CONST.URL_CATEGORY_ENTERTAINMENT_AND_ARTS, get_webfilter_category ~= "EXTREMISM", XDM_CONST.URL_CATEGORY_EXTREMISM, get_webfilter_category ~= "FINANCIAL_SERVICES", XDM_CONST.URL_CATEGORY_FINANCIAL_SERVICES, get_webfilter_category ~= "GAMBLING", XDM_CONST.URL_CATEGORY_GAMBLING, get_webfilter_category ~= "GAMES", XDM_CONST.URL_CATEGORY_GAMES, get_webfilter_category ~= "GOVERNMENT", XDM_CONST.URL_CATEGORY_GOVERNMENT, get_webfilter_category ~= "GRAYWARE", XDM_CONST.URL_CATEGORY_GRAYWARE, get_webfilter_category ~= "HACKING", XDM_CONST.URL_CATEGORY_HACKING, get_webfilter_category ~= "HEALTH_AND_MEDICINE", XDM_CONST.URL_CATEGORY_HEALTH_AND_MEDICINE, get_webfilter_category ~= "HOME_AND_GARDEN", XDM_CONST.URL_CATEGORY_HOME_AND_GARDEN, get_webfilter_category ~= "HUNTING_AND_FISHING", XDM_CONST.URL_CATEGORY_HUNTING_AND_FISHING, get_webfilter_category ~= "INSUFFICIENT_CONTENT", XDM_CONST.URL_CATEGORY_INSUFFICIENT_CONTENT, get_webfilter_category ~= "INTERNET_COMMUNICATIONS_AND_TELEPHONY", XDM_CONST.URL_CATEGORY_INTERNET_COMMUNICATIONS_AND_TELEPHONY, get_webfilter_category ~= "INTERNET_PORTALS", XDM_CONST.URL_CATEGORY_INTERNET_PORTALS, get_webfilter_category ~= "JOB_SEARCH", XDM_CONST.URL_CATEGORY_JOB_SEARCH, get_webfilter_category ~= "LEGAL", XDM_CONST.URL_CATEGORY_LEGAL, get_webfilter_category ~= "MALWARE", XDM_CONST.URL_CATEGORY_MALWARE, get_webfilter_category ~= "MILITARY", XDM_CONST.URL_CATEGORY_MILITARY, get_webfilter_category ~= "MOTOR_VEHICLES", XDM_CONST.URL_CATEGORY_MOTOR_VEHICLES, get_webfilter_category ~= "MUSIC", XDM_CONST.URL_CATEGORY_MUSIC, get_webfilter_category ~= "NEWLY_REGISTERED_DOMAIN", XDM_CONST.URL_CATEGORY_NEWLY_REGISTERED_DOMAIN, get_webfilter_category ~= "NEWS", XDM_CONST.URL_CATEGORY_NEWS, get_webfilter_category ~= "NOT_RESOLVED", XDM_CONST.URL_CATEGORY_NOT_RESOLVED, get_webfilter_category ~= "NUDITY", XDM_CONST.URL_CATEGORY_NUDITY, get_webfilter_category ~= "ONLINE_STORAGE_AND_BACKUP", XDM_CONST.URL_CATEGORY_ONLINE_STORAGE_AND_BACKUP, get_webfilter_category ~= "PARKED", XDM_CONST.URL_CATEGORY_PARKED, get_webfilter_category ~= "PEER_TO_PEER", XDM_CONST.URL_CATEGORY_PEER_TO_PEER, get_webfilter_category ~= "PERSONAL_SITES_AND_BLOGS", XDM_CONST.URL_CATEGORY_PERSONAL_SITES_AND_BLOGS, get_webfilter_category ~= "PHILOSOPHY_AND_POLITICAL_ADVOCACY", XDM_CONST.URL_CATEGORY_PHILOSOPHY_AND_POLITICAL_ADVOCACY, get_webfilter_category ~= "PHISHING", XDM_CONST.URL_CATEGORY_PHISHING, get_webfilter_category ~= "PRIVATE_IP_ADDRESSES", XDM_CONST.URL_CATEGORY_PRIVATE_IP_ADDRESSES, get_webfilter_category ~= "PROXY_AVOIDANCE_AND_ANONYMIZERS", XDM_CONST.URL_CATEGORY_PROXY_AVOIDANCE_AND_ANONYMIZERS, get_webfilter_category ~= "QUESTIONABLE", XDM_CONST.URL_CATEGORY_QUESTIONABLE, get_webfilter_category ~= "REAL_ESTATE", XDM_CONST.URL_CATEGORY_REAL_ESTATE, get_webfilter_category ~= "RECREATION_AND_HOBBIES", XDM_CONST.URL_CATEGORY_RECREATION_AND_HOBBIES, get_webfilter_category ~= "REFERENCE_AND_RESEARCH", XDM_CONST.URL_CATEGORY_REFERENCE_AND_RESEARCH, get_webfilter_category ~= "RELIGION", XDM_CONST.URL_CATEGORY_RELIGION, get_webfilter_category ~= "SEARCH_ENGINES", XDM_CONST.URL_CATEGORY_SEARCH_ENGINES, get_webfilter_category ~= "SEX_EDUCATION", XDM_CONST.URL_CATEGORY_SEX_EDUCATION, get_webfilter_category ~= "SHAREWARE_AND_FREEWARE", XDM_CONST.URL_CATEGORY_SHAREWARE_AND_FREEWARE, get_webfilter_category ~= "SHOPPING", XDM_CONST.URL_CATEGORY_SHOPPING, get_webfilter_category ~= "SOCIAL_NETWORKING", XDM_CONST.URL_CATEGORY_SOCIAL_NETWORKING, get_webfilter_category ~= "SOCIETY", XDM_CONST.URL_CATEGORY_SOCIETY, get_webfilter_category ~= "SPORTS", XDM_CONST.URL_CATEGORY_SPORTS, get_webfilter_category ~= "STOCK_ADVICE_AND_TOOLS", XDM_CONST.URL_CATEGORY_STOCK_ADVICE_AND_TOOLS, get_webfilter_category ~= "STREAMING_MEDIA", XDM_CONST.URL_CATEGORY_STREAMING_MEDIA, get_webfilter_category ~= "SWIMSUITS_AND_INTIMATE_APPAREL", XDM_CONST.URL_CATEGORY_SWIMSUITS_AND_INTIMATE_APPAREL, get_webfilter_category ~= "TRAINING_AND_TOOLS", XDM_CONST.URL_CATEGORY_TRAINING_AND_TOOLS, get_webfilter_category ~= "TRANSLATION", XDM_CONST.URL_CATEGORY_TRANSLATION, get_webfilter_category ~= "TRAVEL", XDM_CONST.URL_CATEGORY_TRAVEL, get_webfilter_category ~= "UNKNOWN", XDM_CONST.URL_CATEGORY_UNKNOWN, get_webfilter_category ~= "WEAPONS", XDM_CONST.URL_CATEGORY_WEAPONS, get_webfilter_category ~= "WEB_ADVERTISEMENTS", XDM_CONST.URL_CATEGORY_WEB_ADVERTISEMENTS, get_webfilter_category ~= "WEB_HOSTING", XDM_CONST.URL_CATEGORY_WEB_HOSTING, get_webfilter_category ~= "WEB_BASED_EMAIL", XDM_CONST.URL_CATEGORY_WEB_BASED_EMAIL, get_webfilter_category = null, null, to_string(get_webfilter_category)),
xdm.source.user.domain = coalesce(get_dmarc_domain, get_spf_detail_domain),
xdm.intermediate.ipv4 = coalesce(int_ip_v4, int_ip2_v4, int_ip3_v4),
xdm.intermediate.ipv6 = coalesce(int_ip_v6, int_ip2_v6, int_ip3_v6),
xdm.network.application_protocol = coalesce(get_spf_detail_protocol, get_mailevent_proto),
xdm.observer.type = coalesce(Classifier,classifier_v2),
xdm.event.outcome_reason = coalesce(Disposition, get_reason),
xdm.email.sender = coalesce(From, Header_From, get_mailevent_from, get_mailevent_sender,from_v2),
xdm.email.recipients = arraycreate(coalesce(To, get_mailevent_to,to_v2)),
xdm.email.subject = coalesce(Subject,subject_v2),
xdm.email.message_id = coalesce(Message_ID, get_mailevent_msgid,message_id_v2),
xdm.session_context_id = coalesce(Session_ID,context_session_id),
xdm.source.ipv4 = coalesce(src_ip_v4, src_ip2_v4, src_ip3_v4,client_ip_v2),
xdm.source.ipv6 = coalesce(src_ip_v6, src_ip2_v6, src_ip3_v6),
xdm.source.location.country = coalesce(Location,client_cc),
xdm.source.host.hostname = coalesce(Client_Name, Endpoint,hostname),
xdm.event.operation_sub_type = coalesce(Direction, get_mailevent_reply, get_action),
xdm.network.rule = to_string(object_create("GlobalAccessControl", get_policy_global_access_control, "IP_Based", get_policy_ip_based, "RecipientBased", get_policy_recipient_based)),
xdm.target.domain = coalesce(Domain,domain_v2),
xdm.target.ipv4 = coalesce(tar_ip_v4, tar_ip2_v4,dst_ip_v2),
xdm.target.ipv6 = coalesce(tar_ip_v6, tar_ip2_v6),
xdm.event.id = to_string(Log_ID),
xdm.event.description = coalesce(Message,raw_message_v2),
xdm.alert.description = coalesce(get_dkim_key_des, get_mailevent_stat),
xdm.event.type = coalesce(Subtype,subtype_v2),
xdm.source.host.device_id = forti_device_id,
xdm.event.original_event_type = if(Subtype ~= "admin|config|dns|ha|system|update", "kevent", Subtype ~= "imap|pop3|smtp|webmail", "event", Subtype ~= "infected|malware|file", "virus", Subtype ~= "default|admin|user", "spam", event_type),
xdm.event.outcome = if(check_gui_login_outcome = "failed", XDM_CONST.OUTCOME_FAILED, check_gui_login_outcome = "success", XDM_CONST.OUTCOME_SUCCESS, get_status = "failed", XDM_CONST.OUTCOME_FAILED, get_status = "success", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Undefined", XDM_CONST.OUTCOME_UNKNOWN, Disposition ~= "Reject", XDM_CONST.OUTCOME_FAILED, Disposition ~= "Block", XDM_CONST.OUTCOME_FAILED, Disposition ~= "[qQ]uarantine", XDM_CONST.OUTCOME_PARTIAL, Disposition ~= "Encrypt", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Accept", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Decrypt", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Alternate Host", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Add Header", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "BCC", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Modify Subject", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Archive", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Customized repackage", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Insert Disclaimer", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Repackage", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Notification", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Replace", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Sign", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Delay", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Defer", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Forward", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "HTML to Text", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Disclaimer Body", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Sanitize HTML", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Disclaimer Header", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Remove URLs", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Defer", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Deliver to Original Host", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Content Reconstruction", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "Treat as Spam", XDM_CONST.OUTCOME_SUCCESS, Disposition ~= "URL Click Protection", XDM_CONST.OUTCOME_SUCCESS,disposition_v2 ~= "Undefined", XDM_CONST.OUTCOME_UNKNOWN, disposition_v2 ~= "Reject", XDM_CONST.OUTCOME_FAILED, disposition_v2 ~= "Block", XDM_CONST.OUTCOME_FAILED, disposition_v2 ~= "[qQ]uarantine", XDM_CONST.OUTCOME_PARTIAL, disposition_v2 ~= "Encrypt", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Accept", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Decrypt", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Alternate Host", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Add Header", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "BCC", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Modify Subject", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Archive", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Customized repackage", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Insert Disclaimer", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Repackage", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Notification", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Replace", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Sign", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Delay", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Defer", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Forward", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "HTML to Text", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Disclaimer Body", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Sanitize HTML", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Disclaimer Header", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Remove URLs", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Defer", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Deliver to Original Host", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Content Reconstruction", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "Treat as Spam", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 ~= "URL Click Protection", XDM_CONST.OUTCOME_SUCCESS, disposition_v2 = null, null, to_string(coalesce(Disposition,disposition_v2))),
xdm.event.log_level = if(Level ~= "emerg", XDM_CONST.LOG_LEVEL_EMERGENCY, Level ~= "alert", XDM_CONST.LOG_LEVEL_ALERT, Level ~= "crit", XDM_CONST.LOG_LEVEL_CRITICAL, Level ~= "error", XDM_CONST.LOG_LEVEL_ERROR, Level ~= "warning", XDM_CONST.LOG_LEVEL_WARNING, Level ~= "notice", XDM_CONST.LOG_LEVEL_NOTICE, Level ~= "info", XDM_CONST.LOG_LEVEL_INFORMATIONAL, Level ~= "bug", XDM_CONST.LOG_LEVEL_DEBUG, Level = null, null, to_string(Level));