Rules (XIF)
[MODEL: dataset="radware_access_logs_raw"]
// Extract fields
alter
source_ip = json_extract_scalar(_raw_log, "$.source_ip"),
source_port = to_integer(json_extract_scalar(_raw_log, "$.source_port")),
destination_ip = json_extract_scalar(_raw_log, "$.destination_ip"),
destination_port = to_integer(json_extract_scalar(_raw_log, "$.destination_port")),
protocol = json_extract_scalar(_raw_log, "$.protocol"),
http_method = json_extract_scalar(_raw_log, "$.http_method"),
host = json_extract_scalar(_raw_log, "$.host"),
request = json_extract_scalar(_raw_log, "$.request"),
user_agent = json_extract_scalar(_raw_log, "$.user_agent"),
referrer = json_extract_scalar(_raw_log, "$.referrer"),
request_time= json_extract_scalar(_raw_log, "$.request_time"),
response_code = json_extract_scalar(_raw_log, "$.response_code"),
action = json_extract_scalar(_raw_log, "$.action"),
application_name = json_extract_scalar(_raw_log, "$.application_name"),
country_code = json_extract_scalar(_raw_log, "$.country_code")
// Map fields
| alter
xdm.source.ipv4 = if(source_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", source_ip, null),
xdm.source.ipv6 = if(source_ip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", source_ip, null),
xdm.source.port = source_port,
xdm.target.ipv4 = if(destination_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", destination_ip, null),
xdm.target.ipv6 = if(destination_ip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", destination_ip, null),
xdm.target.port = destination_port,
xdm.network.application_protocol = protocol,
xdm.network.http.method = if(http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
xdm.network.http.domain = host,
xdm.network.http.url = concat(protocol, "://", host, to_string(arrayindex(regextract(request, "[\S]+\s([\S]+)"), 0))),
xdm.source.user_agent = user_agent,
xdm.network.http.referrer = referrer,
xdm.event.duration = to_integer(multiply(to_float(request_time), 1000)),
xdm.network.http.response_code = if(response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, response_code = null, null, to_string(response_code)),
xdm.source.location.country = country_code,
xdm.observer.action = action,
xdm.source.application.name = application_name;
[MODEL: dataset = "radware_appwall_raw"]
filter _raw_log contains "AppWallAttackSysLogMessage"
| alter // Extract Fields
action = arrayindex(regextract(_raw_log, "action=\"([^\"]+)"), 0), // The action taken on the transaction: Report, Modified, or Block.
awVersion = arrayindex(regextract(_raw_log, "awVersion=\"([^\"]+)"), 0), // WAF security engine version number.
awClusterManagerIp = arrayindex(regextract(_raw_log, "ClusterManagerIp=\"([^\"]+)"), 0), // AppWall device Management IP address
destinationIp = arrayindex(regextract(_raw_log, "destinationIp=\"([^\"]+)"), 0), // Network parameters of the destination of the attack. Can be a single IP address or multiple addresses.
destinationPort = arrayindex(regextract(_raw_log, "destinationPort=\"(\d+)"), 0), // TCP port number of the Web service to which the user sent the request.
details = arrayindex(regextract(_raw_log, "details=\"([^\"]+)"), 0), // Detailed information about the security violation.
devType = arrayindex(regextract(_raw_log, "devType=\"([^\"]+)"), 0), // The device type used by Cloud WAF.
directory = arrayindex(regextract(_raw_log, "directory=\"([^\"]+)"), 0), // The HTTP request folder.
enrichmentContainer = arrayindex(regextract(_raw_log, "enrichmentContainer=\"([^\"]+)"), 0),
externalIp = arrayindex(regextract(_raw_log, "externalIp=\"([^\"]+)"), 0),
eventId = arrayindex(regextract(_raw_log, "eventId=\"([^\"]+)"), 0),
request_host = arrayindex(regextract(_raw_log, "host=\"([^\"]+)"), 0), // The host header in the HTTP request that triggered the security violation.
aw_hostIP = arrayindex(regextract(_raw_log, "hostIP=\"([^\"]+)"), 0),
aw_hostName = arrayindex(regextract(_raw_log, "hostName=\"([^\"]+)"), 0),
http_method = arrayindex(regextract(_raw_log, "method=\"(\w+)\""), 0), // HTTP Method name in the Request.
paramName = arrayindex(regextract(_raw_log, "paramName=\"([^\"]+)"), 0), // HTTP parameter name that triggered the security violation.
paramType = arrayindex(regextract(_raw_log, "paramType=\"([^\"]+)"), 0), // Type of parameter: Query/Path/Body URL Encoded
paramValue = arrayindex(regextract(_raw_log, "paramValue=\"([^\"]+)"), 0), // HTTP parameter value that triggered the security violation.
isPassive = arrayindex(regextract(_raw_log, "(?i)passive=\"([^\"]+)"), 0), // Whether there were any actions applied to the violating request or response, or it is passive-mode detection only.
protocol = arrayindex(regextract(_raw_log, "protocol=\"([^\"]+)"), 0), // HTTP or HTTPS.
request = arrayindex(regextract(_raw_log, "request=\"([^\"]+)"), 0), // The actual HTTP/S request as received by Cloud WAF.
role = arrayindex(regextract(_raw_log, "role=\"([^\"]+)"), 0), // Web user role. If no web roles are defined and mapped to LDAP server, “Public” role will be used. Within Cloud WAF, this field should always be Public.
ruleId = arrayindex(regextract(_raw_log, "ruleId=\"([^\"]+)"), 0), // In the context of attacks signatures-based security modules, the Rule ID represents the ID of the signature rule ID.
severity = arrayindex(regextract(_raw_log, "severity=\"([^\"]+)"), 0), // Security violation severity: Very Low, Low, Medium, High, Critical
sourceIp = arrayindex(regextract(_raw_log, "sourceIp=\"([^\"]+)"), 0), // IP address of the user who sent the request.
sourcePort = arrayindex(regextract(_raw_log, "sourcePort=\"(\d+)"), 0), // TCP port number of the user connection that sent the request.
targetModule = arrayindex(regextract(_raw_log, "targetModule=\"([^\"]+)"), 0), // The security module that triggered the security event.
title = arrayindex(regextract(_raw_log, "title=\"([^\"]+)"), 0), // Event short description.
transId = arrayindex(regextract(_raw_log, "transId=\"([^\"]+)"), 0), // HTTP/S unique transaction ID.
tunnel = arrayindex(regextract(_raw_log, "tunnel=\"([^\"]+)"), 0), // The network object name in the configuration.
tunnelListenIP = arrayindex(regextract(_raw_log, "tunnelListenIP=\"([^\"]+)"), 0),
tunnelListenPort = arrayindex(regextract(_raw_log, "tunnelListenPort=\"(\d{1,5})"), 0), // The network object name in the configuration.
uri = arrayindex(regextract(_raw_log, "uri=\"([^\"]+)"), 0), // User HTTP/S request URI.
user = arrayindex(regextract(_raw_log, "user=\"([^\"]+)"), 0), // The name of the user who logged in to the web application. A name will be presented when either Authentication server was defined (LDAP, RADIUS) or when Successful login detection was configured. In the context of Cloud WAF, should always be Public.
vhost = arrayindex(regextract(_raw_log, "vhost=\"([^\"]+)"), 0), // The name of the host in the security policy. In a scenario where there is a group of hosts under the same policy, Vhost contains the group name.
violationCategory = arrayindex(regextract(_raw_log, "violationCategory=\"([^\"]+)"), 0), // The category of the security violation
violationType = arrayindex(regextract(_raw_log, "violationType=\"([^\"]+)"), 0), // The type of the security violation, for example: SQL Injection, LDAP Injection, Code Injection.
webApp = arrayindex(regextract(_raw_log, "webApp=\"([^\"]+)"), 0) // Web application name (in the security policy).
| alter
vhost = replace(replace(vhost, "<", "<"), ">", ">"), //reformat vhost
is_passive_mode = to_boolean(uppercase(isPassive)) // an event log is generated for any security policy violation. In passive mode these events will indicate a violation which was allowed while in active mode the log will indicate that an attack was blocked.
| alter // Extract HTTP request header fields
http_method = if(http_method != null, http_method, arrayindex(regextract(request, "(\w+)"), 0)),
user_agent = arrayindex(regextract(request, "(?i)User-Agent:\s*(.+?)\\n"), 0),
content_type = arrayindex(regextract(request, "(?i)Content-Type:\s*(.+?)\\n"), 0),
referrer = arrayindex(regextract(request, "(?i)Referer:\s*([^\\n]+)"), 0),
x_forwarded_for = arrayindex(regextract(request, "(?i)X-Forwarded-For:\s*(.+?)\\n"), 0),
x_ms_forwarded_client_app = arrayindex(regextract(request, "(?i)X-MS-Client-Application:\s*(.+?)\\n"), 0),
x_ms_forwarded_client_ip = arrayindex(regextract(request, "(?i)X-MS-Forwarded-Client-IP:\s*(.+?)\\n"), 0),
x_radware_ip = arrayindex(regextract(request, "X-RDWR-IP:\s*(.+?)\\n"), 0), // client originating IP. see https://support.radware.com/app/answers/answer_view/a_id/19026/loc/en_US
x_radware_port = arrayindex(regextract(request, "X-RDWR-PORT:\s*(.+?)\\n"), 0), // X-RDWR-PORT-Specifies the TCP port of the incoming transaction. Example: 15234. see https://support.radware.com/app/search/kw/X-RDWR-PORT/okcsSearchSession/10886275347f7e-9e5a-4e7f-8841-ebe6f258e5ea/page/1/priorTransactionID/1809232382/transactionID/1809232382
x_radware_app_id = arrayindex(regextract(request, "X-RDWR-APP-ID:\s*(.+?)\\n"), 0),
full_url = concat(lowercase(protocol), "://", request_host, uri)
| alter // Extract Cloud WAF originated information from the enrichmentContainer
tenant = arrayindex(regextract(enrichmentContainer, "tenant=([a-fA-F\d\-]+)"), 0),
applicationId = arrayindex(regextract(enrichmentContainer, "applicationId=([a-fA-F\d\-]+)"), 0)
| alter // Extract additional details
http_response_code = arrayindex(regextract(details, "HTTP Status code:\s*(\d+)"), 0),
details_rule_id = arrayindex(regextract(details, "Rule ID:\s*(.+?)\\n"), 0)
// Additional processing for IP addresses
| alter xff_address_chain = arraymap(split(x_forwarded_for, ","), trim("@element"))
| alter xff_left_most_address = arrayindex(xff_address_chain, 0)
| alter xff_intermediate_address_chain = arrayrange(xff_address_chain, 1, array_length(xff_address_chain))
| alter
all_src_ip_addresses = arraydistinct(arrayconcat(xff_address_chain, arraycreate(x_radware_ip, xff_left_most_address,externalIp, x_ms_forwarded_client_ip, sourceIp))),
all_intermediate_ip_addresses = arraydistinct(arrayconcat(arraycreate(tunnelListenIP, aw_hostIP, awClusterManagerIp), xff_intermediate_address_chain)),
all_target_ip_addresses = arraydistinct(arraycreate(request_host, destinationIp))
| alter
src_ipv4_addresses = arrayfilter(all_src_ip_addresses, "@element" ~= "(?:\d{1,3}\.){3}\d{1,3}"),
src_ipv6_addresses = arrayfilter(all_src_ip_addresses, "@element" ~= "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"),
intermediate_ipv4_addresses = arrayfilter(all_intermediate_ip_addresses, "@element" ~= "(?:\d{1,3}\.){3}\d{1,3}"),
intermediate_ipv6_addresses = arrayfilter(all_intermediate_ip_addresses, "@element" ~= "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"),
target_ipv4_addresses = arrayfilter(all_target_ip_addresses, "@element" ~= "(?:\d{1,3}\.){3}\d{1,3}"),
target_ipv6_addresses = arrayfilter(all_target_ip_addresses, "@element" ~= "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})")
| alter // XDM Mappings
xdm.alert.name = title,
xdm.alert.description = details,
xdm.alert.category = if(violationCategory = "Information Leakage", XDM_CONST.THREAT_CATEGORY_INFO_LEAK, violationType = "SQL Injection", XDM_CONST.THREAT_CATEGORY_SQL_INJECTION, violationCategory),
xdm.alert.subcategory = violationType,
xdm.alert.severity = severity,
xdm.alert.original_alert_id = eventId,
xdm.event.id = eventId,
xdm.event.outcome = if(is_passive_mode, XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED),
xdm.event.outcome_reason = if(is_passive_mode, "passive mode (detection only)", "active mode"),
xdm.event.original_event_type = "WAF",
xdm.intermediate.agent.identifier = tunnel,
xdm.intermediate.application.name = coalesce(applicationId, x_radware_app_id),
xdm.intermediate.host.device_id = tenant,
xdm.intermediate.host.device_category = devType,
xdm.intermediate.host.hostname = aw_hostName,
xdm.intermediate.ipv4 = arrayindex(intermediate_ipv4_addresses, 0),
xdm.intermediate.ipv6 = arrayindex(intermediate_ipv6_addresses, 0),
xdm.intermediate.host.ipv4_addresses = intermediate_ipv4_addresses,
xdm.intermediate.host.ipv6_addresses = intermediate_ipv6_addresses,
xdm.intermediate.port = to_integer(tunnelListenPort),
xdm.network.application_protocol = protocol,
xdm.network.http.domain = request_host,
xdm.network.http.method = if(http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "POST", XDM_CONST.HTTP_METHOD_POST,http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
xdm.network.http.response_code = if(http_response_code = null, null, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code),
xdm.network.http.url = full_url,
xdm.network.http.content_type = content_type,
xdm.network.http.referrer = referrer,
xdm.network.http.http_header.header = if(x_forwarded_for != null, "X-Forwarded-For"),
xdm.network.http.http_header.value = x_forwarded_for,
xdm.network.rule = coalesce(ruleId, details_rule_id),
xdm.observer.action = action,
xdm.observer.name = aw_hostName,
xdm.observer.unique_identifier = tenant,
xdm.observer.type = targetModule,
xdm.observer.version = awVersion,
xdm.session_context_id = transId,
xdm.source.application.name = x_ms_forwarded_client_app,
xdm.source.ipv4 = arrayindex(src_ipv4_addresses, 0),
xdm.source.ipv6 = arrayindex(src_ipv6_addresses, 0),
xdm.source.host.ipv4_addresses = src_ipv4_addresses,
xdm.source.host.ipv6_addresses = src_ipv6_addresses,
xdm.source.port = to_integer(coalesce(x_radware_port, sourcePort)),
xdm.source.user_agent = user_agent,
xdm.source.user.groups = if(role != null, arraycreate(role)),
xdm.source.user.username = user,
xdm.target.application.name = webApp,
xdm.target.file.directory = directory,
xdm.target.host.hostname = vhost,
xdm.target.host.ipv4_addresses = target_ipv4_addresses,
xdm.target.host.ipv6_addresses = target_ipv6_addresses,
xdm.target.ipv4 = arrayindex(target_ipv4_addresses, 0),
xdm.target.ipv6 = arrayindex(target_ipv6_addresses, 0),
xdm.target.resource.id = uri,
xdm.target.resource.type = paramType,
xdm.target.resource.name = paramName,
xdm.target.resource.value = paramValue,
xdm.target.port = to_integer(destinationPort),
xdm.target.url = full_url;