Rules (XIF)
[MODEL: dataset = synopsys_coverity_raw]
alter event_type = _raw_log -> ["@type"],
log_level = _raw_log -> level,
src_ip = _raw_log -> remoteHost,
src_username = coalesce(_raw_log -> username, _raw_log -> userName, _raw_log -> clientUserName),
src_hostname = _raw_log -> hostname
| alter xdm.event.type = event_type,
xdm.event.id = _raw_log -> id,
xdm.event.duration = to_integer(_raw_log -> duration),
xdm.event.description = _raw_log -> details,
xdm.event.operation = coalesce(_raw_log -> method, _raw_log -> action, _raw_log -> eventType),
xdm.event.operation_sub_type = coalesce(to_string(_raw_log -> viewId), to_string(_raw_log -> protocol), to_string(_raw_log -> queueType)),
xdm.event.outcome_reason = _raw_log -> failureReason,
xdm.event.outcome = if(_raw_log -> logInSucceeded = "true", XDM_CONST.OUTCOME_SUCCESS),
xdm.event.log_level = if(log_level in ("CRITICAL"), XDM_CONST.LOG_LEVEL_CRITICAL, log_level in ("ERROR"), XDM_CONST.LOG_LEVEL_ERROR, log_level in ("WARNING"), XDM_CONST.LOG_LEVEL_WARNING, log_level in ("INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL, to_string(log_level)),
xdm.source.user.username = src_username,
xdm.source.user.identifier = _raw_log -> userId,
xdm.source.host.hostname = src_hostname,
xdm.source.ipv4 = arrayindex(regextract(src_ip, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0),
xdm.source.ipv6 = arrayindex(regextract(src_ip, "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}"), 0),
xdm.source.user_agent = _raw_log -> userAgent,
xdm.source.application.name = _raw_log -> endpoint,
xdm.source.application.version = _raw_log -> version,
xdm.session_context_id = to_string(_raw_log -> sessionId),
xdm.target.file.path = _raw_log -> filename,
xdm.target.resource.parent_id = to_string(_raw_log -> projectId),
xdm.target.resource.name = coalesce(_raw_log -> projectName, _raw_log -> stream),
xdm.target.user.identifier = to_string(_raw_log -> targetId),
xdm.target.resource.id = coalesce(to_string(_raw_log -> cid), to_string(_raw_log -> issueInstanceId)),
xdm.target.url = _raw_log -> url,
xdm.auth.service = _raw_log -> authenticationSource;