[hostInformation]
external_type = kvstore
collection = hostInformation_collection
fields_list = host, Cluster, Clustered, Site, HubTransport, CAS, EdgeTransport, Mailbox, UMServer, ProductVersion, WindowsVersion, time, ms_exchange_host

[ExchangeVersion]
filename = exchange-version.csv
max_matches = 1

[dbInformation]
external_type = kvstore
collection = dbInformation_collection
fields_list = host, Database, Active, MasterType

[event_id_to_action_lookup]
filename = event_id_to_action.csv

[useragent]
python.version = python3
external_cmd = useragent.py cs_user_agent os osvariant osversion browser browserversion
external_type = python
fields_list = cs_user_agent,os,osvariant,osversion,browser,browserversion

[ad_username]
python.version = python3
external_cmd = ad_username.py cs_username user_subject
external_type = python
fields_list = cs_username user_subject

[domain_alias]
external_type = kvstore
collection = ExchangeDomainAliasMappings
fields_list = _key, domain

[windows_severity_lookup]
filename = windows_severities.csv
case_sensitive_match = false 

[windows_signature_lookup]
filename = windows_signatures.csv

[xmlsecurity_eventcode_errorcode_action_lookup]
filename = xmlsecurity_eventcode_errorcode_action.csv
case_sensitive_match = false

[mswin_2003_iis_fields]
FIELDS = "date","time","s_sitename","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_User_Agent","sc_status","sc_substatus","sc_win32_status"
DELIMS = " "
MV_ADD = false

[mswin_2008r2_iis_fields]
FIELDS = "date","time","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_User_Agent","sc_status","sc_substatus","sc_win32_status","time_taken"
DELIMS = " "
MV_ADD = false

[mswin_2012_iis_fields]
FIELDS = "date","time","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_User_Agent","cs_Referer","sc_status","sc_substatus","sc_win32_status","time_taken"
DELIMS = " "
MV_ADD = false

[mswindows2010ews_fields]
FIELDS ="DateTime","AuthenticationType","IsAuthenticated","user_subject","Organization","cs_user_agent","c_ip","ServerHostName","SoapAction","HttpStatus","ErrorCode","ImpersonatedUser","Cookie","BeginBudgetConnections","EndBudgetConnections","BeginBudgetHangingConnections","EndBudgetHangingConnections","BeginBudgetAD","EndBudgetAD","BeginBudgetCAS","EndBudgetCAS","BeginBudgetRPC","EndBudgetRPC","BeginBudgetFindCount","EndBudgetFindCount","BeginBudgetSubscriptions","EndBudgetSubscriptions","DCResource","DCHealth","DCHistoricalLoad","MDBResource","MDBHealth","MDBHistoricalLoad","ThrottlingPolicy","ThrottlingDelay","ThrottlingRequestType","TotalDCRequestCount","TotalDCRequestLatency","MailboxRPCRequests","TotalMBXRequestLatency","TotalRequestTime","GenericInfo","AuthenticationErrors","GenericErrors"
DELIMS = ,

[mswindows2013ews_fields]
FIELDS = "DateTime","RequestId","MajorVersion","MinorVersion","BuildVersion","RevisionVersion","Ring","ClientRequestId","AuthenticationType","IsAuthenticated","user_subject","Organization","cs_user_agent","VersionInfo","c_ip","ServerHostName","FrontEndServer","SoapAction","HttpStatus","RequestSize","ResponseSize","ErrorCode","ImpersonatedUser","ProxyAsUser","ActAsUser","Cookie","CorrelationGuid","PrimaryOrProxyServer","TaskType","RemoteBackendCount","LocalMailboxCount","RemoteMailboxCount","LocalIdCount","RemoteIdCount","BeginBudgetConnections","EndBudgetConnections","BeginBudgetHangingConnections","EndBudgetHangingConnections","BeginBudgetAD","EndBudgetAD","BeginBudgetCAS","EndBudgetCAS","BeginBudgetRPC","EndBudgetRPC","BeginBudgetFindCount","EndBudgetFindCount","BeginBudgetSubscriptions","EndBudgetSubscriptions","MDBResource","MDBHealth","MDBHistoricalLoad","ThrottlingPolicy","ThrottlingDelay","ThrottlingRequestType","TotalDCRequestCount","TotalDCRequestLatency","MailboxRPCRequests","TotalMBXRequestLatency","RecipientLookupLatency","ExchangePrincipalLatency","HttpPipelineLatency","CheckAccessCoreLatency","AuthModuleLatency","CallContextInitLatency","PreExecutionLatency","CoreExecutionLatency","TotalRequestTime","DetailedExchangePrincipalLatency","ClientStatistics","GenericInfo","AuthenticationErrors","GenericErrors","Puid","StartTime","ProcessId","TimeInGC","StartTotalMemory","EndTotalMemory","StartGCCounts","EndGCCounts","TokenBasedThrottlingPolicy","BudgetKey","CoinsCharged","CoinsChargedMethod","SidBudgetInfo","AppBudgetInfo","TenantBudgetInfo","ResourceAccessed","ResourceHealthBasedThreshold","ThrottledBy","BackoffHint","WorkClassification"
DELIMS = ,

[extract_webapp]
SOURCE_KEY = cs_uri_stem
REGEX = ^/(?<WebApplication>[^/]+)

[userSubjectInformation]
external_type = kvstore
collection = userSubjectInformation_collection
fields_list = user_subject, time, _key

[msexchange2007msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info"
DELIMS = ,

[msexchange2010msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info","directionality","tenant_id","original_client_ip","original_server_ip","custom_data"
DELIMS = ,

[msexchange2013msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","network_message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info","directionality","tenant_id","original_client_ip","original_server_ip","custom_data"
DELIMS = ,

[msgtrack-recipient]
SOURCE_KEY = recipient
REGEX = (?<recipient_username>[^@]+)@(?<recipient_domain>[^\s]*)
MV_ADD = true

[msgtrack-recipients]
SOURCE_KEY = recipients
REGEX=(?<recipient>[^;]+);*
MV_ADD = true

[msgtrack-sender]
SOURCE_KEY = sender
REGEX = (?<sender_username>[^@]+)@(?<sender_domain>[^\s]*)

[msgtrack-extract-psender]
REGEX = PurportedSender\=([^;]*)
SOURCE_KEY = custom_data
FORMAT = psender::$1

[msgtrack-psender]
SOURCE_KEY = psender
REGEX = (?<psender_username>[^@]+)@(?<psender_domain>[^\s]*)

[GroupType]
filename=group-type.csv
max_matches=1

[extract_client]
SOURCE_KEY = cs_User_Agent
REGEX = (?<raw_client>[^\(]+)

[windows_update_status_lookup]
filename = windows_update_statii.csv

[file_path-file_name_for_windows]
SOURCE_KEY = Image_File_Name
REGEX = ^(.*[\\/]+)*(.*)$
FORMAT = file_path::$1 file_name::$2

[AdminAudit_ExtractParam]
REGEX = Param="(?<CmdletParam>[^"].*?')"
MV_ADD = true

[AdminAudit_ExtractError]
REGEX = Error="(?<CmdletError>[^"]*)"
MV_ADD = true

[ComputerName_as_dest]
SOURCE_KEY = ComputerName
REGEX = (?:[\\]+)?([^-].*)
FORMAT = dest::"$1"

[ComputerName_as_src]
SOURCE_KEY = ComputerName
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"

[package_title_for_windows_system_update]
REGEX = Windows successfully installed the following update:\s+(.*)
FORMAT = package_title::"$1"

[package_title_for_windowsupdatelog]
REGEX = Content\s+Install\s+(Installation\s+(?:Successful|Failure)):\s+Windows.*the\s+following\s+update.*?:\s+(.*)
FORMAT = vendor_status::"$1" package_title::"$2"

[package_title_for_windowsupdatelog_restartrequired]
REGEX = Content\s+Install\s+(Installation\s+successful\s+and\s+restart\s+required)\s+for\s+the\s+following\s+update:\s+(.*)
FORMAT = vendor_status::"$1" package_title::"$2"

[package_title_for_windowsupdatelog_package_message]
SOURCE_KEY = package_message
REGEX = \-\s+([^\)]+\)(?:\,\s+\d+\-[bB]it\s+Edition)?)
FORMAT = package_title::"$1"
MV_ADD = True

[package_message_for_windowsupdatelog]
REGEX = (Content\s+Install\s+((?:Restart\s+Required)|(?:Installation\s+Ready)).*)
FORMAT = package_message::"$1" vendor_status::"$2"

[user_for_windows_system_ias]
REGEX = Message\=User\s+(?:[^\/\\]+[\/\\])?([^.]+).*?was
FORMAT = user::"$1"

[package_for_windowsupdatelog]
SOURCE_KEY = package_title
REGEX = (KB\d+)
FORMAT = package::$1
MV_ADD = True

[ignore_comments]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

[ignore_header]
REGEX = ^DateTime.*
DEST_KEY = queue
FORMAT = nullQueue

[pid-tid-component_for_windowsupdatelog]
REGEX = ^\S+\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)
FORMAT = pid::$1 tid::$2 component::$3

[exch_audit_user_extraction]
SOURCE_KEY = Accessing_User
REGEX = /cn=Recipients/cn=(?<User>.*)