Splunk_deploy/deployment-apps/Splunk_TA_juniper/default/props.conf

##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##

###### Globals ######
## Apply the following properties to juniper data
[juniper]
SHOULD_LINEMERGE = false
# For load balancing on UF
EVENT_BREAKER_ENABLE = true
TRANSFORMS-force_info_for_juniper = force_host_for_netscreen_firewall,force_sourcetype_for_netscreen_firewall,force_sourcetype_for_junos_idp_structured,force_sourcetype_for_junos_idp,force_sourcetype_for_junos_aamw,force_sourcetype_for_junos_secintel,force_sourcetype_for_junos_firewall_structured,force_sourcetype_for_junos_firewall, force_sourcetype_for_junos_snmp,force_sourcetype_for_junos_firewall_rpd


###### Juniper Firewall (Netscreen Firewall) ######
[source::....netscreen_firewall]
sourcetype=netscreen:firewall
EVENT_BREAKER_ENABLE = true

[netscreen:firewall]
SHOULD_LINEMERGE = false

REPORT-dest_translated_for_netscreen_firewall = dest_translated_for_netscreen_firewall
REPORT-dvc_for_netscreen_firewall = dvc_for_netscreen_firewall
REPORT-src_translated_for_netscreen_firewall = src_translated_for_netscreen_firewall
REPORT-zone_for_netscreen_firewall = zone_for_netscreen_firewall

FIELDALIAS-bytes_in_for_netscreen_firewall = rcvd as bytes_in
FIELDALIAS-bytes_out_for_netscreen_firewall = sent as bytes_out
FIELDALIAS-dvc_dns_for_netscreen_firewall = device_id as dvc_dns
FIELDALIAS-rule_for_netscreen_firewall = policy_id as rule_id
FIELDALIAS-transport_id_for_netscreen_firewall = proto as transport_id

EVAL-action_type = if(isnotnull(action) AND (action=="failure" OR action=="created"), "communicate", "other")
EVAL-bytes = bytes_in + bytes_out
EVAL-dvc = coalesce(dvc, host)
EVAL-dest = coalesce(dst, dest, dest_ip, host)
EVAL-dest_ip = coalesce(dst, dest_ip)
EVAL-dest_port = coalesce(dest_port, dst_port)
EVAL-src = coalesce(src, src_ip)
EVAL-src_ip = if(match(src, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), src, src_ip)
EVAL-vendor_action = coalesce(vendor_action, action)
EVAL-vendor_product = "Juniper Netscreen Firewall"

LOOKUP-action_for_netscreen_firewall = juniper_netscreen_firewall_action_lookup vendor_action, action_type OUTPUT action, status
LOOKUP-transport_for_netscreen_firewall = juniper_transport_protocols_lookup transport_id as proto OUTPUT protocol, transport

## Netscreen Authentication Extractions
REPORT-app_for_netscreen_firewall = app_for_netscreen_firewall
REPORT-local_admin_auth_for_netscreen_firewall = local_admin_auth_for_netscreen_firewall
REPORT-login_refused_for_netscreen_firewall = login_refused_for_netscreen_firewall
REPORT-password_auth_for_netscreen_firewall = password_auth_for_netscreen_firewall

EVAL-app = case(isnotnull(app), lower(app), isnotnull(service), service)

## Netscreen Network Change Extractions
REPORT-firewall_change_for_netscreen_firewall = firewall_change_for_netscreen_firewall

EVAL-change_type = case(isnotnull(command), "policy", vendor_action == "reboot", "restart", true(), change_type)
EVAL-object_attrs = if(isnotnull(command), "services", object_attrs)
EVAL-object_category = if(isnotnull(command), "policy", object_category)

## Netscreen Restarts
REPORT-change_src_dest_for_netscreen_firewall= change_src_dest_for_netscreen_firewall
REPORT-login_failed_for_netscreen_firewall = login_failed_for_netscreen_firewall
REPORT-netscreen_restart = juniper_restart_field
REPORT-policy_id_for_netscreen_firewall = policy_id_for_netscreen_firewall
REPORT-translation_log_for_netscreen_firewall = translation_log_for_netscreen_firewall
REPORT-user_for_netscreen_firewall_restart = user_for_netscreen_firewall_restart

## Netscreen alerts
REPORT-alert_first_part_for_netscreen_firewall = alert_first_part_for_netscreen_firewall
REPORT-alert_rest_part_for_netscreen_firewall = alert_rest_part_for_netscreen_firewall

FIELDALIAS-signature_id_for_netscreen_firewall = alert_id as signature_id
FIELDALIAS-user_for_netscreen_firewall = netscreen_user as user
FIELDALIAS-object_id_for_netscreen_firewall = policy_id as object_id

EVAL-object = if(isnotnull(policy_id), "policy "+policy_id, object)
EVAL-severity = if(isnotnull(alert_id), "high", severity)
EVAL-type= if(isnotnull(alert_id), "alert", type)

LOOKUP-netscreen_firewall_ids_info_lookup = juniper_netscreen_firewall_ids_info_lookup alert_id OUTPUT ids_type,signature


###### JUNOS IDP ######

[source::....junos_idp]
TRANSFORMS-force_info_for_juniper = force_sourcetype_for_junos_idp_structured,force_sourcetype_for_junos_idp
EVENT_BREAKER_ENABLE = true

[juniper:junos:idp]
SHOULD_LINEMERGE = false
KV_MODE = auto

REPORT-message_tag = message_tag_for_junos_idp
REPORT-dvc = dvc_for_junos_idp
REPORT-auto_kv_for_junos_idp = auto_kv_for_junos_idp

FIELDALIAS-category = message_type AS category
FIELDALIAS-dest = dest_ip AS dest
FIELDALIAS-src = src_ip AS src
FIELDALIAS-user = username AS user
FIELDALIAS-vendor_action = action AS vendor_action

EVAL-action = case(action == "TRAFFIC_IPACTION_NOTIFY" OR action == "NONE" OR action == "IGNORE", "allowed", action == "TRAFFIC_IPACTION_DROP" OR action == "DROP", "blocked")
EVAL-app = "junos_idp"
EVAL-dvc = coalesce(dvc, host)
EVAL-ids_type = "network"
EVAL-severity = case(threat_severity == "CRITICAL", "critical", threat_severity == "HIGH", "high", threat_severity == "MEDIUM", "medium", threat_severity == "LOW", "low", threat_severity == "INFO" OR message_tag == "IDP_ATTACK_LOG_EVENT", "informational")
EVAL-signature = if(name=="_", "unknown", name)
EVAL-transport = lower(protocol)
EVAL-vendor_product = "Juniper IDP"

[juniper:junos:idp:structured]
SHOULD_LINEMERGE = false
KV_MODE = auto

REPORT-message_tag = message_tag_for_junos_idp
REPORT-dvc = dvc_for_junos_idp

FIELDALIAS-user = username AS user
FIELDALIAS-src = source_address AS src
FIELDALIAS-category = message_type AS category
FIELDALIAS-dest = destination_address AS dest
FIELDALIAS-dest_ip = destination_address AS dest_ip
FIELDALIAS-src_ip = source_address AS src_ip
FIELDALIAS-dest_port = destination_port AS dest_port
FIELDALIAS-vendor_action = action AS vendor_action

EVAL-action = case(action == "TRAFFIC_IPACTION_NOTIFY" OR action == "NONE" OR action == "IGNORE", "allowed", action == "TRAFFIC_IPACTION_DROP" OR action == "DROP", "blocked")
EVAL-app = "junos_idp"
EVAL-dvc = coalesce(dvc, host)
EVAL-ids_type = "network"
EVAL-severity = case(threat_severity == "CRITICAL", "critical", threat_severity == "HIGH", "high", threat_severity == "MEDIUM", "medium", threat_severity == "LOW", "low", threat_severity == "INFO" OR message_tag == "IDP_ATTACK_LOG_EVENT", "informational")
EVAL-signature = if(attack_name=="_", "unknown", attack_name)
EVAL-transport = lower(protocol_name)
EVAL-vendor_product = "Juniper IDP"
EVAL-src_port = coalesce(source_port, src_port)

###### JUNOS FW ######

[source::....junos_fw]
TRANSFORMS-force_info_for_juniper = force_sourcetype_for_junos_firewall_structured,force_sourcetype_for_junos_firewall
EVENT_BREAKER_ENABLE = true

[juniper:junos:firewall]
SHOULD_LINEMERGE = false
KV_MODE = auto

REPORT-message_tag = message_tag_for_junos_fw
REPORT-dvc = dvc_for_junos_fw
REPORT-auto_kv_for_junos_firewall = auto_kv_for_rt_screen,auto_kv_for_rt_flow_session_create,auto_kv_for_rt_flow_session_close,auto_kv_for_rt_flow_session_deny,auto_kv_for_apptrack_session_create,auto_kv_for_apptrack_session_vol_update,auto_kv_for_apptrack_session_close,auto_kv_for_rt_utm_webfilter,auto_kv_for_eswd_dai_failed,auto_kv_for_fw_eth_ip,auto_kv_for_eswd_stp_state_change_info,auto_kv_for_up_down,auto_kv_for_rt_alg_wrn_cfg_need_ls

FIELDALIAS-bytes_in = bytes_from_server AS bytes_in
FIELDALIAS-bytes_out = bytes_from_client AS bytes_out
FIELDALIAS-duration = elapsed_time AS duration
FIELDALIAS-packets_in = packets_from_server AS packets_in
FIELDALIAS-packets_out = packets_from_client AS packets_out
FIELDALIAS-service = service_name AS service
FIELDALIAS-src = src_ip AS src
FIELDALIAS-uri_path = OBJ AS uri_path
FIELDALIAS-url = URL AS url

EVAL-app = case(isnotnull(APPLICATION) AND isnotnull(NESTED_APPLICATION), APPLICATION + " " + NESTED_APPLICATION, isnotnull(vendor_app) AND isnotnull(nested_vendor_app), vendor_app + " " + nested_vendor_app, isnotnull(APPLICATION), APPLICATION, isnotnull(vendor_app), vendor_app, message_tag == "RT_FLOW_SESSION_CREATE" OR message_tag == "RT_FLOW_SESSION_CLOSE" OR message_tag == "RT_FLOW_SESSION_DENY" OR message_tag == "APPTRACK_SESSION_CREATE" OR message_tag == "APPTRACK_SESSION_CLOSE" OR message_tag == "APPTRACK_SESSION_VOL_UPDATE", case(isnotnull(service_name), service_name, true(), "other"))
EVAL-action = case(message_tag == "RT_FLOW_SESSION_CREATE" OR message_tag == "APPTRACK_SESSION_CREATE" OR message_tag == "APPTRACK_SESSION_VOL_UPDATE" OR message_tag == "WEBFILTER_URL_PERMITTED" OR lower(action_name) == "a", "allowed", message_tag == "RT_FLOW_SESSION_DENY" OR message_tag == "WEBFILTER_URL_BLOCKED" OR message_tag == "ESWD_DAI_FAILED" OR action == "drop" OR lower(action_name) == "d" OR lower(action_name) == "r", "blocked", message_tag == "RT_FLOW_SESSION_CLOSE" OR message_tag == "RT_FLOW_SESSION_CLOSE_LS" OR message_tag == "APPTRACK_SESSION_CLOSE", "teardown", message_tag == "ESWD_STP_STATE_CHANGE_INFO", "modified", isnotnull(action), lower(action))
EVAL-bytes = bytes_in + bytes_out
EVAL-category = case(message_tag == "RT_SCREEN_ICMP", "DOS", message_tag == "RT_SCREEN_TCP" OR message_tag == "RT_SCREEN_UDP", "Reconnaissance", isnotnull(vendor_app_sub_category), CATEGORY + " " + vendor_app_sub_category, true(), CATEGORY)
EVAL-dest_zone = coalesce(dest_zone, destination_zone, zone_name)
EVAL-dvc = coalesce(dvc, host)
EVAL-dvc_zone = case(message_tag != "RT_SCREEN_TCP" AND message_tag != "RT_SCREEN_UDP", zone_name)
EVAL-ids_type = case(message_tag == "RT_SCREEN_ICMP" OR message_tag == "RT_SCREEN_TCP" OR message_tag == "RT_SCREEN_UDP", "network", true(), ids_type)
EVAL-packets = coalesce(packets_in + packets_out, packets)
EVAL-protocol_id = case(service_name == "icmp" OR message_tag == "RT_SCREEN_ICMP", 1, message_tag == "RT_SCREEN_TCP" , 6, message_tag == "RT_SCREEN_UDP", 17, true(), protocol_id)
EVAL-rule = case(isnotnull(src_translated_rule_name) AND isnotnull(dest_translated_rule_name), case(isnotnull(rule_name), src_translated_rule_name + " " + dest_translated_rule_name + " " + rule_name, isnotnull(policy_name), src_translated_rule_name + " " + dest_translated_rule_name + " " + policy_name), isnotnull(src_translated_rule_name), case(isnotnull(rule_name), src_translated_rule_name + " " + rule_name, isnotnull(policy_name), src_translated_rule_name + " " + policy_name), isnotnull(dest_translated_rule_name), case(isnotnull(rule_name), dest_translated_rule_name + " " + rule_name, isnotnull(policy_name), dest_translated_rule_name + " " + policy_name), isnotnull(rule_name), rule_name, isnotnull(policy_name), policy_name, message_tag == "ESWD_DAI_FAILED", "ESWD_DAI_FAILED", message_tag == "PFE_FW_SYSLOG_ETH_IP", "PFE_FW_SYSLOG_ETH_IP")
EVAL-session_id = coalesce(SESSION_ID, session_id_32)
EVAL-severity = case(isnull(severity) AND (message_tag == "RT_SCREEN_ICMP" OR message_tag == "RT_SCREEN_TCP" OR message_tag == "RT_SCREEN_UDP"), "informational", true(), severity)
EVAL-src_interface = coalesce(src_interface, inbound_interface, uplink_incoming_interface)
EVAL-src_zone = coalesce(src_zone, source_zone, zone_name)
EVAL-user = coalesce(user, USERNAME)
EVAL-vendor_product = case(message_tag == "WEBFILTER_URL_PERMITTED" OR message_tag == "WEBFILTER_URL_BLOCKED", "Juniper Unified Threat Management", message_tag == "ESWD_DAI_FAILED" OR message_tag == "ESWD_STP_STATE_CHANGE_INFO" OR message_tag == "PFE_FW_SYSLOG_ETH_IP" OR service_name == "rpd", "Juniper JunOS", message_tag == "RT_SCREEN_ICMP" OR message_tag == "RT_SCREEN_TCP" OR message_tag == "RT_SCREEN_UDP", "Juniper IDS", true(), "Juniper SRX")
EVAL-vendor_action = case(lower(action_name) == "a", "allowed", lower(action_name) == "d" OR lower(action_name) == "r", "blocked", true(), action)
EVAL-object_id = case(message_tag == "ESWD_STP_STATE_CHANGE_INFO", interface_name, service_name == "rpd", interface_name, true(), object_id)
EVAL-dest = case(message_tag == "ESWD_STP_STATE_CHANGE_INFO" OR service_name == "rpd", host, true(), dest_ip)
EVAL-object = case(message_tag == "ESWD_STP_STATE_CHANGE_INFO", interface_name, service_name == "rpd", interface_name, true(), object)

LOOKUP-transport_for_junos_firewall = juniper_transport_protocols_lookup transport_id AS protocol_id OUTPUTNEW protocol, transport

[juniper:junos:firewall:structured]
SHOULD_LINEMERGE = false
KV_MODE = auto

REPORT-message_tag = message_tag_for_junos_fw
REPORT-dvc = dvc_for_junos_fw
REPORT-file_name = file_name_for_junos_fw

FIELDALIAS-bytes_in = bytes_from_server AS bytes_in
FIELDALIAS-bytes_out = bytes_from_client AS bytes_out
FIELDALIAS-dest = destination_address AS dest
FIELDALIAS-dest_ip = destination_address AS dest_ip
FIELDALIAS-dest_port = destination_port AS dest_port
FIELDALIAS-dest_translated_ip = nat_destination_address AS dest_translated_ip
FIELDALIAS-dest_translated_port = nat_destination_port AS dest_translated_port
FIELDALIAS-duration = elapsed_time AS duration
FIELDALIAS-file_path = filename AS file_path
FIELDALIAS-packets_in = packets_from_server AS packets_in
FIELDALIAS-packets_out = packets_from_client AS packets_out
FIELDALIAS-src = source_address AS src
FIELDALIAS-src_ip = source_address AS src_ip
FIELDALIAS-src_port = source_port AS src_port
FIELDALIAS-src_translated_ip = nat_source_address AS src_translated_ip
FIELDALIAS-src_translated_port = nat_source_port AS src_translated_port
FIELDALIAS-uri_path = obj AS uri_path
FIELDALIAS-user = username AS user
FIELDALIAS-vendor_action = action AS vendor_action

EVAL-action = case(message_tag == "RT_FLOW_SESSION_CREATE" OR message_tag == "APPTRACK_SESSION_CREATE" OR message_tag == "APPTRACK_SESSION_VOL_UPDATE" OR message_tag == "WEBFILTER_URL_PERMITTED" OR message_tag == "AV_VIRUS_DETECTED_MT", "allowed", message_tag == "RT_FLOW_SESSION_DENY" OR message_tag == "WEBFILTER_URL_BLOCKED", "blocked", message_tag == "RT_FLOW_SESSION_CLOSE" OR message_tag == "APPTRACK_SESSION_CLOSE", "teardown", isnotnull(action), lower(action))
EVAL-app = case(isnotnull(nested_application) AND isnotnull(application_category) AND isnotnull(application_sub_category), application + " " + nested_application + " " + application_category + " " + application_sub_category, isnotnull(nested_application), application + " " + nested_application, isnotnull(application), application, isnotnull(argument), argument, message_tag == "RT_FLOW_SESSION_CREATE" OR message_tag == "RT_FLOW_SESSION_CLOSE" OR message_tag == "RT_FLOW_SESSION_DENY" OR message_tag == "APPTRACK_SESSION_CREATE" OR message_tag == "APPTRACK_SESSION_CLOSE" OR message_tag == "APPTRACK_SESSION_VOL_UPDATE", case(isnotnull(service_name), service_name, true(), "other"))
EVAL-bytes = bytes_in + bytes_out
EVAL-category = case(message_tag == "CONTENT_FILTERING_BLOCKED_MT", "malware", isnotnull(category), category, isnotnull(reason), reason, message_tag == "AV_VIRUS_DETECTED_MT" and isnull(category), "virus")
EVAL-dest_interface = coalesce(destination_interface_name, packet_incoming_interface)
EVAL-dest_zone = coalesce(destination_zone_name, destination_zone)
EVAL-dvc = coalesce(dvc, host)
EVAL-ids_type = case(message_tag == "AV_VIRUS_DETECTED_MT" OR message_tag == "CONTENT_FILTERING_BLOCKED_MT", "network", true(), ids_type)
EVAL-packets = packets_in + packets_out
EVAL-protocol_id = case(message_tag == "AV_VIRUS_DETECTED_MT" OR message_tag == "CONTENT_FILTERING_BLOCKED_MT", 6, true(), protocol_id)
EVAL-rule = case(isnotnull(src_nat_rule_name) AND isnotnull(dst_nat_rule_name), case(isnotnull(rule_name), src_nat_rule_name + " " + dst_nat_rule_name + " " + rule_name, isnotnull(policy_name), src_nat_rule_name + " " + dst_nat_rule_name + " " + policy_name), isnotnull(src_nat_rule_name), case(isnotnull(rule_name), src_nat_rule_name + " " + rule_name, isnotnull(policy_name), src_nat_rule_name + " " + policy_name), isnotnull(dst_nat_rule_name), case(isnotnull(rule_name), dst_nat_rule_name + " " + rule_name, isnotnull(policy_name), dst_nat_rule_name + " " + policy_name), isnotnull(rule_name), rule_name, isnotnull(policy_name), policy_name)
EVAL-session_id = coalesce(session_id, session_id_32)
EVAL-severity = case(isnull(severity) AND (message_tag == "AV_VIRUS_DETECTED_MT" OR message_tag == "CONTENT_FILTERING_BLOCKED_MT"), "informational", true(), severity)
EVAL-signature = if(message_tag == "CONTENT_FILTERING_BLOCKED_MT", reason, name)
EVAL-src_zone = coalesce(source_zone_name, source_zone)
EVAL-vendor_product = if(message_tag == "WEBFILTER_URL_PERMITTED" OR message_tag == "WEBFILTER_URL_BLOCKED" OR message_tag == "AV_VIRUS_DETECTED_MT" OR message_tag == "CONTENT_FILTERING_BLOCKED_MT", "Juniper Unified Threat Management", "Juniper SRX")

LOOKUP-transport_for_junos_firewall_structured = juniper_transport_protocols_lookup transport_id AS protocol_id OUTPUT protocol, transport

###### JUNOS AAMW ######
[source::....junos_aamw]
sourcetype = juniper:junos:aamw:structured
EVENT_BREAKER_ENABLE = true

[juniper:junos:aamw:structured]
SHOULD_LINEMERGE = false
KV_MODE = auto

REPORT-message_tag = message_tag_for_junos_aamw
REPORT-dvc = dvc_for_junos_aamw
REPORT-score_for_severity = score_for_severity_junos_aamw

FIELDALIAS-file_hash = sample_sha256 AS file_hash
FIELDALIAS-session_id = session_id_32 AS session_id
FIELDALIAS-src = source_address AS src
FIELDALIAS-src_ip = source_address AS src_ip
FIELDALIAS-src_host = hostname AS src_host
FIELDALIAS-src_port = source_port AS src_port
FIELDALIAS-user = username AS user
FIELDALIAS-vendor_action = action AS vendor_action

EVAL-action = case(action=="PERMIT" OR action=="ALLOW" OR message_tag=="AAMW_HOST_INFECTED_EVENT_LOG", "allowed", action=="BLOCK" OR action=="DENY", "blocked", true(), action)
EVAL-app = "junos_aamw"
EVAL-category = coalesce(file_category, reason)
EVAL-dest = case(message_tag == "AAMW_ACTION_LOG", destination_address, message_tag == "AAMW_HOST_INFECTED_EVENT_LOG", source_address)
EVAL-dest_ip = case(message_tag == "AAMW_ACTION_LOG", destination_address, message_tag == "AAMW_HOST_INFECTED_EVENT_LOG", source_address)
EVAL-dest_port = case(message_tag == "AAMW_ACTION_LOG", destination_port, message_tag == "AAMW_HOST_INFECTED_EVENT_LOG", source_port)
EVAL-dvc = coalesce(dvc, host)
EVAL-ids_type = "network"
EVAL-protocol_id = case(message_tag == "AAMW_HOST_INFECTED_EVENT_LOG", 6, true(), protocol_id)
EVAL-severity = case((verdict_number >= 2 AND verdict_number < 4) OR (score >= 1 AND score < 4), "low", (verdict_number >= 4 AND verdict_number < 6) OR (score >= 4 AND score < 7), "medium", (verdict_number >= 6 AND verdict_number < 9) OR (score >= 7 AND score < 9), "high", (verdict_number >= 9 AND verdict_number <= 10) OR (score >= 9 AND score <= 10), "critical", (verdict_number > 0 AND verdict_number < 2) OR true(), "informational")
EVAL-signature = coalesce(malware_info, reason)
EVAL-vendor_product = "Juniper Advanced Anti-malware"

LOOKUP-transport_for_junos_aamw_structured = juniper_transport_protocols_lookup transport_id AS protocol_id OUTPUT transport

###### JUNOS SECINTEL ######
[source::....junos_secintel]
sourcetype = juniper:junos:secintel:structured
EVENT_BREAKER_ENABLE = true

[juniper:junos:secintel:structured]
SHOULD_LINEMERGE = false
KV_MODE = auto

REPORT-message_tag = message_tag_for_junos_secintel
REPORT-dvc = dvc_for_junos_secintel

FIELDALIAS-dest = destination_address AS dest
FIELDALIAS-dest_ip = destination_address as dest_ip
FIELDALIAS-dest_port = destination_port as dest_port
FIELDALIAS-dest_zone = destination_zone_name as dest_zone
FIELDALIAS-signature = policy_name as signature
FIELDALIAS-session_id = session_id_32 as session_id
FIELDALIAS-src = source_address AS src
FIELDALIAS-src_ip = source_address as src_ip
FIELDALIAS-src_port = source_port as src_port
FIELDALIAS-src_zone = source_zone_name as src_zone
FIELDALIAS-user = username as user
FIELDALIAS-vendor_action = action AS vendor_action

EVAL-action = case(action=="PERMIT" OR action=="ALLOW", "allowed", action=="BLOCK" OR action=="DENY", "blocked", true(), action)
EVAL-category = if(isnotnull(sub_category), category + " " + sub_category, category)
EVAL-dvc = coalesce(dvc, host)
EVAL-ids_type = "network"
EVAL-severity = case(threat_severity >= 1 AND threat_severity < 4, "low", threat_severity >= 4 AND threat_severity < 7, "medium", threat_severity >= 7 AND threat_severity < 9, "high", threat_severity >= 9 AND threat_severity <= 10, "critical", true(), "informational")
EVAL-vendor_product = "Juniper Security Intelligence"

LOOKUP-transport_for_junos_secintel_structured = juniper_transport_protocols_lookup transport_id AS protocol_id OUTPUT transport

###### JUNOS SNMP ######
[source::....junos_snmp]
sourcetype = juniper:junos:snmp
EVENT_BREAKER_ENABLE = true

[juniper:junos:snmp]
SHOULD_LINEMERGE = false
KV_MODE = auto

REPORT-auto_kv_for_snmp_link_up_down_fields = auto_kv_for_snmp_link_up_down_fields

FIELDALIAS-dvc = host AS dvc
FIELDALIAS-object = interface_name AS object
FIELDALIAS-object_id = interface_name AS object_id
FIELDALIAS-dest = host AS dest