From c9d5876b75709dd8be12f6823123d15c14231b14 Mon Sep 17 00:00:00 2001 
From: merrimanr Date: Fri, 31 Aug 2018 16:06:15 -0500 Subject: [PATCH 1/6] initial commit --- .../CURRENT/configuration/metron-rest-env.xml | 4 +- .../CURRENT/package/files/bro_index.template | 28 +- .../package/files/metaalert_index.template | 4 +- .../package/files/snort_index.template | 26 +- .../CURRENT/package/files/yaf_index.template | 26 +- .../alerts-list/alerts-list.component.ts | 3 +- .../table-view/table-view.component.ts | 3 +- .../src/app/model/alert-source.ts | 16 +- .../elasticsearch-localstorage-impl.ts | 9 +- .../src/app/service/global-config.service.ts | 5 +- .../src/app/service/update.service.ts | 3 +- .../metron-alerts/src/app/utils/constants.ts | 1 + .../rest/service/impl/SearchServiceImpl.java | 3 +- .../src/main/resources/application.yml | 2 +- .../org/apache/metron/common/Constants.java | 2 +- .../common/field/FieldNameConverters.java | 4 +- .../common/field/FieldNameConvertersTest.java | 12 +- .../dao/ElasticsearchColumnMetadataDao.java | 63 +++-- .../dao/ElasticsearchMetaAlertDao.java | 3 +- .../ElasticsearchIndexingIntegrationTest.java | 2 +- ...ElasticsearchMetaAlertIntegrationTest.java | 2 +- .../ElasticsearchSearchIntegrationTest.java | 71 ++++- .../bolt/BulkMessageWriterBoltTest.java | 2 +- .../bolt/EnrichmentJoinBoltTest.java | 2 +- .../bolt/GenericEnrichmentBoltTest.java | 8 +- .../bolt/ThreatIntelJoinBoltTest.java | 6 +- .../EnrichmentIntegrationTest.java | 2 +- .../parallel/ParallelEnricherTest.java | 8 +- .../dao/metaalert/MetaAlertConstants.java | 2 +- .../indexing/dao/SearchIntegrationTest.java | 60 ++-- .../metaalert/MetaAlertIntegrationTest.java | 3 +- .../config/zookeeper/enrichments/test.json | 6 +- .../main/sample/data/asa/parsed/asa_parsed | 256 +++++++++--------- .../sample/data/bro/parsed/BroExampleParsed | 62 ++--- .../data/jsonMap/parsed/jsonMapExampleParsed | 4 +- .../jsonMapQuery/parsed/jsonMapExampleParsed | 4 +- .../parsed/jsonMapExampleParsed | 12 +- .../main/sample/data/snort/parsed/SnortParsed | 6 +- 
.../data/squid/parsed/SquidExampleParsed | 4 +- .../sample/data/test/parsed/TestExampleParsed | 20 +- .../data/websphere/parsed/WebsphereParsed | 10 +- .../main/sample/data/yaf/indexed/YafIndexed | 20 +- .../sample/data/yaf/parsed/YafExampleParsed | 20 +- .../metron/parsers/bolt/ParserBoltTest.java | 7 +- ...eHbaseEnrichmentWriterIntegrationTest.java | 4 +- .../WriterBoltIntegrationTest.java | 3 +- .../src/main/config/schema/bro/schema.xml | 2 +- .../main/config/schema/metaalert/schema.xml | 2 +- .../src/main/config/schema/snort/schema.xml | 2 +- .../src/main/config/schema/yaf/schema.xml | 2 +- .../SolrMetaAlertIntegrationTest.java | 2 +- .../SolrRetrieveLatestIntegrationTest.java | 5 +- .../SolrSearchIntegrationTest.java | 21 +- .../SolrUpdateIntegrationTest.java | 3 +- .../integration/components/SolrComponent.java | 6 +- .../resources/config/test/conf/managed-schema | 4 +- .../test/bolt/BaseEnrichmentBoltTest.java | 8 +- 57 files changed, 480 insertions(+), 400 deletions(-) diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-rest-env.xml b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-rest-env.xml index 767afa3211..23a0f11a9b 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-rest-env.xml +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-rest-env.xml 
@@ -160,13 +160,13 @@ source_type_field Source Type Field Name The field name where the source type can be found in the search indices. This setting primarily affects the Alerts UI. - source:type + metron_sensor_type threat_triage_score_field Threat Triage Score Field Name The field name where the threat triage score can be found in the search indices. This setting primarily affects the Alerts UI. - threat:triage:score + threat.triage.score pcap_base_path diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template index 17ad4d2f8e..8a346a41ae 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template @@ -5,7 +5,7 @@ "dynamic_templates": [ { "geo_location_point": { - "match": "enrichments:geo:*:location_point", + "path_match": "enrichments.geo.*.location_point", "match_mapping_type": "*", "mapping": { "type": "geo_point" @@ -14,7 +14,7 @@ }, { "geo_country": { - "match": "enrichments:geo:*:country", + "path_match": "enrichments.geo.*.country", "match_mapping_type": "*", "mapping": { "type": "keyword" @@ -23,7 +23,7 @@ }, { "geo_city": { - "match": "enrichments:geo:*:city", + "path_match": "enrichments.geo.*.city", "match_mapping_type": "*", "mapping": { "type": "keyword" @@ -32,7 +32,7 @@ }, { "geo_location_id": { - "match": "enrichments:geo:*:locID", + "path_match": "enrichments.geo.*.locID", "match_mapping_type": "*", "mapping": { "type": "keyword" @@ -41,7 +41,7 @@ }, { "geo_dma_code": { - "match": "enrichments:geo:*:dmaCode", + "path_match": "enrichments.geo.*.dmaCode", "match_mapping_type": "*", "mapping": { "type": "keyword" 
@@ -50,7 +50,7 @@ }, { "geo_postal_code": { - "match": "enrichments:geo:*:postalCode", + "path_match": "enrichments.geo.*.postalCode", "match_mapping_type": "*", "mapping": { "type": "keyword" @@ -59,7 +59,7 @@ }, { "geo_latitude": { - "match": "enrichments:geo:*:latitude", + "path_match": "enrichments.geo.*.latitude", "match_mapping_type": "*", "mapping": { "type": "float" @@ -68,7 +68,7 @@ }, { "geo_longitude": { - "match": "enrichments:geo:*:longitude", + "path_match": "enrichments.geo.*.longitude", "match_mapping_type": "*", "mapping": { "type": "float" @@ -77,7 +77,7 @@ }, { "timestamps": { - "match": "*:ts", + "path_match": "*.ts", "match_mapping_type": "*", "mapping": { "type": "date", @@ -90,7 +90,7 @@ "mapping": { "type": "float" }, - "match": "threat:triage:*score", + "path_match": "threat.triage.*score", "match_mapping_type": "*" } }, @@ -100,7 +100,7 @@ "type": "text", "fielddata": "true" }, - "match": "threat:triage:rules:*:reason", + "path_match": "threat.triage.rules.*.reason", "match_mapping_type": "*" } }, @@ -110,7 +110,7 @@ "type": "text", "fielddata": "true" }, - "match": "threat:triage:rules:*:name", + "path_match": "threat.triage.rules.*.name", "match_mapping_type": "*" } } @@ -130,7 +130,7 @@ /* * Metron-specific fields */ - "source:type": { + "metron_sensor_type": { "type": "keyword" }, /* @@ -513,7 +513,7 @@ "fielddata": "true", "analyzer": "simple" }, - "source": { + "source2": { "type": "keyword" }, "depth": { diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/metaalert_index.template b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/metaalert_index.template index 05d5e32048..cec0739cfa 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/metaalert_index.template 
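Review bot: The last hunk of bro_index.template renames the explicitly mapped `source` field to `source2`, which has nothing to do with the colon-to-dot migration the rest of the file performs and changes the mapping name bro's `source` values are indexed under. If `source` now conflicts with something (presumably the new `path_match` dynamic templates or an Elasticsearch reserved name), that reason belongs in a comment next to the mapping, e.g. `/* renamed from "source": <REASON-PLACEHOLDER> */` above `"source2": {`; if it does not, this looks like a leftover experiment and should go back to `"source": {`. As written, bro documents already indexed under `source` no longer match the declared mapping, so the rename also needs an upgrade note.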
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/metaalert_index.template @@ -17,7 +17,7 @@ "mapping": { "type": "float" }, - "match": "threat:triage:*score", + "path_match": "threat.triage.*score", "match_mapping_type": "*" } } @@ -39,7 +39,7 @@ "metron_alert": { "type": "nested" }, - "source:type": { + "metron_sensor_type": { "type": "keyword" } } diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/snort_index.template b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/snort_index.template index f7c6e590de..0a9a343bc9 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/snort_index.template +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/snort_index.template @@ -5,7 +5,7 @@ "dynamic_templates": [ { "geo_location_point": { - "match": "enrichments:geo:*:location_point", + "path_match": "enrichments.geo.*.location_point", "match_mapping_type": "*", "mapping": { "type": "geo_point" @@ -14,7 +14,7 @@ }, { "geo_country": { - "match": "enrichments:geo:*:country", + "path_match": "enrichments.geo.*.country", "match_mapping_type": "*", "mapping": { "type": "keyword" @@ -23,7 +23,7 @@ }, { "geo_city": { - "match": "enrichments:geo:*:city", + "path_match": "enrichments.geo.*.city", "match_mapping_type": "*", "mapping": { "type": "keyword" @@ -32,7 +32,7 @@ }, { "geo_location_id": { - "match": "enrichments:geo:*:locID", + "path_match": "enrichments.geo.*.locID", "match_mapping_type": "*", "mapping": { "type": "keyword" @@ -41,7 +41,7 @@ }, { "geo_dma_code": { - "match": "enrichments:geo:*:dmaCode", + "path_match": "enrichments.geo.*.dmaCode", "match_mapping_type": "*", "mapping": { "type": "keyword" 
@@ -50,7 +50,7 @@ }, { "geo_postal_code": { - "match": "enrichments:geo:*:postalCode", + "path_match": "enrichments.geo.*.postalCode", "match_mapping_type": "*", "mapping": { "type": "keyword" @@ -59,7 +59,7 @@ }, { "geo_latitude": { - "match": "enrichments:geo:*:latitude", + "path_match": "enrichments.geo.*.latitude", "match_mapping_type": "*", "mapping": { "type": "float" @@ -68,7 +68,7 @@ }, { "geo_longitude": { - "match": "enrichments:geo:*:longitude", + "path_match": "enrichments.geo.*.longitude", "match_mapping_type": "*", "mapping": { "type": "float" @@ -77,7 +77,7 @@ }, { "timestamps": { - "match": "*:ts", + "path_match": "*.ts", "match_mapping_type": "*", "mapping": { "type": "date", @@ -90,7 +90,7 @@ "mapping": { "type": "float" }, - "match": "threat:triage:*score", + "path_match": "threat.triage.*score", "match_mapping_type": "*" } }, @@ -100,7 +100,7 @@ "type": "text", "fielddata": "true" }, - "match": "threat.triage.rules:*:reason", + "path_match": "threat.triage.rules.*.reason", "match_mapping_type": "*" } }, @@ -110,7 +110,7 @@ "type": "text", "fielddata": "true" }, - "match": "threat.triage.rules:*:name", + "path_match": "threat.triage.rules.*.name", "match_mapping_type": "*" } } @@ -120,7 +120,7 @@ "type": "date", "format": "epoch_millis" }, - "source:type": { + "metron_sensor_type": { "type": "keyword" }, "ip_dst_addr": { diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/yaf_index.template b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/yaf_index.template index f4093bad87..0efbd69c2a 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/yaf_index.template +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/yaf_index.template 
@@ -5,7 +5,7 @@ "dynamic_templates": [ { "geo_location_point": { - "match": "enrichments:geo:*:location_point", + "path_match": "enrichments.geo.*.location_point", "match_mapping_type": "*", "mapping": { "type": "geo_point" @@ -14,7 +14,7 @@ }, { "geo_country": { - "match": "enrichments:geo:*:country", + "path_match": "enrichments.geo.*.country", "match_mapping_type": "*", "mapping": { "type": "keyword" @@ -23,7 +23,7 @@ }, { "geo_city": { - "match": "enrichments:geo:*:city", + "path_match": "enrichments.geo.*.city", "match_mapping_type": "*", "mapping": { "type": "keyword" @@ -32,7 +32,7 @@ }, { "geo_location_id": { - "match": "enrichments:geo:*:locID", + "path_match": "enrichments.geo.*.locID", "match_mapping_type": "*", "mapping": { "type": "keyword" @@ -41,7 +41,7 @@ }, { "geo_dma_code": { - "match": "enrichments:geo:*:dmaCode", + "path_match": "enrichments.geo.*.dmaCode", "match_mapping_type": "*", "mapping": { "type": "keyword" @@ -50,7 +50,7 @@ }, { "geo_postal_code": { - "match": "enrichments:geo:*:postalCode", + "path_match": "enrichments.geo.*.postalCode", "match_mapping_type": "*", "mapping": { "type": "keyword" @@ -59,7 +59,7 @@ }, { "geo_latitude": { - "match": "enrichments:geo:*:latitude", + "path_match": "enrichments.geo.*.latitude", "match_mapping_type": "*", "mapping": { "type": "float" @@ -68,7 +68,7 @@ }, { "geo_longitude": { - "match": "enrichments:geo:*:longitude", + "path_match": "enrichments.geo.*.longitude", "match_mapping_type": "*", "mapping": { "type": "float" @@ -77,7 +77,7 @@ }, { "timestamps": { - "match": "*:ts", + "path_match": "*.ts", "match_mapping_type": "*", "mapping": { "type": "date", @@ -90,7 +90,7 @@ "mapping": { "type": "float" }, - "match": "threat:triage:*score", + "path_match": "threat.triage.*score", "match_mapping_type": "*" } }, @@ -100,7 +100,7 @@ "type": "text", "fielddata": "true" }, - "match": "threat:triage:rules:*:reason", + "path_match": "threat.triage.rules.*.reason", "match_mapping_type": "*" } }, 
@@ -110,7 +110,7 @@ "type": "text", "fielddata": "true" }, - "match": "threat:triage:rules:*:name", + "path_match": "threat.triage.rules.*.name", "match_mapping_type": "*" } } @@ -120,7 +120,7 @@ "type": "date", "format": "epoch_millis" }, - "source:type": { + "metron_sensor_type": { "type": "keyword" }, "ip_dst_addr": { diff --git a/metron-interface/metron-alerts/src/app/alerts/alerts-list/alerts-list.component.ts b/metron-interface/metron-alerts/src/app/alerts/alerts-list/alerts-list.component.ts index 15a87a4235..c5a3c04d05 100644 --- a/metron-interface/metron-alerts/src/app/alerts/alerts-list/alerts-list.component.ts +++ b/metron-interface/metron-alerts/src/app/alerts/alerts-list/alerts-list.component.ts @@ -43,6 +43,7 @@ import {META_ALERTS_SENSOR_TYPE} from '../../utils/constants'; import {MetaAlertService} from '../../service/meta-alert.service'; import {Facets} from '../../model/facets'; import { GlobalConfigService } from '../../service/global-config.service'; +import {SENSOR_TYPE_FIELD} from '../../utils/constants'; @Component({ selector: 'app-alerts-list', @@ -182,7 +183,7 @@ export class AlertsListComponent implements OnInit, OnDestroy { this.configSubscription = this.globalConfigService.get().subscribe((config: {}) => { this.globalConfig = config; if (this.globalConfig['source.type.field']) { - let filteredAlertsColumns = this.alertsColumns.filter(colName => colName.name !== 'source:type'); + let filteredAlertsColumns = this.alertsColumns.filter(colName => colName.name !== SENSOR_TYPE_FIELD); if (filteredAlertsColumns.length < this.alertsColumns.length) { this.alertsColumns = filteredAlertsColumns; this.alertsColumns.splice(2, 0, new ColumnMetadata(this.globalConfig['source.type.field'], 'string')); diff --git a/metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.ts b/metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.ts index 91cae3e92a..f60780cf1c 100644 
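Review bot: alerts-list.component.ts now imports from `'../../utils/constants'` twice, the existing `import {META_ALERTS_SENSOR_TYPE} from '../../utils/constants';` and the added `import {SENSOR_TYPE_FIELD} from '../../utils/constants';`, where a single merged `import {META_ALERTS_SENSOR_TYPE, SENSOR_TYPE_FIELD} from '../../utils/constants';` is what the file's lint configuration most likely expects. The same import added in table-view.component.ts, global-config.service.ts and update.service.ts uses a double-quoted module path while every neighbouring import uses single quotes; elasticsearch-localstorage-impl.ts in this commit shows the intended form. The usage hunks themselves are fine.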
--- a/metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.ts +++ b/metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.ts @@ -34,6 +34,7 @@ import {MetaAlertService} from '../../../service/meta-alert.service'; import {MetaAlertAddRemoveRequest} from '../../../model/meta-alert-add-remove-request'; import {GetRequest} from '../../../model/get-request'; import { GlobalConfigService } from '../../../service/global-config.service'; +import {SENSOR_TYPE_FIELD} from "../../../utils/constants"; export enum MetronAlertDisplayState { COLLAPSE, EXPAND @@ -87,7 +88,7 @@ export class TableViewComponent implements OnInit, OnChanges, OnDestroy { this.configSubscription = this.globalConfigService.get().subscribe((config: {}) => { this.globalConfig = config; if (this.globalConfig['source.type.field']) { - let filteredAlertsColumnsToDisplay = this.alertsColumnsToDisplay.filter(colName => colName.name !== 'source:type'); + let filteredAlertsColumnsToDisplay = this.alertsColumnsToDisplay.filter(colName => colName.name !== SENSOR_TYPE_FIELD); if (filteredAlertsColumnsToDisplay.length < this.alertsColumnsToDisplay.length) { this.alertsColumnsToDisplay = filteredAlertsColumnsToDisplay; this.alertsColumnsToDisplay.splice(2, 0, new ColumnMetadata(this.globalConfig['source.type.field'], 'string')); diff --git a/metron-interface/metron-alerts/src/app/model/alert-source.ts b/metron-interface/metron-alerts/src/app/model/alert-source.ts index 33309603cd..3543ce78d5 100644 --- a/metron-interface/metron-alerts/src/app/model/alert-source.ts +++ b/metron-interface/metron-alerts/src/app/model/alert-source.ts @@ -27,7 +27,7 @@ export class AlertSource { tcpwindow: number; tcpack: number; protocol: string; - 'source:type': string; + metron_sensor_type: string; ip_dst_addr: number; original_string: string; tos: number; 
@@ -46,11 +46,11 @@ export class AlertSource { sig_generator: number; metron_alert: AlertSource[] = []; comments: AlertComment[] = []; - 'threat:triage:score': number; - 'threatinteljoinbolt:joiner:ts': number; - 'enrichmentsplitterbolt:splitter:begin:ts': number; - 'enrichmentjoinbolt:joiner:ts': number; - 'threatintelsplitterbolt:splitter:end:ts': number; - 'enrichmentsplitterbolt:splitter:end:ts': number; - 'threatintelsplitterbolt:splitter:begin:ts': number; + 'threat.triage.score': number; + 'threatinteljoinbolt.joiner.ts': number; + 'enrichmentsplitterbolt.splitter.begin.ts': number; + 'enrichmentjoinbolt.joiner.ts': number; + 'threatintelsplitterbolt.splitter.end.ts': number; + 'enrichmentsplitterbolt.splitter.end.ts': number; + 'threatintelsplitterbolt.splitter.begin.ts': number; } diff --git a/metron-interface/metron-alerts/src/app/service/elasticsearch-localstorage-impl.ts b/metron-interface/metron-alerts/src/app/service/elasticsearch-localstorage-impl.ts index fd4843acef..dc1bb273f2 100644 --- a/metron-interface/metron-alerts/src/app/service/elasticsearch-localstorage-impl.ts +++ b/metron-interface/metron-alerts/src/app/service/elasticsearch-localstorage-impl.ts @@ -24,7 +24,7 @@ import {ColumnMetadata} from '../model/column-metadata'; import {ElasticsearchUtils} from '../utils/elasticsearch-utils'; import { ALERTS_COLUMN_NAMES, ALERTS_TABLE_METADATA, ALERTS_RECENT_SEARCH, - ALERTS_SAVED_SEARCH, NUM_SAVED_SEARCH + ALERTS_SAVED_SEARCH, NUM_SAVED_SEARCH, SENSOR_TYPE_FIELD } from '../utils/constants'; import {ColumnNames} from '../model/column-names'; import {ColumnNamesService} from './column-names.service'; 
@@ -37,15 +37,12 @@ import {AlertSource} from '../model/alert-source'; @Injectable() export class ElasticSearchLocalstorageImpl extends DataSource { - globalConfig: {} = {}; - sourceType: 'source:type'; - private defaultColumnMetadata = [ new ColumnMetadata('id', 'string'), new ColumnMetadata('timestamp', 'date'), - new ColumnMetadata('source:type', 'string'), + new ColumnMetadata(SENSOR_TYPE_FIELD, 'string'), new ColumnMetadata('ip_src_addr', 'ip'), - new ColumnMetadata('enrichments:geo:ip_dst_addr:country', 'string'), + new ColumnMetadata('enrichments.geo.ip_dst_addr.country', 'string'), new ColumnMetadata('ip_dst_addr', 'ip'), new ColumnMetadata('host', 'string'), new ColumnMetadata('alert_status', 'string') diff --git a/metron-interface/metron-alerts/src/app/service/global-config.service.ts b/metron-interface/metron-alerts/src/app/service/global-config.service.ts index c80d65a40f..fe6a397f4e 100644 --- a/metron-interface/metron-alerts/src/app/service/global-config.service.ts +++ b/metron-interface/metron-alerts/src/app/service/global-config.service.ts @@ -19,6 +19,7 @@ import {Injectable, Inject} from '@angular/core'; import {Http, Headers, RequestOptions, Response, ResponseOptions} from '@angular/http'; import {Observable} from 'rxjs/Observable'; import {HttpUtil} from '../utils/httpUtil'; +import {SENSOR_TYPE_FIELD} from "../utils/constants"; @Injectable() export class GlobalConfigService { 
@@ -43,8 +44,8 @@ export class GlobalConfigService { let missingSourceTypeField = !globalConfig['source.type.field']; let missingThreatScoreField = !globalConfig['threat.triage.score.field']; if(missingSourceTypeField || missingThreatScoreField) { - let sourceTypeField = missingSourceTypeField?'source:type':globalConfig['source.type.field']; - let threatScoreField = missingThreatScoreField?'threat:triage:score':globalConfig['threat.triage.score.field']; + let sourceTypeField = missingSourceTypeField?SENSOR_TYPE_FIELD:globalConfig['source.type.field']; + let threatScoreField = missingThreatScoreField?'threat.triage.score':globalConfig['threat.triage.score.field']; return Object.assign({}, globalConfig, {'source.type.field': sourceTypeField , 'threat.triage.score.field' : threatScoreField diff --git a/metron-interface/metron-alerts/src/app/service/update.service.ts b/metron-interface/metron-alerts/src/app/service/update.service.ts index 3a18fc2e09..caf42c8ab5 100644 --- a/metron-interface/metron-alerts/src/app/service/update.service.ts +++ b/metron-interface/metron-alerts/src/app/service/update.service.ts @@ -31,6 +31,7 @@ import {Utils} from '../utils/utils'; import {Patch} from '../model/patch'; import { GlobalConfigService } from './global-config.service'; import {CommentAddRemoveRequest} from "../model/comment-add-remove-request"; +import {SENSOR_TYPE_FIELD} from "../utils/constants"; @Injectable() export class UpdateService { @@ -39,7 +40,7 @@ export class UpdateService { alertChangedSource = new Subject(); alertChanged$ = this.alertChangedSource.asObservable(); - sourceType = 'source:type'; + sourceType = SENSOR_TYPE_FIELD; alertCommentChangedSource = new Subject(); alertCommentChanged$ = this.alertCommentChangedSource.asObservable(); diff --git a/metron-interface/metron-alerts/src/app/utils/constants.ts b/metron-interface/metron-alerts/src/app/utils/constants.ts index 703e0f7dd8..9dfe942d9c 100644 --- a/metron-interface/metron-alerts/src/app/utils/constants.ts 
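Review bot: In global-config.service.ts the source-type fallback now comes from `SENSOR_TYPE_FIELD`, but the threat-score fallback on the very next line is still the bare literal `'threat.triage.score'`, a value the Ambari metron-rest-env.xml and alert-source.ts hunks in this commit also spell out by hand. Declaring `export const THREAT_SCORE_FIELD = 'threat.triage.score';` beside `SENSOR_TYPE_FIELD` in constants.ts and writing `let threatScoreField = missingThreatScoreField?THREAT_SCORE_FIELD:globalConfig['threat.triage.score.field'];` keeps both defaults maintained in one place, which is the point of introducing the constant at all.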
+++ b/metron-interface/metron-alerts/src/app/utils/constants.ts @@ -18,6 +18,7 @@ import { environment } from '../../environments/environment'; +export const SENSOR_TYPE_FIELD = 'metron_sensor_type'; export const META_ALERTS_SENSOR_TYPE = 'metaalert'; export const NUM_SAVED_SEARCH = 10; diff --git a/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/service/impl/SearchServiceImpl.java b/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/service/impl/SearchServiceImpl.java index 54759e4547..c2192d9ab0 100644 --- a/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/service/impl/SearchServiceImpl.java +++ b/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/service/impl/SearchServiceImpl.java @@ -144,7 +144,8 @@ private List getDefaultIndices() throws RestException { @SuppressWarnings("unchecked") public List getDefaultFacetFields() throws RestException { - Optional alertUserSettings = alertsUIService.getAlertsUIUserSettings(); + //Optional alertUserSettings = alertsUIService.getAlertsUIUserSettings(); + Optional alertUserSettings = Optional.empty(); if (!alertUserSettings.isPresent() || alertUserSettings.get().getFacetFields() == null) { String facetFieldsProperty = environment .getProperty(SEARCH_FACET_FIELDS_SPRING_PROPERTY, String.class, ""); diff --git a/metron-interface/metron-rest/src/main/resources/application.yml b/metron-interface/metron-rest/src/main/resources/application.yml index 866109e34c..a657743f40 100644 --- a/metron-interface/metron-rest/src/main/resources/application.yml +++ b/metron-interface/metron-rest/src/main/resources/application.yml @@ -51,7 +51,7 @@ search: results: 1000 groups: 1000 facet: - fields: ip_src_addr,ip_dst_addr,enrichments:geo:ip_dst_addr:country + fields: ip_src_addr,ip_dst_addr,enrichments.geo.ip_dst_addr.country index: dao: 
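Review bot: `getDefaultFacetFields` now ignores the per-user facet settings: the `alertsUIService.getAlertsUIUserSettings()` call survives only as a commented-out line and is replaced by `Optional alertUserSettings = Optional.empty();`, so the `isPresent()` branch below can never be taken and every request falls through to the `search.facet.fields` property. If this is a temporary bypass while the field names are migrated, it needs a `// TODO` stating why and what restores it rather than dead code; if the user-settings lookup is meant to go, the commented line and the now-unreachable branch should be removed together. As written the REST API silently drops a user's saved facet columns. The rest of the method body lies outside the hunk.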
diff --git a/metron-platform/metron-common/src/main/java/org/apache/metron/common/Constants.java b/metron-platform/metron-common/src/main/java/org/apache/metron/common/Constants.java index 50545087be..ada84acd96 100644 --- a/metron-platform/metron-common/src/main/java/org/apache/metron/common/Constants.java +++ b/metron-platform/metron-common/src/main/java/org/apache/metron/common/Constants.java @@ -25,7 +25,7 @@ public class Constants { public static final String ZOOKEEPER_ROOT = "/metron"; public static final String ZOOKEEPER_TOPOLOGY_ROOT = ZOOKEEPER_ROOT + "/topology"; public static final long DEFAULT_CONFIGURED_BOLT_TIMEOUT = 5000; - public static final String SENSOR_TYPE = "source.type"; + public static final String SENSOR_TYPE = "metron_sensor_type"; public static final String SENSOR_TYPE_FIELD_PROPERTY = "source.type.field"; public static final String THREAT_SCORE_FIELD_PROPERTY = "threat.triage.score.field"; public static final String ENRICHMENT_TOPIC = "enrichments"; diff --git a/metron-platform/metron-common/src/main/java/org/apache/metron/common/field/FieldNameConverters.java b/metron-platform/metron-common/src/main/java/org/apache/metron/common/field/FieldNameConverters.java index d5858ed272..e14d0a7b9d 100644 --- a/metron-platform/metron-common/src/main/java/org/apache/metron/common/field/FieldNameConverters.java +++ b/metron-platform/metron-common/src/main/java/org/apache/metron/common/field/FieldNameConverters.java @@ -104,8 +104,8 @@ public static FieldNameConverter create(String sensorType, WriterConfiguration c } if(result == null) { - // if no converter defined or an invalid converter is defined, default to 'DEDOT' - result = FieldNameConverters.DEDOT; + // if no converter defined or an invalid converter is defined, default to 'NOOP' + result = FieldNameConverters.NOOP; } LOG.debug("Created field name converter; sensorType={}, configured={}, class={}", 
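Review bot: Flipping the fallback in `FieldNameConverters.create` from `DEDOT` to `NOOP` changes what every sensor without an explicit converter setting writes to Elasticsearch: dotted field names are now kept, and with the `path_match` templates in this commit they are presumably interpreted as object paths rather than flat keys. That is a behaviour change for existing indices whose mappings and saved Alerts UI searches use the flat form, and nothing in the method's contract signals it; the Javadoc for `create`, which starts above this hunk, and the upgrade notes should state that the default is now NOOP and that `DEDOT` must be configured explicitly to keep the old layout. The Constants.java hunk on this line is just the renamed `SENSOR_TYPE` value and needs no further change beyond that note.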
diff --git a/metron-platform/metron-common/src/test/java/org/apache/metron/common/field/FieldNameConvertersTest.java b/metron-platform/metron-common/src/test/java/org/apache/metron/common/field/FieldNameConvertersTest.java index 2c263f2f92..118a33c339 100644 --- a/metron-platform/metron-common/src/test/java/org/apache/metron/common/field/FieldNameConvertersTest.java +++ b/metron-platform/metron-common/src/test/java/org/apache/metron/common/field/FieldNameConvertersTest.java @@ -125,7 +125,7 @@ public void testCreateDefault() throws Exception { // if none defined, should default to 'DEDOT' FieldNameConverter converter = FieldNameConverters.create(sensor, config); - assertEquals(FieldNameConverters.DEDOT, converter); + assertEquals(FieldNameConverters.NOOP, converter); } /** @@ -140,11 +140,11 @@ public void testConfigChange() throws Exception { // no converter defined in config, should use 'DEDOT' converter WriterConfiguration config = createConfig(writer, sensor, jsonWithNoConverter); - assertEquals(FieldNameConverters.DEDOT, FieldNameConverters.create(sensor, config)); + assertEquals(FieldNameConverters.NOOP, FieldNameConverters.create(sensor, config)); // an 'updated' config uses the 'NOOP' converter - WriterConfiguration newConfig = createConfig(writer, sensor, jsonWithNoop); - assertEquals(FieldNameConverters.NOOP, FieldNameConverters.create(sensor, newConfig)); + WriterConfiguration newConfig = createConfig(writer, sensor, jsonWithDedot); + assertEquals(FieldNameConverters.DEDOT, FieldNameConverters.create(sensor, newConfig)); } /** @@ -175,7 +175,7 @@ public void testCreateInvalid() throws Exception { // if invalid value defined, it should fall-back to using default 'DEDOT' FieldNameConverter converter = FieldNameConverters.create(sensor, config); - assertEquals(FieldNameConverters.DEDOT, converter); + assertEquals(FieldNameConverters.NOOP, converter); } /** 
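Review bot: The comments in FieldNameConvertersTest no longer match the assertions this commit changes: `// if none defined, should default to 'DEDOT'` in testCreateDefault, `// no converter defined in config, should use 'DEDOT' converter` and `// an 'updated' config uses the 'NOOP' converter` in testConfigChange, and `// if invalid value defined, it should fall-back to using default 'DEDOT'` in testCreateInvalid and again in testCreateBlank at the next hunk all still describe the old default while the assertions now expect `NOOP` (and `DEDOT` for the updated config). Each comment should be updated together with its assertion, e.g. `// if none defined, should default to 'NOOP'`. testConfigChange also now references `jsonWithDedot`, which is not visible in the hunk; confirm that fixture exists next to `jsonWithNoop`.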
@@ -206,6 +206,6 @@ public void testCreateBlank() throws Exception { // if invalid value defined, it should fall-back to using default 'DEDOT' FieldNameConverter converter = FieldNameConverters.create(sensor, config); - assertEquals(FieldNameConverters.DEDOT, converter); + assertEquals(FieldNameConverters.NOOP, converter); } } diff --git a/metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchColumnMetadataDao.java b/metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchColumnMetadataDao.java index 6a8cad8cc1..e0f0b5a112 100644 --- a/metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchColumnMetadataDao.java +++ b/metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchColumnMetadataDao.java 
@@ -99,32 +99,35 @@ public Map getColumnMetadata(List indices) throws IOE MappingMetaData mappingMetaData = mapping.get(mappingIterator.next()); Map sourceAsMap = mappingMetaData.getSourceAsMap(); if (sourceAsMap.containsKey("properties")) { - Map> map = (Map>) sourceAsMap.get("properties"); + Map> map = (Map>) sourceAsMap.get("properties"); // for each field in the mapping - for (String field : map.keySet()) { - if (!fieldBlackList.contains(field)) { - FieldType type = toFieldType(map.get(field).get("type")); - - if(!indexColumnMetadata.containsKey(field)) { - indexColumnMetadata.put(field, type); - - // record the last index in which a field exists, to be able to print helpful error message on type mismatch - previousIndices.put(field, indexName); - - } else { - FieldType previousType = indexColumnMetadata.get(field); - if (!type.equals(previousType)) { - String previousIndexName = previousIndices.get(field); - LOG.error(String.format( - "Field type mismatch: %s.%s has type %s while %s.%s has type %s. 
Defaulting type to %s.", - indexName, field, type.getFieldType(), - previousIndexName, field, previousType.getFieldType(), - FieldType.OTHER.getFieldType())); - indexColumnMetadata.put(field, FieldType.OTHER); - - // the field is defined in multiple indices with different types; ignore the field as type has been set to OTHER - fieldBlackList.add(field); + for (Map.Entry> entry : map.entrySet()) { + Map fields = new HashMap<>(); + getFields(entry, entry.getKey(), fields); + for (String field: fields.keySet()) { + if (!fieldBlackList.contains(field)) { + FieldType type = fields.get(field); + if (!indexColumnMetadata.containsKey(field)) { + indexColumnMetadata.put(field, type); + + // record the last index in which a field exists, to be able to print helpful error message on type mismatch + previousIndices.put(field, indexName); + + } else { + FieldType previousType = indexColumnMetadata.get(field); + if (!type.equals(previousType)) { + String previousIndexName = previousIndices.get(field); + LOG.error(String.format( + "Field type mismatch: %s.%s has type %s while %s.%s has type %s. Defaulting type to %s.", + indexName, field, type.getFieldType(), + previousIndexName, field, previousType.getFieldType(), + FieldType.OTHER.getFieldType())); + indexColumnMetadata.put(field, FieldType.OTHER); + + // the field is defined in multiple indices with different types; ignore the field as type has been set to OTHER + fieldBlackList.add(field); + } } } } 
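Review bot: The rewritten loop in `getColumnMetadata` walks `fields.keySet()` and then calls `fields.get(field)` for every key; iterating `fields.entrySet()` (`for (Map.Entry<String, FieldType> e : fields.entrySet())` with `e.getKey()` and `e.getValue()`) avoids the second lookup and matches the `map.entrySet()` loop introduced just above it. The inner body is otherwise the old code moved one level deeper, so the mismatch and blacklist handling are unchanged. A mapping entry that carries both a `type` (for example `nested`) and `properties` is now reported only through its dotted children, never as a column of its own, because `getFields` tests `properties` first; presumably intended, but a one-line comment on the loop saying so would save the next reader the question. The method starts before this hunk.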
@@ -192,6 +195,18 @@ String[] getLatestIndices(List includeIndices) { return latestIndices.values().toArray(new String[latestIndices.size()]); } + private void getFields(Map.Entry> entry, String fieldName, Map fields) { + if (entry.getValue().containsKey("properties")) { + Map> map = (Map>) entry.getValue().get("properties"); + for(Map.Entry> propertyEntry: map.entrySet()) { + getFields(propertyEntry, String.format("%s.%s", fieldName, propertyEntry.getKey()), fields); + } + } else { + FieldType type = toFieldType((String) entry.getValue().get("type")); + fields.put(fieldName, type); + } + } + /** * Converts a string type to the corresponding FieldType. * @param type The type to convert. diff --git a/metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchMetaAlertDao.java b/metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchMetaAlertDao.java index 55123a5981..73ece97277 100644 --- a/metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchMetaAlertDao.java +++ b/metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchMetaAlertDao.java @@ -51,8 +51,7 @@ public class ElasticsearchMetaAlertDao implements MetaAlertDao { - public static final String THREAT_TRIAGE_FIELD = MetaAlertConstants.THREAT_FIELD_DEFAULT - .replace('.', ':'); + public static final String THREAT_TRIAGE_FIELD = MetaAlertConstants.THREAT_FIELD_DEFAULT; public static final String METAALERTS_INDEX = "metaalert_index"; public static final String SOURCE_TYPE_FIELD = Constants.SENSOR_TYPE.replace('.', ':'); protected String metaAlertsIndex = METAALERTS_INDEX; 
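Review bot: `getFields` never records a property that declares both `type` and `properties`: the `containsKey("properties")` branch only recurses into the children, so an object-style parent with sub-properties is absent from the column metadata while a parent without sub-properties (like the `nested` `alert` field the tests in this patch still expect as OTHER) is present. If that asymmetry is intended it deserves a Javadoc on the helper; otherwise record the parent before descending, e.g. `if (entry.getValue().containsKey("type")) fields.put(fieldName, toFieldType((String) entry.getValue().get("type")));` ahead of the recursion. In the `else` branch a property with neither key hands `null` to `toFieldType`; what that method does with null is outside this hunk, so either guard the lookup or state the contract in the Javadoc. The helper only reads `entry.getValue()`, so passing the property map plus the path name instead of a `Map.Entry` would simplify both call sites.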
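Review bot: `THREAT_TRIAGE_FIELD` now takes `MetaAlertConstants.THREAT_FIELD_DEFAULT` verbatim, but the next context line still computes `SOURCE_TYPE_FIELD = Constants.SENSOR_TYPE.replace('.', ':')`; with the sensor-type field renamed to `metron_sensor_type` elsewhere in this patch that replace is a no-op today and would silently reintroduce colon-separated names if the constant ever contains a dot again. Make the two declarations consistent, `public static final String SOURCE_TYPE_FIELD = Constants.SENSOR_TYPE;`, or add a comment on `SOURCE_TYPE_FIELD` explaining why one field keeps the dot-to-colon conversion and the other no longer does. Whether any other component still expects the colon form is not visible from this hunk.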
diff --git a/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchIndexingIntegrationTest.java b/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchIndexingIntegrationTest.java index df5e96a8f8..1091da1c0d 100644 --- a/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchIndexingIntegrationTest.java +++ b/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchIndexingIntegrationTest.java @@ -44,7 +44,7 @@ public class ElasticsearchIndexingIntegrationTest extends IndexingIntegrationTes private String indexDir = "target/elasticsearch"; private String dateFormat = "yyyy.MM.dd.HH"; private String index = "yaf_index_" + new SimpleDateFormat(dateFormat).format(new Date()); - private FieldNameConverter fieldNameConverter = FieldNameConverters.DEDOT; + private FieldNameConverter fieldNameConverter = FieldNameConverters.NOOP; /** * { * "yaf_doc": { diff --git a/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchMetaAlertIntegrationTest.java b/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchMetaAlertIntegrationTest.java index c05efc1195..3faa34a648 100644 --- a/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchMetaAlertIntegrationTest.java +++ b/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchMetaAlertIntegrationTest.java @@ -114,7 +114,7 @@ public ElasticsearchMetaAlertIntegrationTest(Function, List "ip_src_addr" : { "type" : "keyword" }, "score" : { "type" : "integer" }, "metron_alert" : { "type" : "nested" }, - "source:type" : { "type" : "keyword"} + "metron_sensor_type" : { "type" : "keyword"} } } } 
diff --git a/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchSearchIntegrationTest.java b/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchSearchIntegrationTest.java index 8071e68fc9..65d043ae6f 100644 --- a/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchSearchIntegrationTest.java +++ b/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchSearchIntegrationTest.java @@ -51,6 +51,8 @@ import org.junit.BeforeClass; import org.junit.Test; +import static org.apache.metron.common.Constants.SENSOR_TYPE; + public class ElasticsearchSearchIntegrationTest extends SearchIntegrationTest { private static String indexDir = "target/elasticsearch_search"; @@ -63,7 +65,7 @@ public class ElasticsearchSearchIntegrationTest extends SearchIntegrationTest { * { * "bro_doc": { * "properties": { - * "source:type": { + * "metron_sensor_type": { * "type": "text", * "fielddata" : "true" * }, @@ -117,7 +119,7 @@ public class ElasticsearchSearchIntegrationTest extends SearchIntegrationTest { * { * "snort_doc": { * "properties": { - * "source:type": { + * "metron_sensor_type": { * "type": "text", * "fielddata" : "true" * }, @@ -158,7 +160,7 @@ public class ElasticsearchSearchIntegrationTest extends SearchIntegrationTest { * "alert": { * "type": "nested" * }, - * "threat:triage:score": { + * "threat.triage.score": { * "type": "float" * } * } 
@@ -185,6 +187,44 @@ public class ElasticsearchSearchIntegrationTest extends SearchIntegrationTest { @Multiline private static String broDefaultStringMappings; + /** + * { + * "snort_doc_dynamic": { + * "dynamic_templates": [{ + * "threat_triage_score": { + * "mapping": { + * "type": "float" + * }, + * "path_match": "threat.triage.*score", + * "match_mapping_type": "*" + * } + * }, + * { + * "threat_triage_reason": { + * "mapping": { + * "type": "text", + * "fielddata": "true" + * }, + * "path_match": "threat.triage.rules.*.reason", + * "match_mapping_type": "*" + * } + * }, + * { + * "threat_triage_name": { + * "mapping": { + * "type": "text", + * "fielddata": "true" + * }, + * "path_match": "threat.triage.rules.*.name", + * "match_mapping_type": "*" + * } + * }] + * } + * } + */ + @Multiline + private static String snortDynamicMappings; + @BeforeClass public static void setup() throws Exception { indexComponent = startIndex(); @@ -226,7 +266,8 @@ protected static void loadTestData() throws ParseException { .addMapping("bro_doc", broTypeMappings) .addMapping("bro_doc_default", broDefaultStringMappings).get(); es.getClient().admin().indices().prepareCreate("snort_index_2017.01.01.02") - .addMapping("snort_doc", snortTypeMappings).get(); + .addMapping("snort_doc", snortTypeMappings) + .addMapping("snort_doc_dynamic", snortDynamicMappings).get(); BulkRequestBuilder bulkRequest = es.getClient().prepareBulk() .setRefreshPolicy(WriteRequest.RefreshPolicy.WAIT_UNTIL); 
@@ -277,7 +318,7 @@ public void returns_column_metadata_for_specified_indices() throws Exception { Assert.assertEquals(FieldType.TEXT, fieldTypes.get("bro_field")); Assert.assertEquals(FieldType.TEXT, fieldTypes.get("ttl")); Assert.assertEquals(FieldType.KEYWORD, fieldTypes.get("guid")); - Assert.assertEquals(FieldType.TEXT, fieldTypes.get("source:type")); + Assert.assertEquals(FieldType.TEXT, fieldTypes.get(SENSOR_TYPE)); Assert.assertEquals(FieldType.IP, fieldTypes.get("ip_src_addr")); Assert.assertEquals(FieldType.INTEGER, fieldTypes.get("ip_src_port")); Assert.assertEquals(FieldType.LONG, fieldTypes.get("long_field")); @@ -293,11 +334,10 @@ public void returns_column_metadata_for_specified_indices() throws Exception { // getColumnMetadata with only snort { Map fieldTypes = dao.getColumnMetadata(Collections.singletonList("snort")); - Assert.assertEquals(14, fieldTypes.size()); + Assert.assertEquals(16, fieldTypes.size()); Assert.assertEquals(FieldType.INTEGER, fieldTypes.get("snort_field")); - Assert.assertEquals(FieldType.INTEGER, fieldTypes.get("ttl")); Assert.assertEquals(FieldType.KEYWORD, fieldTypes.get("guid")); - Assert.assertEquals(FieldType.TEXT, fieldTypes.get("source:type")); + Assert.assertEquals(FieldType.TEXT, fieldTypes.get(SENSOR_TYPE)); Assert.assertEquals(FieldType.IP, fieldTypes.get("ip_src_addr")); Assert.assertEquals(FieldType.INTEGER, fieldTypes.get("ip_src_port")); Assert.assertEquals(FieldType.LONG, fieldTypes.get("long_field")); 
@@ -308,15 +348,18 @@ public void returns_column_metadata_for_specified_indices() throws Exception { Assert.assertEquals(FieldType.OTHER, fieldTypes.get("location_point")); Assert.assertEquals(FieldType.INTEGER, fieldTypes.get("ttl")); Assert.assertEquals(FieldType.OTHER, fieldTypes.get("alert")); + Assert.assertEquals(FieldType.FLOAT, fieldTypes.get("threat.triage.score")); + Assert.assertEquals(FieldType.TEXT, fieldTypes.get("threat.triage.rules.snort_field.name")); + Assert.assertEquals(FieldType.TEXT, fieldTypes.get("threat.triage.rules.snort_field.reason")); } } @Override public void returns_column_data_for_multiple_indices() throws Exception { Map fieldTypes = dao.getColumnMetadata(Arrays.asList("bro", "snort")); - Assert.assertEquals(15, fieldTypes.size()); + Assert.assertEquals(17, fieldTypes.size()); Assert.assertEquals(FieldType.KEYWORD, fieldTypes.get("guid")); - Assert.assertEquals(FieldType.TEXT, fieldTypes.get("source:type")); + Assert.assertEquals(FieldType.TEXT, fieldTypes.get(SENSOR_TYPE)); Assert.assertEquals(FieldType.IP, fieldTypes.get("ip_src_addr")); Assert.assertEquals(FieldType.INTEGER, fieldTypes.get("ip_src_port")); Assert.assertEquals(FieldType.LONG, fieldTypes.get("long_field")); @@ -329,7 +372,9 @@ public void returns_column_data_for_multiple_indices() throws Exception { Assert.assertEquals(FieldType.INTEGER, fieldTypes.get("snort_field")); //NOTE: This is because the field is in both bro and snort and they have different types. Assert.assertEquals(FieldType.OTHER, fieldTypes.get("ttl")); - Assert.assertEquals(FieldType.FLOAT, fieldTypes.get("threat:triage:score")); + Assert.assertEquals(FieldType.FLOAT, fieldTypes.get("threat.triage.score")); + Assert.assertEquals(FieldType.TEXT, fieldTypes.get("threat.triage.rules.snort_field.name")); + Assert.assertEquals(FieldType.TEXT, fieldTypes.get("threat.triage.rules.snort_field.reason")); Assert.assertEquals(FieldType.OTHER, fieldTypes.get("alert")); } 
@@ -348,13 +393,13 @@ public void different_type_filter_query() throws Exception { SearchResponse response = dao.search(request); Assert.assertEquals(1, response.getTotal()); List results = response.getResults(); - Assert.assertEquals("bro", results.get(0).getSource().get("source:type")); + Assert.assertEquals("bro", results.get(0).getSource().get(SENSOR_TYPE)); Assert.assertEquals("data 1", results.get(0).getSource().get("ttl")); } @Override protected String getSourceTypeField() { - return Constants.SENSOR_TYPE.replace('.', ':'); + return SENSOR_TYPE.replace('.', ':'); } @Override diff --git a/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/BulkMessageWriterBoltTest.java b/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/BulkMessageWriterBoltTest.java index 588fc58595..60b15aa9c8 100644 --- a/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/BulkMessageWriterBoltTest.java +++ b/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/BulkMessageWriterBoltTest.java @@ -88,7 +88,7 @@ public void describeTo(Description description) { /** * { * "field": "value", - * "source.type": "test" + * "metron_sensor_type": "test" * } */ @Multiline diff --git a/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/EnrichmentJoinBoltTest.java b/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/EnrichmentJoinBoltTest.java index 52135e3db0..5edc4f6fc3 100644 --- a/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/EnrichmentJoinBoltTest.java +++ b/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/EnrichmentJoinBoltTest.java 
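Review bot: `getSourceTypeField()` still returns `SENSOR_TYPE.replace('.', ':')` while the assertion two lines above in the same hunk reads the document with the unconverted `SENSOR_TYPE`; the two only agree because the new constant happens to contain no dot, so the replace now obscures rather than documents the field name. Returning `SENSOR_TYPE` directly keeps the override honest: `return SENSOR_TYPE;`, or leave a one-line comment stating that the ES tests intentionally exercise the colon-converted name if that is the purpose. Note `Constants` is still imported for the removed form; if nothing else in the file uses it the import can go.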
@@ -52,7 +52,7 @@ public class EnrichmentJoinBoltTest extends BaseEnrichmentBoltTest { * { * "ip_src_addr": "ip1", * "ip_dst_addr": "ip2", - * "source.type": "test", + * "metron_sensor_type": "test", * "enrichedField": "enrichedValue" * } */ diff --git a/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/GenericEnrichmentBoltTest.java b/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/GenericEnrichmentBoltTest.java index 17a53f4ed4..abd4f1be30 100644 --- a/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/GenericEnrichmentBoltTest.java +++ b/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/GenericEnrichmentBoltTest.java @@ -90,7 +90,7 @@ public void describeTo(Description description) { { "field1": "value1", "field2": "value2", - "source.type": "test" + "metron_sensor_type": "test" } */ @Multiline @@ -116,7 +116,7 @@ public void describeTo(Description description) { { "field1.enrichedField1": "enrichedValue1", "field2.enrichedField2": "enrichedValue2", - "source.type": "test" + "metron_sensor_type": "test" } */ @Multiline @@ -210,7 +210,7 @@ protected void initializeStellar() { when(tuple.getValueByField("message")).thenReturn(originalMessage); when(enrichmentAdapter.enrich(any())).thenReturn(new JSONObject()); genericEnrichmentBolt.execute(tuple); - verify(outputCollector, times(1)).emit(eq(enrichmentType), argThat(new EnrichedMessageMatcher(key, new JSONObject(ImmutableMap.of("source.type", "test"))))); + verify(outputCollector, times(1)).emit(eq(enrichmentType), argThat(new EnrichedMessageMatcher(key, new JSONObject(ImmutableMap.of("metron_sensor_type", "test"))))); reset(enrichmentAdapter); SensorEnrichmentConfig sensorEnrichmentConfig = SensorEnrichmentConfig. 
@@ -238,7 +238,7 @@ protected void initializeStellar() { .addRawMessage(new JSONObject() {{ put("field1", "value1"); put("field2", "value2"); - put("source.type", "test"); + put("metron_sensor_type", "test"); }}) .withThrowable(new Exception("[Metron] Could not enrich string: value1")); verify(outputCollector, times(1)).emit(eq(Constants.ERROR_STREAM), argThat(new MetronErrorJSONMatcher(error.getJSONObject()))); diff --git a/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/ThreatIntelJoinBoltTest.java b/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/ThreatIntelJoinBoltTest.java index 62b2570c72..4048998aba 100644 --- a/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/ThreatIntelJoinBoltTest.java +++ b/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/bolt/ThreatIntelJoinBoltTest.java @@ -51,7 +51,7 @@ public class ThreatIntelJoinBoltTest extends BaseEnrichmentBoltTest { * { * "field1": "value1", * "enrichedField1": "enrichedValue1", - * "source.type": "test" + * "metron_sensor_type": "test" * } */ @Multiline @@ -61,7 +61,7 @@ public class ThreatIntelJoinBoltTest extends BaseEnrichmentBoltTest { * { * "field1": "value1", * "enrichedField1": "enrichedValue1", - * "source.type": "test", + * "metron_sensor_type": "test", * "threatintels.field.end.ts": "timing" * } */ @@ -72,7 +72,7 @@ public class ThreatIntelJoinBoltTest extends BaseEnrichmentBoltTest { * { * "field1": "value1", * "enrichedField1": "enrichedValue1", - * "source.type": "test", + * "metron_sensor_type": "test", * "threatintels.field": "threatIntelValue" * } */ diff --git a/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/integration/EnrichmentIntegrationTest.java b/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/integration/EnrichmentIntegrationTest.java index 188f18ba70..6e0281eff9 100644 
--- a/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/integration/EnrichmentIntegrationTest.java +++ b/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/integration/EnrichmentIntegrationTest.java @@ -271,7 +271,7 @@ protected void validateErrors(List> errors) { Assert.assertTrue(error.get(Constants.ErrorFields.MESSAGE.getName()).toString(), error.get(Constants.ErrorFields.MESSAGE.getName()).toString().contains("/ by zero") ); Assert.assertTrue(error.get(Constants.ErrorFields.EXCEPTION.getName()).toString().contains("/ by zero")); Assert.assertEquals(Constants.ErrorType.ENRICHMENT_ERROR.getType(), error.get(Constants.ErrorFields.ERROR_TYPE.getName())); - Assert.assertEquals("{\"error_test\":{},\"source.type\":\"test\"}", error.get(Constants.ErrorFields.RAW_MESSAGE.getName())); + Assert.assertEquals("{\"metron_sensor_type\":\"test\",\"error_test\":{}}", error.get(Constants.ErrorFields.RAW_MESSAGE.getName())); } } diff --git a/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/parallel/ParallelEnricherTest.java b/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/parallel/ParallelEnricherTest.java index d4fcdf4210..232e9126da 100644 --- a/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/parallel/ParallelEnricherTest.java +++ b/metron-platform/metron-enrichment/src/test/java/org/apache/metron/enrichment/parallel/ParallelEnricherTest.java @@ -49,7 +49,7 @@ public class ParallelEnricherTest { ,"one" : "MAP_GET('blah', map)" ,"foo": "1 + 1" } - ,"ALL_CAPS" : "TO_UPPER(source.type)" + ,"ALL_CAPS" : "TO_UPPER(metron_sensor_type)" } } } 
@@ -141,7 +141,7 @@ public void testGoodConfig() throws Exception { JSONObject ret = result.getResult(); Assert.assertEquals("Got the wrong result count: " + ret, 8, ret.size()); Assert.assertEquals(1, ret.get("map.blah")); - Assert.assertEquals("test", ret.get("source.type")); + Assert.assertEquals("test", ret.get("metron_sensor_type")); Assert.assertEquals(1, ret.get("one")); Assert.assertEquals(2, ret.get("foo")); Assert.assertEquals("TEST", ret.get("ALL_CAPS")); @@ -184,7 +184,7 @@ public void testNullEnrichment() throws Exception { ,"one := MAP_GET('blah', map)" ,"foo := 1 + 1" ] - ,"ALL_CAPS" : "TO_UPPER(source.type)" + ,"ALL_CAPS" : "TO_UPPER(metron_sensor_type)" ,"errors" : [ "error := 1/0" ] @@ -210,7 +210,7 @@ public void testBadConfig() throws Exception { JSONObject ret = result.getResult(); Assert.assertEquals(ret + " is not what I expected", 8, ret.size()); Assert.assertEquals(1, ret.get("map.blah")); - Assert.assertEquals("test", ret.get("source.type")); + Assert.assertEquals("test", ret.get("metron_sensor_type")); Assert.assertEquals(1, ret.get("one")); Assert.assertEquals(2, ret.get("foo")); Assert.assertEquals("TEST", ret.get("ALL_CAPS")); diff --git a/metron-platform/metron-indexing/src/main/java/org/apache/metron/indexing/dao/metaalert/MetaAlertConstants.java b/metron-platform/metron-indexing/src/main/java/org/apache/metron/indexing/dao/metaalert/MetaAlertConstants.java index daa54246d7..417254df08 100644 --- a/metron-platform/metron-indexing/src/main/java/org/apache/metron/indexing/dao/metaalert/MetaAlertConstants.java +++ b/metron-platform/metron-indexing/src/main/java/org/apache/metron/indexing/dao/metaalert/MetaAlertConstants.java 
@@ -22,7 +22,7 @@ public class MetaAlertConstants { public static String METAALERT_TYPE = "metaalert"; public static String METAALERT_FIELD = "metaalerts"; public static String METAALERT_DOC = METAALERT_TYPE + "_doc"; - public static String THREAT_FIELD_DEFAULT = "threat:triage:score"; + public static String THREAT_FIELD_DEFAULT = "threat.triage.score"; public static String THREAT_SORT_DEFAULT = "sum"; public static String ALERT_FIELD = "metron_alert"; public static String STATUS_FIELD = "status"; diff --git a/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/SearchIntegrationTest.java b/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/SearchIntegrationTest.java index 2e1968ac0a..ace4da2a01 100644 --- a/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/SearchIntegrationTest.java +++ b/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/SearchIntegrationTest.java @@ -7,9 +7,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *
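Review bot: Changing `THREAT_FIELD_DEFAULT` from `threat:triage:score` to `threat.triage.score` changes the default score field for every reader of this constant, and nothing in the patch migrates documents already indexed under the colon name (whether such data exists is outside the hunk); a comment on the constant stating that the dotted form is the canonical name and that pre-existing colon-named documents are not matched would save the next reader a search. The field is also declared `public static String` without `final`, so any caller can reassign the default at runtime; since the hunk rewrites the line anyway, `public static final String THREAT_FIELD_DEFAULT = "threat.triage.score";` is the safer declaration, provided no test relies on reassigning it.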

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -18,12 +18,15 @@ */ package org.apache.metron.indexing.dao; +import static org.apache.metron.common.Constants.SENSOR_TYPE; + import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Optional; + import org.adrianwalker.multilinestring.Multiline; import org.apache.metron.common.utils.JSONUtils; import org.apache.metron.indexing.dao.search.FieldType; 
@@ -46,11 +49,11 @@ public abstract class SearchIntegrationTest { /** * [ - * {"source:type": "bro", "ip_src_addr":"192.168.1.1", "ip_src_port": 8010, "long_field": 10000, "timestamp":1, "latitude": 48.5839, "score": 10.0, "is_alert":true, "location_point": "48.5839,7.7455", "bro_field": "bro data 1", "ttl": "data 1", "guid":"bro_1"}, - * {"source:type": "bro", "ip_src_addr":"192.168.1.2", "ip_src_port": 8009, "long_field": 20000, "timestamp":2, "latitude": 48.0001, "score": 50.0, "is_alert":false, "location_point": "48.5839,7.7455", "bro_field": "bro data 2", "ttl": "data 2", "guid":"bro_2"}, - * {"source:type": "bro", "ip_src_addr":"192.168.1.3", "ip_src_port": 8008, "long_field": 10000, "timestamp":3, "latitude": 48.5839, "score": 20.0, "is_alert":true, "location_point": "50.0,7.7455", "bro_field": "bro data 3", "ttl": "data 3", "guid":"bro_3"}, - * {"source:type": "bro", "ip_src_addr":"192.168.1.4", "ip_src_port": 8007, "long_field": 10000, "timestamp":4, "latitude": 48.5839, "score": 10.0, "is_alert":true, "location_point": "48.5839,7.7455", "bro_field": "bro data 4", "ttl": "data 4", "guid":"bro_4"}, - * {"source:type": "bro", "ip_src_addr":"192.168.1.5", "ip_src_port": 8006, "long_field": 10000, "timestamp":5, "latitude": 48.5839, "score": 98.0, "is_alert":true, "location_point": "48.5839,7.7455", "bro_field": "bro data 5", "ttl": "data 5", "guid":"bro_5"} + * {"metron_sensor_type": "bro", "ip_src_addr":"192.168.1.1", "ip_src_port": 8010, "long_field": 10000, "timestamp":1, "latitude": 48.5839, "score": 10.0, "is_alert":true, "location_point": "48.5839,7.7455", "bro_field": "bro data 1", "ttl": "data 1", "guid":"bro_1"}, + * {"metron_sensor_type": "bro", "ip_src_addr":"192.168.1.2", "ip_src_port": 8009, "long_field": 20000, "timestamp":2, "latitude": 48.0001, "score": 50.0, "is_alert":false, "location_point": "48.5839,7.7455", "bro_field": "bro data 2", "ttl": "data 2", "guid":"bro_2"}, + * {"metron_sensor_type": "bro", "ip_src_addr":"192.168.1.3", 
"ip_src_port": 8008, "long_field": 10000, "timestamp":3, "latitude": 48.5839, "score": 20.0, "is_alert":true, "location_point": "50.0,7.7455", "bro_field": "bro data 3", "ttl": "data 3", "guid":"bro_3"}, + * {"metron_sensor_type": "bro", "ip_src_addr":"192.168.1.4", "ip_src_port": 8007, "long_field": 10000, "timestamp":4, "latitude": 48.5839, "score": 10.0, "is_alert":true, "location_point": "48.5839,7.7455", "bro_field": "bro data 4", "ttl": "data 4", "guid":"bro_4"}, + * {"metron_sensor_type": "bro", "ip_src_addr":"192.168.1.5", "ip_src_port": 8006, "long_field": 10000, "timestamp":5, "latitude": 48.5839, "score": 98.0, "is_alert":true, "location_point": "48.5839,7.7455", "bro_field": "bro data 5", "ttl": "data 5", "guid":"bro_5"} * ] */ @Multiline 
@@ -58,11 +61,11 @@ public abstract class SearchIntegrationTest { /** * [ - * {"source:type": "snort", "ip_src_addr":"192.168.1.6", "ip_src_port": 8005, "long_field": 10000, "timestamp":6, "latitude": 48.5839, "score": 50.0, "is_alert":false, "location_point": "50.0,7.7455", "snort_field": 10, "ttl": 1, "guid":"snort_1", "threat:triage:score":10.0}, - * {"source:type": "snort", "ip_src_addr":"192.168.1.1", "ip_src_port": 8004, "long_field": 10000, "timestamp":7, "latitude": 48.5839, "score": 10.0, "is_alert":true, "location_point": "48.5839,7.7455", "snort_field": 20, "ttl": 2, "guid":"snort_2", "threat:triage:score":20.0}, - * {"source:type": "snort", "ip_src_addr":"192.168.1.7", "ip_src_port": 8003, "long_field": 10000, "timestamp":8, "latitude": 48.5839, "score": 20.0, "is_alert":false, "location_point": "48.5839,7.7455", "snort_field": 30, "ttl": 3, "guid":"snort_3"}, - * {"source:type": "snort", "ip_src_addr":"192.168.1.1", "ip_src_port": 8002, "long_field": 20000, "timestamp":9, "latitude": 48.0001, "score": 50.0, "is_alert":true, "location_point": "48.5839,7.7455", "snort_field": 40, "ttl": 4, "guid":"snort_4"}, - * {"source:type": "snort", "ip_src_addr":"192.168.1.8", "ip_src_port": 8001, "long_field": 10000, "timestamp":10, "latitude": 48.5839, "score": 10.0, "is_alert":false, "location_point": "48.5839,7.7455", "snort_field": 50, "ttl": 5, "guid":"snort_5"} + * {"metron_sensor_type": "snort", "ip_src_addr":"192.168.1.6", "ip_src_port": 8005, "long_field": 10000, "timestamp":6, "latitude": 48.5839, "score": 50.0, "is_alert":false, "location_point": "50.0,7.7455", "snort_field": 10, "ttl": 1, "guid":"snort_1", "threat.triage.score":10.0, "threat.triage.rules.snort_field.reason":"snort_1 reason", "threat.triage.rules.snort_field.name":"snort_1 name"}, + * {"metron_sensor_type": "snort", "ip_src_addr":"192.168.1.1", "ip_src_port": 8004, "long_field": 10000, "timestamp":7, "latitude": 48.5839, "score": 10.0, "is_alert":true, "location_point": "48.5839,7.7455", 
"snort_field": 20, "ttl": 2, "guid":"snort_2", "threat.triage.score":20.0, "threat.triage.rules.snort_field.reason":"snort_2 reason", "threat.triage.rules.snort_field.name":"snort_2 name"}, + * {"metron_sensor_type": "snort", "ip_src_addr":"192.168.1.7", "ip_src_port": 8003, "long_field": 10000, "timestamp":8, "latitude": 48.5839, "score": 20.0, "is_alert":false, "location_point": "48.5839,7.7455", "snort_field": 30, "ttl": 3, "guid":"snort_3"}, + * {"metron_sensor_type": "snort", "ip_src_addr":"192.168.1.1", "ip_src_port": 8002, "long_field": 20000, "timestamp":9, "latitude": 48.0001, "score": 50.0, "is_alert":true, "location_point": "48.5839,7.7455", "snort_field": 40, "ttl": 4, "guid":"snort_4"}, + * {"metron_sensor_type": "snort", "ip_src_addr":"192.168.1.8", "ip_src_port": 8001, "long_field": 10000, "timestamp":10, "latitude": 48.5839, "score": 10.0, "is_alert":false, "location_point": "48.5839,7.7455", "snort_field": 50, "ttl": 5, "guid":"snort_5"} * ] */ @Multiline @@ -154,7 +157,7 @@ public abstract class SearchIntegrationTest { * "size": 25, * "sort": [ * { - * "field": "threat:triage:score", + * "field": "threat.triage.score", * "sortOrder": "asc" * } * ] @@ -174,7 +177,7 @@ public abstract class SearchIntegrationTest { * "size": 25, * "sort": [ * { - * "field": "threat:triage:score", + * "field": "threat.triage.score", * "sortOrder": "desc" * } * ] @@ -219,7 +222,7 @@ public abstract class SearchIntegrationTest { /** * { - * "facetFields": ["source:type", "ip_src_addr", "ip_src_port", "long_field", "timestamp", "latitude", "score", "is_alert"], + * "facetFields": ["metron_sensor_type", "ip_src_addr", "ip_src_port", "long_field", "timestamp", "latitude", "score", "is_alert"], * "indices": ["bro", "snort"], * "query": "*", * "from": 0, 
@@ -482,7 +485,7 @@ public void all_query_returns_all_results() throws Exception { Assert.assertEquals(10, response.getTotal()); List results = response.getResults(); Assert.assertEquals(10, results.size()); - for(int i = 0;i < 5;++i) { + for (int i = 0; i < 5; ++i) { Assert.assertEquals("snort", results.get(i).getSource().get(getSourceTypeField())); Assert.assertEquals(getIndexName("snort"), results.get(i).getIndex()); Assert.assertEquals(10 - i + "", results.get(i).getSource().get("timestamp").toString()); @@ -506,10 +509,11 @@ public void find_one_guid() throws Exception { @Test public void get_all_latest_guid() throws Exception { - List request = JSONUtils.INSTANCE.load(getAllLatestQuery, new JSONUtils.ReferenceSupplier>(){}); + List request = JSONUtils.INSTANCE.load(getAllLatestQuery, new JSONUtils.ReferenceSupplier>() { + }); Map docs = new HashMap<>(); - for(Document doc : getIndexDao().getAllLatest(request)) { + for (Document doc : getIndexDao().getAllLatest(request)) { docs.put(doc.getGuid(), doc); } Assert.assertEquals(2, docs.size()); 
@@ -552,14 +556,14 @@ public void sort_ascending_with_missing_fields() throws Exception { List results = response.getResults(); Assert.assertEquals(10, results.size()); - // the remaining are missing the 'threat:triage:score' and should be sorted last + // the remaining are missing the 'threat.triage.score' and should be sorted last for (int i = 0; i < 8; i++) { - Assert.assertFalse(results.get(i).getSource().containsKey("threat:triage:score")); + Assert.assertFalse(results.get(i).getSource().containsKey("threat.triage.score")); } // validate sorted order - there are only 2 with a 'threat:triage:score' - Assert.assertEquals("10.0", results.get(8).getSource().get("threat:triage:score").toString()); - Assert.assertEquals("20.0", results.get(9).getSource().get("threat:triage:score").toString()); + Assert.assertEquals("10.0", results.get(8).getSource().get("threat.triage.score").toString()); + Assert.assertEquals("20.0", results.get(9).getSource().get("threat.triage.score").toString()); } @Test @@ -571,12 +575,12 @@ public void sort_descending_with_missing_fields() throws Exception { Assert.assertEquals(10, results.size()); // validate sorted order - there are only 2 with a 'threat:triage:score' - Assert.assertEquals("20.0", results.get(0).getSource().get("threat:triage:score").toString()); - Assert.assertEquals("10.0", results.get(1).getSource().get("threat:triage:score").toString()); + Assert.assertEquals("20.0", results.get(0).getSource().get("threat.triage.score").toString()); + Assert.assertEquals("10.0", results.get(1).getSource().get("threat.triage.score").toString()); // the remaining are missing the 'threat:triage:score' and should be sorted last for (int i = 2; i < 10; i++) { - Assert.assertFalse(results.get(i).getSource().containsKey("threat:triage:score")); + Assert.assertFalse(results.get(i).getSource().containsKey("threat.triage.score")); } } 
@@ -609,7 +613,7 @@ public void returns_results_only_for_specified_indices() throws Exception { @Test public void facet_query_yields_field_types() throws Exception { - String facetQuery = facetQueryRaw.replace("source:type", getSourceTypeField()); + String facetQuery = facetQueryRaw.replace(SENSOR_TYPE, getSourceTypeField()); SearchRequest request = JSONUtils.INSTANCE.load(facetQuery, SearchRequest.class); SearchResponse response = getIndexDao().search(request); Assert.assertEquals(10, response.getTotal()); @@ -934,8 +938,10 @@ public static void stop() { @Test public abstract void returns_column_data_for_multiple_indices() throws Exception; + @Test public abstract void returns_column_metadata_for_specified_indices() throws Exception; + @Test public abstract void different_type_filter_query() throws Exception; diff --git a/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/MetaAlertIntegrationTest.java b/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/MetaAlertIntegrationTest.java index f754b81df9..94c6170732 100644 --- a/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/MetaAlertIntegrationTest.java +++ b/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/MetaAlertIntegrationTest.java @@ -18,6 +18,7 @@ package org.apache.metron.indexing.dao.metaalert; +import static org.apache.metron.common.Constants.SENSOR_TYPE; import static org.apache.metron.indexing.dao.metaalert.MetaAlertConstants.ALERT_FIELD; import static org.apache.metron.indexing.dao.metaalert.MetaAlertConstants.METAALERT_FIELD; import static org.apache.metron.indexing.dao.metaalert.MetaAlertConstants.METAALERT_TYPE; 
@@ -991,7 +992,7 @@ protected List> buildAlerts(int count) {
 final String guid = "message_" + i;
 Map alerts = new HashMap<>();
 alerts.put(Constants.GUID, guid);
- alerts.put(getSourceTypeField(), SENSOR_NAME);
+ alerts.put(SENSOR_TYPE, SENSOR_NAME);
 alerts.put(THREAT_FIELD_DEFAULT, (double) i);
 alerts.put("timestamp", System.currentTimeMillis());
 inputData.add(alerts);
diff --git a/metron-platform/metron-integration-test/src/main/config/zookeeper/enrichments/test.json b/metron-platform/metron-integration-test/src/main/config/zookeeper/enrichments/test.json
index 9b997a60ac..eff3baf7e6 100644
--- a/metron-platform/metron-integration-test/src/main/config/zookeeper/enrichments/test.json
+++ b/metron-platform/metron-integration-test/src/main/config/zookeeper/enrichments/test.json
@@ -19,9 +19,9 @@
 "map" : "{ 'blah' : 1}"
 ,"one" : "MAP_GET('blah', map)"
 ,"foo": "1 + 1"
- ,"alt_src_type" : "MAP_GET('source.type', _)"
+ ,"alt_src_type" : "MAP_GET('metron_sensor_type', _)"
 }
- ,"ALL_CAPS" : "TO_UPPER(source.type)"
+ ,"ALL_CAPS" : "TO_UPPER(metron_sensor_type)"
 ,"src_enrichment" : {
 "src_classification" : "ENRICHMENT_GET('playful_classification', ip_src_addr, 'enrichments', 'cf')"
 }
@@ -50,7 +50,7 @@
 ],
 "stellar" : {
 "config" : {
- "bar" : "TO_UPPER(source.type)"
+ "bar" : "TO_UPPER(metron_sensor_type)"
 ,"is_src_malicious" : "ENRICHMENT_EXISTS('malicious_ip', ip_src_addr, 'threat_intel', 'cf')"
 }
 }
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/asa/parsed/asa_parsed b/metron-platform/metron-integration-test/src/main/sample/data/asa/parsed/asa_parsed
index bbf4cd0cf5..fc3d332215 100755
--- a/metron-platform/metron-integration-test/src/main/sample/data/asa/parsed/asa_parsed
+++ b/metron-platform/metron-integration-test/src/main/sample/data/asa/parsed/asa_parsed
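Review bot: `alerts.put(SENSOR_TYPE, SENSOR_NAME)` drops the `getSourceTypeField()` indirection that the query side of these fixtures still uses (the SearchIntegrationTest hunk above keeps calling `getSourceTypeField()`), so any DAO subclass that still overrides that method would now index alerts under a key its own queries never look up. If the intent is that every DAO keys on the constant, `getSourceTypeField()` should be retired in the same commit; otherwise this line should keep the override. On a smaller note, `"timestamp"` is the only key on these lines still written as a literal next to `Constants.GUID`, `SENSOR_TYPE` and `THREAT_FIELD_DEFAULT`; a named constant for it would keep the fixture consistent. buildAlerts and the loop this line sits in begin before the hunk and continue past it.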
@@ -1,128 +1,128 @@ -{"syslog_host":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609001: Built local-host inside:10.22.8.205","ciscotag":"ASA-7-609001","syslog_facility":"local4","syslog_severity":"debug","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"icmp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","ip_dst_addr":"10.22.8.74","ciscotag":"ASA-6-302021","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.205","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","ciscotag":"ASA-7-609002","syslog_facility":"local4","syslog_severity":"debug","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167725 for Outside_VPN:147.111.72.16\/26436 to DMZ-Inside:10.22.8.53\/443 duration 0:00:00 bytes 9687 TCP FINs","ip_dst_addr":"10.22.8.53","ip_src_port":26436,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"147.111.72.16","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805593 for outside:10.22.8.223\/59614(LOCAL\\user.name) to inside:10.22.8.78\/8102 duration 0:00:07 bytes 3433 TCP FINs 
(user.name)","ip_dst_addr":"10.22.8.78","ip_src_port":59614,"ip_dst_port":8102,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.223","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.212","protocol":"tcp","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245503 for outside:10.22.8.233\/54209 (10.22.8.233\/54209) to inside:198.111.72.238\/443 (198.111.72.238\/443) (user.name)","ip_dst_addr":"198.111.72.238","ip_src_port":54209,"ip_dst_port":443,"ciscotag":"ASA-6-302013","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.233","syslog_severity":"info","timestamp":1452005555000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806031 for outside:10.22.8.17\/58633 (10.22.8.17\/58633)(LOCAL\\user.name) to inside:10.22.8.12\/389 (10.22.8.12\/389) (user.name)","ip_dst_addr":"10.22.8.12","ip_src_port":58633,"ip_dst_port":389,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.17","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168292 for DMZ-Inside:10.22.8.51\/51231 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 2103 TCP FINs","ip_dst_addr":"10.22.8.174","ip_src_port":51231,"ip_dst_port":40004,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.51","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
-{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11\/80 to 204.111.72.226\/45019 flags SYN ACK on interface Outside_VPN","ip_dst_addr":"204.111.72.226","ip_src_port":80,"ip_dst_port":45019,"ciscotag":"ASA-6-106015","syslog_facility":"local1","action":"deny","ip_src_addr":"186.111.72.11","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.12","protocol":"tcp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604987 for outside:209.111.72.151\/443 to inside:10.22.8.188\/64306 duration 0:00:31 bytes 10128 TCP FINs","ip_dst_addr":"10.22.8.188","ip_src_port":443,"ip_dst_port":64306,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"209.111.72.151","syslog_severity":"info","timestamp":1451987555000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.12","protocol":"tcp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604999 for outside:209.111.72.151\/443 to inside:10.22.8.188\/64307 duration 0:00:30 bytes 6370 TCP FINs","ip_dst_addr":"10.22.8.188","ip_src_port":443,"ip_dst_port":64307,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"209.111.72.151","syslog_severity":"info","timestamp":1451987555000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167347 for Outside_VPN:198.111.72.24\/2134 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9785 TCP 
FINs","ip_dst_addr":"10.22.8.53","ip_src_port":2134,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"198.111.72.24","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.212","protocol":"udp","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110\/49886 (10.22.8.110\/49886) to inside:192.111.72.8\/8612 (192.111.72.8\/8612) (user.name)","ip_dst_addr":"192.111.72.8","ip_src_port":49886,"ip_dst_port":8612,"ciscotag":"ASA-6-302015","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.110","syslog_severity":"info","timestamp":1452005555000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805993 for outside:10.22.8.89\/56917(LOCAL\\user.name) to inside:216.111.72.126\/443 duration 0:00:00 bytes 0 TCP FINs (user.name)","ip_dst_addr":"216.111.72.126","ip_src_port":56917,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.89","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223\/49192 to outside:224.111.72.252\/5355","ip_dst_addr":"224.111.72.252","ip_src_port":49192,"ip_dst_port":5355,"ciscotag":"ASA-7-710005","syslog_facility":"local4","action":"discarded","ip_src_addr":"10.22.8.223","syslog_severity":"debug","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: 
Teardown TCP connection 488166143 for Outside_VPN:198.111.72.64\/80 to Inside-Trunk:10.22.8.39\/54883 duration 0:00:04 bytes 1148 TCP FINs","ip_dst_addr":"10.22.8.39","ip_src_port":80,"ip_dst_port":54883,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"198.111.72.64","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.84\/445 to 10.22.8.219\/60726 flags ACK on interface inside","ip_dst_addr":"10.22.8.219","ip_src_port":445,"ip_dst_port":60726,"ciscotag":"ASA-6-106015","syslog_facility":"local4","action":"deny","ip_src_addr":"10.22.8.84","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168344 for DMZ-Inside:10.22.8.53\/61682 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 5648 TCP FINs","ip_dst_addr":"10.22.8.174","ip_src_port":61682,"ip_dst_port":40004,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.53","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168345 for DMZ-Inside:10.22.8.16\/31454 to Inside-Trunk:10.22.8.21\/443 duration 0:00:00 bytes 756 TCP FINs","ip_dst_addr":"10.22.8.21","ip_src_port":31454,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.16","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
-{"syslog_host":"10.22.8.4","protocol":"icmp","original_string":"<182>Jan 5 20:22:35 10.22.8.4 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.12\/0 gaddr 10.22.8.45\/1 laddr 10.22.8.45\/1","ip_dst_addr":"10.22.8.12","ciscotag":"ASA-6-302020","syslog_facility":"local6","action":"built","ip_src_addr":"10.22.8.45","syslog_severity":"info","timestamp":1452025355000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 50.111.72.230\/80 to 204.111.72.254\/53077 flags RST on interface Outside_VPN","ip_dst_addr":"204.111.72.254","ip_src_port":80,"ip_dst_port":53077,"ciscotag":"ASA-6-106015","syslog_facility":"local1","action":"deny","ip_src_addr":"50.111.72.230","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.12","protocol":"udp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603649 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63297 duration 0:02:01 bytes 209","ip_dst_addr":"10.22.8.48","ip_src_port":161,"ip_dst_port":63297,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"206.111.72.2","syslog_severity":"info","timestamp":1451987555000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.12","protocol":"udp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603650 for outside:207.111.72.122\/161 to inside:10.22.8.48\/63298 duration 0:02:01 bytes 209","ip_dst_addr":"10.22.8.48","ip_src_port":161,"ip_dst_port":63298,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"207.111.72.122","syslog_severity":"info","timestamp":1451987555000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
-{"syslog_host":"10.22.8.12","protocol":"udp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603652 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63300 duration 0:02:01 bytes 115","ip_dst_addr":"10.22.8.48","ip_src_port":161,"ip_dst_port":63300,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"206.111.72.2","syslog_severity":"info","timestamp":1451987555000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.12","protocol":"udp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603657 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63306 duration 0:02:01 bytes 115","ip_dst_addr":"10.22.8.48","ip_src_port":161,"ip_dst_port":63306,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"206.111.72.2","syslog_severity":"info","timestamp":1451987555000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168436 for DMZ-Inside:10.22.8.51\/51235 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 2497 TCP FINs","ip_dst_addr":"10.22.8.174","ip_src_port":51235,"ip_dst_port":40004,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.51","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167656 for Outside_VPN:69.111.72.70\/21560 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 11410 TCP 
FINs","ip_dst_addr":"10.22.8.53","ip_src_port":21560,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"69.111.72.70","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806050 for outside:10.22.8.62\/53965 (10.22.8.62\/53965)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","ip_dst_addr":"10.22.8.85","ip_src_port":53965,"ip_dst_port":53,"ciscotag":"ASA-6-302015","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.62","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806052 for outside:10.22.8.62\/56500 (10.22.8.62\/56500)(LOCAL\\user.name) to inside:198.111.72.83\/443 (198.111.72.83\/443) (user.name)","ip_dst_addr":"198.111.72.83","ip_src_port":56500,"ip_dst_port":443,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.62","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806054 for outside:10.22.8.62\/56502 (10.22.8.62\/56502)(LOCAL\\user.name) to inside:50.111.72.252\/443 (50.111.72.252\/443) (user.name)","ip_dst_addr":"50.111.72.252","ip_src_port":56502,"ip_dst_port":443,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.62","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
-{"syslog_host":"10.22.8.12","protocol":"tcp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.188\/64340 to outside:206.111.72.41\/2013","ip_src_port":64340,"ciscotag":"ASA-6-305011","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.188","syslog_severity":"info","timestamp":1451987555000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.33","protocol":"udp","original_string":"<166>Jan 5 15:52:35 10.22.8.33 %ASA-6-305012: Teardown dynamic UDP translation from inside:192.111.72.2\/62251 to outside:79.111.72.174\/21311 duration 0:02:30","ip_src_port":62251,"ciscotag":"ASA-6-305012","syslog_facility":"local4","action":"teardown","ip_src_addr":"192.111.72.2","syslog_severity":"info","timestamp":1452009155000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806058 for outside:10.22.8.221\/56631 (10.22.8.221\/56631)(LOCAL\\user.name) to inside:10.22.8.26\/389 (10.22.8.26\/389) (user.name)","ip_dst_addr":"10.22.8.26","ip_src_port":56631,"ip_dst_port":389,"ciscotag":"ASA-6-302015","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.221","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168189 for Outside_VPN:209.111.72.10\/56619 to DMZ-Inside:10.22.8.53\/443 duration 0:00:00 bytes 2477 TCP 
FINs","ip_dst_addr":"10.22.8.53","ip_src_port":56619,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"209.111.72.10","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.112\/52235 to 198.111.72.227\/80 flags ACK on interface Inside-Trunk","ip_dst_addr":"198.111.72.227","ip_src_port":52235,"ip_dst_port":80,"ciscotag":"ASA-6-106015","syslog_facility":"local1","action":"deny","ip_src_addr":"10.22.8.112","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167192 for Outside_VPN:115.111.72.7\/49196 to DMZ-Inside:10.22.8.57\/443 duration 0:00:02 bytes 20588 TCP Reset-O","ip_dst_addr":"10.22.8.57","ip_src_port":49196,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"115.111.72.7","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212806055 for outside:10.22.8.62\/55383(LOCAL\\user.name) to inside:10.22.8.85\/53 duration 0:00:00 bytes 349 (user.name)","ip_dst_addr":"10.22.8.85","ip_src_port":55383,"ip_dst_port":53,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.62","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown 
TCP connection 488168380 for Outside_VPN:74.111.72.12\/443 to Inside-Trunk:10.22.8.39\/54894 duration 0:00:00 bytes 5701 TCP FINs","ip_dst_addr":"10.22.8.39","ip_src_port":443,"ip_dst_port":54894,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"74.111.72.12","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.212","protocol":"tcp","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245522 for outside:10.22.8.147\/56343 (10.22.8.147\/56343) to inside:209.111.72.151\/443 (209.111.72.151\/443) (user.name)","ip_dst_addr":"209.111.72.151","ip_src_port":56343,"ip_dst_port":443,"ciscotag":"ASA-6-302013","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.147","syslog_severity":"info","timestamp":1452005555000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168443 for Outside_VPN:23.111.72.27\/80 to Inside-Trunk:10.22.8.81\/64713 duration 0:00:00 bytes 2426 TCP FINs","ip_dst_addr":"10.22.8.81","ip_src_port":80,"ip_dst_port":64713,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"23.111.72.27","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488111566 for Outside_VPN:131.111.72.49\/443 to Inside-Trunk:10.22.8.127\/56558 duration 0:01:57 bytes 3614 TCP 
Reset-O","ip_dst_addr":"10.22.8.127","ip_src_port":443,"ip_dst_port":56558,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"131.111.72.49","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806061 for outside:10.22.8.17\/58635 (10.22.8.17\/58635)(LOCAL\\user.name) to inside:10.22.8.12\/389 (10.22.8.12\/389) (user.name)","ip_dst_addr":"10.22.8.12","ip_src_port":58635,"ip_dst_port":389,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.17","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806010 for outside:10.22.8.33\/60223(LOCAL\\user.name) to inside:10.22.8.86\/389 duration 0:00:00 bytes 416 TCP Reset-I (user.name)","ip_dst_addr":"10.22.8.86","ip_src_port":60223,"ip_dst_port":389,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.33","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806062 for outside:10.22.8.221\/56632 (10.22.8.221\/56632)(LOCAL\\user.name) to inside:10.22.8.73\/389 (10.22.8.73\/389) (user.name)","ip_dst_addr":"10.22.8.73","ip_src_port":56632,"ip_dst_port":389,"ciscotag":"ASA-6-302015","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.221","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
-{"syslog_host":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","ciscotag":"ASA-7-609002","syslog_facility":"local4","syslog_severity":"debug","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168231 for Outside_VPN:204.111.72.243\/3011 to Inside-Trunk:10.22.8.208\/60037 duration 0:00:00 bytes 19415 TCP FINs","ip_dst_addr":"10.22.8.208","ip_src_port":3011,"ip_dst_port":60037,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"204.111.72.243","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.41","protocol":"tcp","original_string":"<166>Jan 5 16:52:35 10.22.8.41 %ASA-6-302013: Built inbound TCP connection 45476108 for Outside:10.22.8.97\/53484 (10.22.8.97\/53484)(LOCAL\\user.name) to Inside:141.111.72.70\/7576 (141.111.72.70\/7576) (user.name)","ip_dst_addr":"141.111.72.70","ip_src_port":53484,"ip_dst_port":7576,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.97","syslog_severity":"info","timestamp":1452012755000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.212","protocol":"tcp","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245527 for outside:10.22.8.97\/65195 (10.22.8.97\/65195) to inside:17.111.72.212\/5223 (17.111.72.212\/5223) (user.name)","ip_dst_addr":"17.111.72.212","ip_src_port":65195,"ip_dst_port":5223,"ciscotag":"ASA-6-302013","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.97","syslog_severity":"info","timestamp":1452005555000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
-{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806018 for outside:10.22.8.17\/58632(LOCAL\\user.name) to inside:10.22.8.12\/389 duration 0:00:00 bytes 0 TCP FINs (user.name)","ip_dst_addr":"10.22.8.12","ip_src_port":58632,"ip_dst_port":389,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.17","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168562 for DMZ-Inside:10.22.8.51\/51236 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 2273 TCP FINs","ip_dst_addr":"10.22.8.174","ip_src_port":51236,"ip_dst_port":40004,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.51","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806065 for outside:10.22.8.62\/59829 (10.22.8.62\/59829)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","ip_dst_addr":"10.22.8.85","ip_src_port":59829,"ip_dst_port":53,"ciscotag":"ASA-6-302015","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.62","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806067 for outside:10.22.8.143\/62675 (10.22.8.143\/62675)(LOCAL\\user.name) to inside:141.111.72.12\/389 (141.111.72.12\/389) 
(user.name)","ip_dst_addr":"141.111.72.12","ip_src_port":62675,"ip_dst_port":389,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.143","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223\/61122 to outside:224.111.72.252\/5355","ip_dst_addr":"224.111.72.252","ip_src_port":61122,"ip_dst_port":5355,"ciscotag":"ASA-7-710005","syslog_facility":"local4","action":"discarded","ip_src_addr":"10.22.8.223","syslog_severity":"debug","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"icmp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.143\/0(LOCAL\\user.name) gaddr 141.111.72.12\/0 laddr 141.111.72.12\/0 (user.name)","ip_dst_addr":"10.22.8.143","ciscotag":"ASA-6-302020","syslog_facility":"local4","action":"built","ip_src_addr":"141.111.72.12","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168547 for Outside_VPN:107.111.72.102\/80 to Inside-Trunk:10.22.8.54\/61676 duration 0:00:00 bytes 1030 TCP FINs","ip_dst_addr":"10.22.8.54","ip_src_port":80,"ip_dst_port":61676,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"107.111.72.102","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806078 for outside:10.22.8.221\/56633 
(10.22.8.221\/56633)(LOCAL\\user.name) to inside:10.22.8.20\/389 (10.22.8.20\/389) (user.name)","ip_dst_addr":"10.22.8.20","ip_src_port":56633,"ip_dst_port":389,"ciscotag":"ASA-6-302015","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.221","syslog_severity":"info","timestamp":1451983955000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.12","protocol":"tcp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.83\/59915 to outside:206.111.72.41\/22776","ip_src_port":59915,"ciscotag":"ASA-6-305011","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.83","syslog_severity":"info","timestamp":1451987555000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168044 for Outside_VPN:50.111.72.39\/80 to Inside-Trunk:10.22.8.75\/60877 duration 0:00:01 bytes 13304 TCP FINs","ip_dst_addr":"10.22.8.75","ip_src_port":80,"ip_dst_port":60877,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"50.111.72.39","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488118326 for Outside_VPN:23.111.72.27\/80 to Inside-Trunk:10.22.8.229\/57901 duration 0:01:45 bytes 1942 TCP FINs","ip_dst_addr":"10.22.8.229","ip_src_port":80,"ip_dst_port":57901,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"23.111.72.27","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 
%ASA-6-302014: Teardown TCP connection 488160565 for Outside_VPN:72.111.72.29\/80 to Inside-Trunk:10.22.8.42\/57520 duration 0:00:15 bytes 1025 TCP FINs","ip_dst_addr":"10.22.8.42","ip_src_port":80,"ip_dst_port":57520,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"72.111.72.29","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488096423 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59096 duration 0:02:27 bytes 99347 TCP Reset-O","ip_dst_addr":"10.22.8.127","ip_src_port":80,"ip_dst_port":59096,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"72.111.72.43","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488095522 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59087 duration 0:02:29 bytes 154785 TCP Reset-O","ip_dst_addr":"10.22.8.127","ip_src_port":80,"ip_dst_port":59087,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"72.111.72.43","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488106557 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59134 duration 0:02:09 bytes 25319 TCP 
Reset-O","ip_dst_addr":"10.22.8.127","ip_src_port":80,"ip_dst_port":59134,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"72.111.72.43","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488096426 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59099 duration 0:02:27 bytes 26171 TCP Reset-O","ip_dst_addr":"10.22.8.127","ip_src_port":80,"ip_dst_port":59099,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"72.111.72.43","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806005 for outside:10.22.8.17\/58630(LOCAL\\user.name) to inside:10.22.8.12\/389 duration 0:00:00 bytes 3942 TCP FINs (user.name)","ip_dst_addr":"10.22.8.12","ip_src_port":58630,"ip_dst_port":389,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.17","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806085 for outside:10.22.8.143\/54018 (10.22.8.143\/54018)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","ip_dst_addr":"10.22.8.85","ip_src_port":54018,"ip_dst_port":53,"ciscotag":"ASA-6-302015","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.143","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
-{"syslog_host":"10.22.8.212","protocol":"icmp","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.96\/2708 gaddr 10.22.8.30\/0 laddr 10.22.8.30\/0 (user.name)","ip_dst_addr":"10.22.8.96","ciscotag":"ASA-6-302020","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.30","syslog_severity":"info","timestamp":1452005556000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.212","protocol":"udp","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245537 for outside:10.22.8.110\/49886 (10.22.8.110\/49886) to inside:192.111.72.11\/8612 (192.111.72.11\/8612) (user.name)","ip_dst_addr":"192.111.72.11","ip_src_port":49886,"ip_dst_port":8612,"ciscotag":"ASA-6-302015","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.110","syslog_severity":"info","timestamp":1452005556000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.41","protocol":"tcp","original_string":"<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.85\/58359 to 10.22.8.11\/88 flags RST ACK on interface Outside","ip_dst_addr":"10.22.8.11","ip_src_port":58359,"ip_dst_port":88,"ciscotag":"ASA-6-106015","syslog_facility":"local4","action":"deny","ip_src_addr":"10.22.8.85","syslog_severity":"info","timestamp":1452012756000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"icmp","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.82\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","ip_dst_addr":"10.22.8.82","ciscotag":"ASA-6-302021","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.205","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
-{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212799832 for outside:10.22.8.230\/55549(LOCAL\\user.name) to inside:10.22.8.11\/389 duration 0:02:01 bytes 354 (user.name)","ip_dst_addr":"10.22.8.11","ip_src_port":55549,"ip_dst_port":389,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.230","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212799867 for outside:10.22.8.240\/138(LOCAL\\user.name) to inside:10.22.8.255\/138 duration 0:02:01 bytes 214 (user.name)","ip_dst_addr":"10.22.8.255","ip_src_port":138,"ip_dst_port":138,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.240","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","original_string":"<167>Jan 5 08:52:36 10.22.8.216 %ASA-7-609001: Built local-host inside:67.111.72.204","ciscotag":"ASA-7-609001","syslog_facility":"local4","syslog_severity":"debug","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.212","protocol":"tcp","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245544 for outside:10.22.8.227\/54540 (10.22.8.227\/54540) to inside:63.111.72.124\/80 (63.111.72.124\/80) (user.name)","ip_dst_addr":"63.111.72.124","ip_src_port":54540,"ip_dst_port":80,"ciscotag":"ASA-6-302013","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.227","syslog_severity":"info","timestamp":1452005556000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
-{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168135 for Outside_VPN:198.111.72.66\/36797 to DMZ-Inside:10.22.8.53\/80 duration 0:00:01 bytes 89039 TCP FINs","ip_dst_addr":"10.22.8.53","ip_src_port":36797,"ip_dst_port":80,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"198.111.72.66","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805836 for outside:10.22.8.62\/56471(LOCAL\\user.name) to inside:208.111.72.1\/443 duration 0:00:04 bytes 1700 TCP FINs (user.name)","ip_dst_addr":"208.111.72.1","ip_src_port":56471,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.62","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.212","protocol":"tcp","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245546 for outside:10.22.8.227\/54542 (10.22.8.227\/54542) to inside:63.111.72.124\/80 (63.111.72.124\/80) (user.name)","ip_dst_addr":"63.111.72.124","ip_src_port":54542,"ip_dst_port":80,"ciscotag":"ASA-6-302013","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.227","syslog_severity":"info","timestamp":1452005556000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"icmp","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 
10.22.8.205\/0","ip_dst_addr":"10.22.8.74","ciscotag":"ASA-6-302021","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.205","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.212","protocol":"icmp","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302020: Built outbound ICMP connection for faddr 10.22.8.96\/2708 gaddr 10.22.8.30\/0 laddr 10.22.8.30\/0","ip_dst_addr":"10.22.8.96","ciscotag":"ASA-6-302020","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.30","syslog_severity":"info","timestamp":1452005556000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168388 for DMZ-Inside:10.22.8.10\/49771 to Inside-Trunk:10.22.8.128\/443 duration 0:00:00 bytes 19132 TCP Reset-O","ip_dst_addr":"10.22.8.128","ip_src_port":49771,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.10","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168692 for DMZ-Inside:10.22.8.53\/61694 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 5660 TCP FINs","ip_dst_addr":"10.22.8.174","ip_src_port":61694,"ip_dst_port":40004,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.53","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.212","protocol":"tcp","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245552 for outside:10.22.8.92\/51042 (10.22.8.92\/51042) to 
inside:10.22.8.193\/9100 (10.22.8.193\/9100) (user.name)","ip_dst_addr":"10.22.8.193","ip_src_port":51042,"ip_dst_port":9100,"ciscotag":"ASA-6-302013","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.92","syslog_severity":"info","timestamp":1452005556000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.41","protocol":"udp","original_string":"<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-302016: Teardown UDP connection 45474680 for Outside:10.22.8.49\/137(LOCAL\\user.name) to Inside:10.22.8.12\/137 duration 0:02:03 bytes 486 (user.name)","ip_dst_addr":"10.22.8.12","ip_src_port":137,"ip_dst_port":137,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.49","syslog_severity":"info","timestamp":1452012756000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.41","protocol":"udp","original_string":"<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-302016: Teardown UDP connection 45474694 for Outside:10.22.8.49\/138(LOCAL\\user.name) to Inside:10.22.8.12\/138 duration 0:02:01 bytes 184 (user.name)","ip_dst_addr":"10.22.8.12","ip_src_port":138,"ip_dst_port":138,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.49","syslog_severity":"info","timestamp":1452012756000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167720 for Outside_VPN:198.111.72.75\/1033 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9634 TCP FINs","ip_dst_addr":"10.22.8.53","ip_src_port":1033,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"198.111.72.75","syslog_severity":"info","timestamp":1451983956000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
-{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488165627 for Outside_VPN:170.111.72.22\/27463 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9756 TCP FINs","ip_dst_addr":"10.22.8.53","ip_src_port":27463,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"170.111.72.22","syslog_severity":"info","timestamp":1451983952000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:32 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212805854 for outside:10.22.8.62\/54704(LOCAL\\user.name) to inside:10.22.8.85\/53 duration 0:00:00 bytes 114 (user.name)","ip_dst_addr":"10.22.8.85","ip_src_port":54704,"ip_dst_port":53,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.62","syslog_severity":"info","timestamp":1451983952000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.12","protocol":"icmp","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-302020: Built inbound ICMP connection for faddr 207.111.72.122\/0 gaddr 206.111.72.24\/512 laddr 10.22.8.57\/512","ip_dst_addr":"207.111.72.122","ciscotag":"ASA-6-302020","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.57","syslog_severity":"info","timestamp":1451987552000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.12","protocol":"tcp","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-302013: Built outbound TCP connection 17605397 for outside:69.111.72.0\/80 (69.111.72.0\/80) to inside:10.22.8.102\/55659 
(206.111.72.41\/40627)","ip_dst_addr":"10.22.8.102","ip_src_port":80,"ip_dst_port":55659,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"69.111.72.0","syslog_severity":"info","timestamp":1451987552000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.212","protocol":"udp","original_string":"<174>Jan 5 14:52:32 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245230 for outside:10.22.8.96\/123 (10.22.8.96\/123) to inside:10.22.8.12\/123 (10.22.8.12\/123) (user.name)","ip_dst_addr":"10.22.8.12","ip_src_port":123,"ip_dst_port":123,"ciscotag":"ASA-6-302015","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.96","syslog_severity":"info","timestamp":1452005552000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488031413 for Outside_VPN:184.111.72.216\/50341 to DMZ-Inside:10.22.8.57\/443 duration 0:05:01 bytes 13543 TCP Reset-O","ip_dst_addr":"10.22.8.57","ip_src_port":50341,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"184.111.72.216","syslog_severity":"info","timestamp":1451983952000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.41","protocol":"icmp","original_string":"<166>Jan 5 16:52:32 10.22.8.41 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.95\/1(LOCAL\\user.name) gaddr 10.22.8.12\/0 laddr 10.22.8.12\/0 (user.name)","ip_dst_addr":"10.22.8.95","ciscotag":"ASA-6-302020","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.12","syslog_severity":"info","timestamp":1452012752000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488030393 for 
DMZ-Inside:[10.22.8.10\/57109 to Inside-Trunk:10.22.8.128\/443 duration 0:05:04 bytes 13541 TCP Reset-O","ciscotag":"ASA-6-302014","syslog_facility":"local1","syslog_severity":"info","timestamp":1451983952000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.12","protocol":"tcp","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149\/62156 to outside:206.111.72.41\/19576 duration 0:00:44","ip_src_port":62156,"ciscotag":"ASA-6-305012","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.149","syslog_severity":"info","timestamp":1451987552000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.12","protocol":"tcp","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149\/62159 to outside:206.111.72.41\/39634 duration 0:00:44","ip_src_port":62159,"ciscotag":"ASA-6-305012","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.149","syslog_severity":"info","timestamp":1451987552000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488031793 for Outside_VPN:198.111.72.146\/28026 to DMZ-Inside:10.22.8.53\/443 duration 0:05:00 bytes 119 TCP FINs","ip_dst_addr":"10.22.8.53","ip_src_port":28026,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"198.111.72.146","syslog_severity":"info","timestamp":1451983952000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488030810 for DMZ-Inside:10.22.8.10\/56930 to Inside-Trunk:10.22.8.128\/443 duration 0:05:03 bytes 13543 TCP 
Reset-O","ip_dst_addr":"10.22.8.128","ip_src_port":56930,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.10","syslog_severity":"info","timestamp":1451983952000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11\/80 to 204.111.72.199\/61438 flags SYN ACK on interface Outside_VPN","ip_dst_addr":"204.111.72.199","ip_src_port":80,"ip_dst_port":61438,"ciscotag":"ASA-6-106015","syslog_facility":"local1","action":"deny","ip_src_addr":"186.111.72.11","syslog_severity":"info","timestamp":1451983952000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:32 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212805863 for outside:10.22.8.144\/61999 (10.22.8.144\/61999)(LOCAL\\user.name) to inside:10.22.8.163\/80 (10.22.8.163\/80) (user.name)","ip_dst_addr":"10.22.8.163","ip_src_port":61999,"ip_dst_port":80,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.144","syslog_severity":"info","timestamp":1451983952000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"syslog_host":"10.22.8.216","original_string":"<167>Jan 5 08:52:32 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","ciscotag":"ASA-7-609002","syslog_facility":"local4","syslog_severity":"debug","timestamp":1451983952000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"protocol":"udp","original_string":"<166>Aug 06 2016 20:39:42: %ASA-6-110002: Failed to locate egress interface for UDP from Inside:10.25.14.52\/56544 to 
172.18.106.2\/161","ip_dst_addr":"172.18.106.2","ip_src_port":56544,"ip_dst_port":161,"ciscotag":"ASA-6-110002","syslog_facility":"local4","ip_src_addr":"10.25.14.52","syslog_severity":"info","timestamp":1470515982000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<165>Aug 11 2016 15:42:07: %ASA-5-111010: User 'admin', running 'N\/A' from IP 10.25.112.191, executed 'service-object object TCP44720-44722'","ciscotag":"ASA-5-111010","syslog_facility":"local4","syslog_severity":"notice","timestamp":1470930127000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<165>Aug 06 2016 18:05:27: %ASA-5-713202: IP = 192.168.140.20, Duplicate first packet detected. Ignoring packet.","ciscotag":"ASA-5-713202","syslog_facility":"local4","syslog_severity":"notice","timestamp":1470506727000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<165>Aug 07 2016 22:38:41: %ASA-5-713904: IP = 206.16.173.28, Received encrypted packet with no matching SA, dropping","ciscotag":"ASA-5-713904","syslog_facility":"local4","syslog_severity":"notice","timestamp":1470609521000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<165>Aug 16 2016 08:20:21: %ASA-5-713050: Group = 192.168.136.20, IP = 192.168.136.20, Connection terminated for peer 192.168.136.20. 
Reason: IPSec SA Idle Timeout Remote Proxy 192.168.136.22, Local Proxy 172.18.106.36","ciscotag":"ASA-5-713050","syslog_facility":"local4","syslog_severity":"notice","timestamp":1471335621000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<164>Aug 16 2016 13:01:43: %ASA-4-313004: Denied ICMP type=0, from laddr 172.20.30.1 on interface Outside to 10.25.24.122: no matching session","ciscotag":"ASA-4-313004","syslog_facility":"local4","syslog_severity":"warn","timestamp":1471352503000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<166>Aug 16 2016 08:54:22: %ASA-6-113009: AAA retrieved default group policy (DefaultPolicyCA) for user = 192.168.136.20","ciscotag":"ASA-6-113009","syslog_facility":"local4","syslog_severity":"info","timestamp":1471337662000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<163>Aug 05 2016 20:21:04: %ASA-3-106010: Deny inbound protocol 47 src Outside:14.169.120.66 dst Outside:172.18.105.105","ciscotag":"ASA-3-106010","syslog_facility":"local4","syslog_severity":"err","timestamp":1470428464000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<164>Aug 06 2016 17:43:49: %ASA-4-113019: Group = 192.168.140.20, Username = 192.168.140.20, IP = 192.168.140.20, Session disconnected. 
Session Type: LAN-to-LAN, Duration: 12d 9h:11m:22s, Bytes xmt: 523781833, Bytes rcv: 16336203, Reason: Lost Service","ciscotag":"ASA-4-113019","syslog_facility":"local4","syslog_severity":"warn","timestamp":1470505429000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<165>Aug 05 2016 22:13:07: %ASA-5-500003: Bad TCP hdr length (hdrlen=4, pktlen=74) from 159.203.208.134\/0 to 172.18.105.12\/0, flags: INVALID, on interface Outside","ciscotag":"ASA-5-500003","syslog_facility":"local4","syslog_severity":"notice","timestamp":1470435187000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<165>Aug 06 2016 17:43:49: %ASA-5-713259: Group = 192.168.140.20, IP = 192.168.140.20, Session is being torn down. Reason: Lost Service","ciscotag":"ASA-5-713259","syslog_facility":"local4","syslog_severity":"notice","timestamp":1470505429000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"protocol":"icmp","original_string":"<163>Aug 05 2016 19:13:26: %ASA-3-313001: Denied ICMP type=3, code=3 from 198.27.69.147 on interface Outside","ciscotag":"ASA-3-313001","syslog_facility":"local4","action":"denied","ip_src_addr":"198.27.69.147","syslog_severity":"err","timestamp":1470424406000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"protocol":"icmp","original_string":"<164>Aug 05 2016 19:13:26: %ASA-4-313005: No matching connection for ICMP error message: icmp src Outside:198.27.69.147 dst identity:172.18.106.2 (type 3, code 3) on Outside interface. 
Original IP payload: udp src 172.18.106.2\/9993 dst 198.27.69.147\/26410.","ciscotag":"ASA-4-313005","syslog_facility":"local4","syslog_severity":"warn","timestamp":1470424406000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<163>Aug 11 2016 11:43:25: %ASA-3-713902: Group = 10.12.208.226, IP = 10.12.208.226, Removing peer from correlator table failed, no match!","ciscotag":"ASA-3-713902","syslog_facility":"local4","syslog_severity":"err","timestamp":1470915805000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<164>Aug 11 2016 11:43:02: %ASA-4-752010: IKEv2 Doesn't have a proposal specified","ciscotag":"ASA-4-752010","syslog_facility":"local4","syslog_severity":"warn","timestamp":1470915782000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<165>Aug 11 2016 11:43:02: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = demap. Map Sequence Number = 1.","ciscotag":"ASA-5-752004","syslog_facility":"local4","syslog_severity":"notice","timestamp":1470915782000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<163>Aug 11 2016 12:15:25: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= demap. Map Sequence Number = 1.","ciscotag":"ASA-3-752015","syslog_facility":"local4","syslog_severity":"err","timestamp":1470917725000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<164>Aug 11 2016 12:11:16: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = demap. 
Map Sequence Number = 1.","ciscotag":"ASA-4-752012","syslog_facility":"local4","syslog_severity":"warn","timestamp":1470917476000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<164>Aug 06 2016 00:02:25: %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 500 from 172.30.106.180:57380","ciscotag":"ASA-4-713903","syslog_facility":"local4","syslog_severity":"warn","timestamp":1470441745000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<163>Aug 11 2016 11:43:25: %ASA-3-713227: IP = 10.12.208.226, Rejecting new IPSec SA negotiation for peer 10.12.208.226. A negotiation was already in progress for local Proxy 10.25.0.0\/255.255.0.0, remote Proxy 172.20.30.0\/255.255.255.0","ciscotag":"ASA-3-713227","syslog_facility":"local4","syslog_severity":"err","timestamp":1470915805000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<166>Aug 20 2016 23:06:27: %ASA-6-713905: INFO: IKE Transform #8 next payload is 3 (should be 0).","ciscotag":"ASA-6-713905","syslog_facility":"local4","syslog_severity":"info","timestamp":1471734387000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<166>Aug 11 2016 11:43:02: %ASA-6-713219: IP = 10.12.208.226, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.","ciscotag":"ASA-6-713219","syslog_facility":"local4","syslog_severity":"info","timestamp":1470915782000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"original_string":"<166>Aug 11 2016 11:43:19: %ASA-6-713220: Group = 10.12.208.226, IP = 10.12.208.226, De-queuing KEY-ACQUIRE messages that were left pending.","ciscotag":"ASA-6-713220","syslog_facility":"local4","syslog_severity":"info","timestamp":1470915799000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"protocol":"tcp","original_string":"<162>Aug 05 2016 01:02:25: %ASA-2-106001: Inbound TCP connection 
denied from 10.47.32.45\/60641 to 10.254.8.193\/5060 flags SYN on interface Inside","ip_dst_addr":"10.254.8.193","ip_src_port":60641,"ip_dst_port":5060,"ciscotag":"ASA-2-106001","syslog_facility":"local4","action":"denied","ip_src_addr":"10.47.32.45","syslog_severity":"crit","timestamp":1470358945000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"protocol":"icmp","original_string":"<163>Aug 05 2016 01:02:25: %ASA-3-106014: Deny inbound icmp src Inside:10.230.4.87 dst Inside:10.22.75.251 (type 8, code 0)","ip_dst_addr":"10.22.75.251","ciscotag":"ASA-3-106014","syslog_facility":"local4","action":"deny","ip_src_addr":"10.230.4.87","syslog_severity":"err","timestamp":1470358945000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"protocol":"udp","original_string":"<164>Aug 05 2016 01:02:25: %ASA-4-106023: Deny udp src Inside:10.230.4.88\/42350 dst Outside:192.168.2.53\/53 by access-group \"Inside_access_in\" [0x962df600, 0x0]","ip_dst_addr":"192.168.2.53","ip_src_port":42350,"ip_dst_port":53,"ciscotag":"ASA-4-106023","syslog_facility":"local4","action":"deny","ip_src_addr":"10.230.4.88","syslog_severity":"warn","timestamp":1470358945000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"protocol":"tcp","original_string":"<164>Aug 05 2016 01:02:25: %ASA-4-106023: Deny tcp src Inside:10.30.6.47\/4562 dst Outside:192.168.133.204\/443 by access-group \"Inside_access_in\" [0x962df600, 0x0]","ip_dst_addr":"192.168.133.204","ip_src_port":4562,"ip_dst_port":443,"ciscotag":"ASA-4-106023","syslog_facility":"local4","action":"deny","ip_src_addr":"10.30.6.47","syslog_severity":"warn","timestamp":1470358945000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} -{"protocol":"tcp","original_string":"<164>Aug 05 2016 01:02:25: %ASA-4-106023: Deny tcp src Inside:10.30.6.47\/4563 dst Outside:192.168.133.204\/443 by access-group \"Inside_access_in\" [0x962df600, 
0x0]","ip_dst_addr":"192.168.133.204","ip_src_port":4563,"ip_dst_port":443,"ciscotag":"ASA-4-106023","syslog_facility":"local4","action":"deny","ip_src_addr":"10.30.6.47","syslog_severity":"warn","timestamp":1470358945000,"source.type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} \ No newline at end of file +{"syslog_host":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609001: Built local-host inside:10.22.8.205","ciscotag":"ASA-7-609001","syslog_facility":"local4","syslog_severity":"debug","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"icmp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","ip_dst_addr":"10.22.8.74","ciscotag":"ASA-6-302021","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.205","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","ciscotag":"ASA-7-609002","syslog_facility":"local4","syslog_severity":"debug","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167725 for Outside_VPN:147.111.72.16\/26436 to DMZ-Inside:10.22.8.53\/443 duration 0:00:00 bytes 9687 TCP FINs","ip_dst_addr":"10.22.8.53","ip_src_port":26436,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"147.111.72.16","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
+{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805593 for outside:10.22.8.223\/59614(LOCAL\\user.name) to inside:10.22.8.78\/8102 duration 0:00:07 bytes 3433 TCP FINs (user.name)","ip_dst_addr":"10.22.8.78","ip_src_port":59614,"ip_dst_port":8102,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.223","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.212","protocol":"tcp","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245503 for outside:10.22.8.233\/54209 (10.22.8.233\/54209) to inside:198.111.72.238\/443 (198.111.72.238\/443) (user.name)","ip_dst_addr":"198.111.72.238","ip_src_port":54209,"ip_dst_port":443,"ciscotag":"ASA-6-302013","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.233","syslog_severity":"info","timestamp":1452005555000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806031 for outside:10.22.8.17\/58633 (10.22.8.17\/58633)(LOCAL\\user.name) to inside:10.22.8.12\/389 (10.22.8.12\/389) (user.name)","ip_dst_addr":"10.22.8.12","ip_src_port":58633,"ip_dst_port":389,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.17","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168292 for DMZ-Inside:10.22.8.51\/51231 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 2103 TCP 
FINs","ip_dst_addr":"10.22.8.174","ip_src_port":51231,"ip_dst_port":40004,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.51","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11\/80 to 204.111.72.226\/45019 flags SYN ACK on interface Outside_VPN","ip_dst_addr":"204.111.72.226","ip_src_port":80,"ip_dst_port":45019,"ciscotag":"ASA-6-106015","syslog_facility":"local1","action":"deny","ip_src_addr":"186.111.72.11","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.12","protocol":"tcp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604987 for outside:209.111.72.151\/443 to inside:10.22.8.188\/64306 duration 0:00:31 bytes 10128 TCP FINs","ip_dst_addr":"10.22.8.188","ip_src_port":443,"ip_dst_port":64306,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"209.111.72.151","syslog_severity":"info","timestamp":1451987555000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.12","protocol":"tcp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604999 for outside:209.111.72.151\/443 to inside:10.22.8.188\/64307 duration 0:00:30 bytes 6370 TCP FINs","ip_dst_addr":"10.22.8.188","ip_src_port":443,"ip_dst_port":64307,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"209.111.72.151","syslog_severity":"info","timestamp":1451987555000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 
%ASA-6-302014: Teardown TCP connection 488167347 for Outside_VPN:198.111.72.24\/2134 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9785 TCP FINs","ip_dst_addr":"10.22.8.53","ip_src_port":2134,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"198.111.72.24","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.212","protocol":"udp","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110\/49886 (10.22.8.110\/49886) to inside:192.111.72.8\/8612 (192.111.72.8\/8612) (user.name)","ip_dst_addr":"192.111.72.8","ip_src_port":49886,"ip_dst_port":8612,"ciscotag":"ASA-6-302015","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.110","syslog_severity":"info","timestamp":1452005555000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805993 for outside:10.22.8.89\/56917(LOCAL\\user.name) to inside:216.111.72.126\/443 duration 0:00:00 bytes 0 TCP FINs (user.name)","ip_dst_addr":"216.111.72.126","ip_src_port":56917,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.89","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223\/49192 to 
outside:224.111.72.252\/5355","ip_dst_addr":"224.111.72.252","ip_src_port":49192,"ip_dst_port":5355,"ciscotag":"ASA-7-710005","syslog_facility":"local4","action":"discarded","ip_src_addr":"10.22.8.223","syslog_severity":"debug","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488166143 for Outside_VPN:198.111.72.64\/80 to Inside-Trunk:10.22.8.39\/54883 duration 0:00:04 bytes 1148 TCP FINs","ip_dst_addr":"10.22.8.39","ip_src_port":80,"ip_dst_port":54883,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"198.111.72.64","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.84\/445 to 10.22.8.219\/60726 flags ACK on interface inside","ip_dst_addr":"10.22.8.219","ip_src_port":445,"ip_dst_port":60726,"ciscotag":"ASA-6-106015","syslog_facility":"local4","action":"deny","ip_src_addr":"10.22.8.84","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168344 for DMZ-Inside:10.22.8.53\/61682 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 5648 TCP FINs","ip_dst_addr":"10.22.8.174","ip_src_port":61682,"ip_dst_port":40004,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.53","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 
08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168345 for DMZ-Inside:10.22.8.16\/31454 to Inside-Trunk:10.22.8.21\/443 duration 0:00:00 bytes 756 TCP FINs","ip_dst_addr":"10.22.8.21","ip_src_port":31454,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.16","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.4","protocol":"icmp","original_string":"<182>Jan 5 20:22:35 10.22.8.4 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.12\/0 gaddr 10.22.8.45\/1 laddr 10.22.8.45\/1","ip_dst_addr":"10.22.8.12","ciscotag":"ASA-6-302020","syslog_facility":"local6","action":"built","ip_src_addr":"10.22.8.45","syslog_severity":"info","timestamp":1452025355000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 50.111.72.230\/80 to 204.111.72.254\/53077 flags RST on interface Outside_VPN","ip_dst_addr":"204.111.72.254","ip_src_port":80,"ip_dst_port":53077,"ciscotag":"ASA-6-106015","syslog_facility":"local1","action":"deny","ip_src_addr":"50.111.72.230","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.12","protocol":"udp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603649 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63297 duration 0:02:01 bytes 209","ip_dst_addr":"10.22.8.48","ip_src_port":161,"ip_dst_port":63297,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"206.111.72.2","syslog_severity":"info","timestamp":1451987555000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
+{"syslog_host":"10.22.8.12","protocol":"udp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603650 for outside:207.111.72.122\/161 to inside:10.22.8.48\/63298 duration 0:02:01 bytes 209","ip_dst_addr":"10.22.8.48","ip_src_port":161,"ip_dst_port":63298,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"207.111.72.122","syslog_severity":"info","timestamp":1451987555000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.12","protocol":"udp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603652 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63300 duration 0:02:01 bytes 115","ip_dst_addr":"10.22.8.48","ip_src_port":161,"ip_dst_port":63300,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"206.111.72.2","syslog_severity":"info","timestamp":1451987555000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.12","protocol":"udp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603657 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63306 duration 0:02:01 bytes 115","ip_dst_addr":"10.22.8.48","ip_src_port":161,"ip_dst_port":63306,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"206.111.72.2","syslog_severity":"info","timestamp":1451987555000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168436 for DMZ-Inside:10.22.8.51\/51235 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 2497 TCP 
FINs","ip_dst_addr":"10.22.8.174","ip_src_port":51235,"ip_dst_port":40004,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.51","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167656 for Outside_VPN:69.111.72.70\/21560 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 11410 TCP FINs","ip_dst_addr":"10.22.8.53","ip_src_port":21560,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"69.111.72.70","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806050 for outside:10.22.8.62\/53965 (10.22.8.62\/53965)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","ip_dst_addr":"10.22.8.85","ip_src_port":53965,"ip_dst_port":53,"ciscotag":"ASA-6-302015","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.62","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806052 for outside:10.22.8.62\/56500 (10.22.8.62\/56500)(LOCAL\\user.name) to inside:198.111.72.83\/443 (198.111.72.83\/443) (user.name)","ip_dst_addr":"198.111.72.83","ip_src_port":56500,"ip_dst_port":443,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.62","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
+{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806054 for outside:10.22.8.62\/56502 (10.22.8.62\/56502)(LOCAL\\user.name) to inside:50.111.72.252\/443 (50.111.72.252\/443) (user.name)","ip_dst_addr":"50.111.72.252","ip_src_port":56502,"ip_dst_port":443,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.62","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.12","protocol":"tcp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.188\/64340 to outside:206.111.72.41\/2013","ip_src_port":64340,"ciscotag":"ASA-6-305011","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.188","syslog_severity":"info","timestamp":1451987555000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.33","protocol":"udp","original_string":"<166>Jan 5 15:52:35 10.22.8.33 %ASA-6-305012: Teardown dynamic UDP translation from inside:192.111.72.2\/62251 to outside:79.111.72.174\/21311 duration 0:02:30","ip_src_port":62251,"ciscotag":"ASA-6-305012","syslog_facility":"local4","action":"teardown","ip_src_addr":"192.111.72.2","syslog_severity":"info","timestamp":1452009155000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806058 for outside:10.22.8.221\/56631 (10.22.8.221\/56631)(LOCAL\\user.name) to inside:10.22.8.26\/389 (10.22.8.26\/389) 
(user.name)","ip_dst_addr":"10.22.8.26","ip_src_port":56631,"ip_dst_port":389,"ciscotag":"ASA-6-302015","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.221","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168189 for Outside_VPN:209.111.72.10\/56619 to DMZ-Inside:10.22.8.53\/443 duration 0:00:00 bytes 2477 TCP FINs","ip_dst_addr":"10.22.8.53","ip_src_port":56619,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"209.111.72.10","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.112\/52235 to 198.111.72.227\/80 flags ACK on interface Inside-Trunk","ip_dst_addr":"198.111.72.227","ip_src_port":52235,"ip_dst_port":80,"ciscotag":"ASA-6-106015","syslog_facility":"local1","action":"deny","ip_src_addr":"10.22.8.112","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167192 for Outside_VPN:115.111.72.7\/49196 to DMZ-Inside:10.22.8.57\/443 duration 0:00:02 bytes 20588 TCP Reset-O","ip_dst_addr":"10.22.8.57","ip_src_port":49196,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"115.111.72.7","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:35 
10.22.8.216 %ASA-6-302016: Teardown UDP connection 212806055 for outside:10.22.8.62\/55383(LOCAL\\user.name) to inside:10.22.8.85\/53 duration 0:00:00 bytes 349 (user.name)","ip_dst_addr":"10.22.8.85","ip_src_port":55383,"ip_dst_port":53,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.62","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168380 for Outside_VPN:74.111.72.12\/443 to Inside-Trunk:10.22.8.39\/54894 duration 0:00:00 bytes 5701 TCP FINs","ip_dst_addr":"10.22.8.39","ip_src_port":443,"ip_dst_port":54894,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"74.111.72.12","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.212","protocol":"tcp","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245522 for outside:10.22.8.147\/56343 (10.22.8.147\/56343) to inside:209.111.72.151\/443 (209.111.72.151\/443) (user.name)","ip_dst_addr":"209.111.72.151","ip_src_port":56343,"ip_dst_port":443,"ciscotag":"ASA-6-302013","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.147","syslog_severity":"info","timestamp":1452005555000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168443 for Outside_VPN:23.111.72.27\/80 to Inside-Trunk:10.22.8.81\/64713 duration 0:00:00 bytes 2426 TCP 
FINs","ip_dst_addr":"10.22.8.81","ip_src_port":80,"ip_dst_port":64713,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"23.111.72.27","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488111566 for Outside_VPN:131.111.72.49\/443 to Inside-Trunk:10.22.8.127\/56558 duration 0:01:57 bytes 3614 TCP Reset-O","ip_dst_addr":"10.22.8.127","ip_src_port":443,"ip_dst_port":56558,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"131.111.72.49","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806061 for outside:10.22.8.17\/58635 (10.22.8.17\/58635)(LOCAL\\user.name) to inside:10.22.8.12\/389 (10.22.8.12\/389) (user.name)","ip_dst_addr":"10.22.8.12","ip_src_port":58635,"ip_dst_port":389,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.17","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806010 for outside:10.22.8.33\/60223(LOCAL\\user.name) to inside:10.22.8.86\/389 duration 0:00:00 bytes 416 TCP Reset-I (user.name)","ip_dst_addr":"10.22.8.86","ip_src_port":60223,"ip_dst_port":389,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.33","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
+{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806062 for outside:10.22.8.221\/56632 (10.22.8.221\/56632)(LOCAL\\user.name) to inside:10.22.8.73\/389 (10.22.8.73\/389) (user.name)","ip_dst_addr":"10.22.8.73","ip_src_port":56632,"ip_dst_port":389,"ciscotag":"ASA-6-302015","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.221","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","ciscotag":"ASA-7-609002","syslog_facility":"local4","syslog_severity":"debug","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168231 for Outside_VPN:204.111.72.243\/3011 to Inside-Trunk:10.22.8.208\/60037 duration 0:00:00 bytes 19415 TCP FINs","ip_dst_addr":"10.22.8.208","ip_src_port":3011,"ip_dst_port":60037,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"204.111.72.243","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.41","protocol":"tcp","original_string":"<166>Jan 5 16:52:35 10.22.8.41 %ASA-6-302013: Built inbound TCP connection 45476108 for Outside:10.22.8.97\/53484 (10.22.8.97\/53484)(LOCAL\\user.name) to Inside:141.111.72.70\/7576 (141.111.72.70\/7576) 
(user.name)","ip_dst_addr":"141.111.72.70","ip_src_port":53484,"ip_dst_port":7576,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.97","syslog_severity":"info","timestamp":1452012755000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.212","protocol":"tcp","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245527 for outside:10.22.8.97\/65195 (10.22.8.97\/65195) to inside:17.111.72.212\/5223 (17.111.72.212\/5223) (user.name)","ip_dst_addr":"17.111.72.212","ip_src_port":65195,"ip_dst_port":5223,"ciscotag":"ASA-6-302013","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.97","syslog_severity":"info","timestamp":1452005555000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806018 for outside:10.22.8.17\/58632(LOCAL\\user.name) to inside:10.22.8.12\/389 duration 0:00:00 bytes 0 TCP FINs (user.name)","ip_dst_addr":"10.22.8.12","ip_src_port":58632,"ip_dst_port":389,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.17","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168562 for DMZ-Inside:10.22.8.51\/51236 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 2273 TCP FINs","ip_dst_addr":"10.22.8.174","ip_src_port":51236,"ip_dst_port":40004,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.51","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
+{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806065 for outside:10.22.8.62\/59829 (10.22.8.62\/59829)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","ip_dst_addr":"10.22.8.85","ip_src_port":59829,"ip_dst_port":53,"ciscotag":"ASA-6-302015","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.62","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806067 for outside:10.22.8.143\/62675 (10.22.8.143\/62675)(LOCAL\\user.name) to inside:141.111.72.12\/389 (141.111.72.12\/389) (user.name)","ip_dst_addr":"141.111.72.12","ip_src_port":62675,"ip_dst_port":389,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.143","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223\/61122 to outside:224.111.72.252\/5355","ip_dst_addr":"224.111.72.252","ip_src_port":61122,"ip_dst_port":5355,"ciscotag":"ASA-7-710005","syslog_facility":"local4","action":"discarded","ip_src_addr":"10.22.8.223","syslog_severity":"debug","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"icmp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.143\/0(LOCAL\\user.name) gaddr 141.111.72.12\/0 laddr 141.111.72.12\/0 
(user.name)","ip_dst_addr":"10.22.8.143","ciscotag":"ASA-6-302020","syslog_facility":"local4","action":"built","ip_src_addr":"141.111.72.12","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168547 for Outside_VPN:107.111.72.102\/80 to Inside-Trunk:10.22.8.54\/61676 duration 0:00:00 bytes 1030 TCP FINs","ip_dst_addr":"10.22.8.54","ip_src_port":80,"ip_dst_port":61676,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"107.111.72.102","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806078 for outside:10.22.8.221\/56633 (10.22.8.221\/56633)(LOCAL\\user.name) to inside:10.22.8.20\/389 (10.22.8.20\/389) (user.name)","ip_dst_addr":"10.22.8.20","ip_src_port":56633,"ip_dst_port":389,"ciscotag":"ASA-6-302015","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.221","syslog_severity":"info","timestamp":1451983955000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.12","protocol":"tcp","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.83\/59915 to outside:206.111.72.41\/22776","ip_src_port":59915,"ciscotag":"ASA-6-305011","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.83","syslog_severity":"info","timestamp":1451987555000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168044 for 
Outside_VPN:50.111.72.39\/80 to Inside-Trunk:10.22.8.75\/60877 duration 0:00:01 bytes 13304 TCP FINs","ip_dst_addr":"10.22.8.75","ip_src_port":80,"ip_dst_port":60877,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"50.111.72.39","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488118326 for Outside_VPN:23.111.72.27\/80 to Inside-Trunk:10.22.8.229\/57901 duration 0:01:45 bytes 1942 TCP FINs","ip_dst_addr":"10.22.8.229","ip_src_port":80,"ip_dst_port":57901,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"23.111.72.27","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488160565 for Outside_VPN:72.111.72.29\/80 to Inside-Trunk:10.22.8.42\/57520 duration 0:00:15 bytes 1025 TCP FINs","ip_dst_addr":"10.22.8.42","ip_src_port":80,"ip_dst_port":57520,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"72.111.72.29","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488096423 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59096 duration 0:02:27 bytes 99347 TCP 
Reset-O","ip_dst_addr":"10.22.8.127","ip_src_port":80,"ip_dst_port":59096,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"72.111.72.43","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488095522 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59087 duration 0:02:29 bytes 154785 TCP Reset-O","ip_dst_addr":"10.22.8.127","ip_src_port":80,"ip_dst_port":59087,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"72.111.72.43","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488106557 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59134 duration 0:02:09 bytes 25319 TCP Reset-O","ip_dst_addr":"10.22.8.127","ip_src_port":80,"ip_dst_port":59134,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"72.111.72.43","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488096426 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59099 duration 0:02:27 bytes 26171 TCP Reset-O","ip_dst_addr":"10.22.8.127","ip_src_port":80,"ip_dst_port":59099,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"72.111.72.43","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
+{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806005 for outside:10.22.8.17\/58630(LOCAL\\user.name) to inside:10.22.8.12\/389 duration 0:00:00 bytes 3942 TCP FINs (user.name)","ip_dst_addr":"10.22.8.12","ip_src_port":58630,"ip_dst_port":389,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.17","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806085 for outside:10.22.8.143\/54018 (10.22.8.143\/54018)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","ip_dst_addr":"10.22.8.85","ip_src_port":54018,"ip_dst_port":53,"ciscotag":"ASA-6-302015","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.143","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.212","protocol":"icmp","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.96\/2708 gaddr 10.22.8.30\/0 laddr 10.22.8.30\/0 (user.name)","ip_dst_addr":"10.22.8.96","ciscotag":"ASA-6-302020","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.30","syslog_severity":"info","timestamp":1452005556000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.212","protocol":"udp","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245537 for outside:10.22.8.110\/49886 (10.22.8.110\/49886) to inside:192.111.72.11\/8612 (192.111.72.11\/8612) 
(user.name)","ip_dst_addr":"192.111.72.11","ip_src_port":49886,"ip_dst_port":8612,"ciscotag":"ASA-6-302015","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.110","syslog_severity":"info","timestamp":1452005556000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.41","protocol":"tcp","original_string":"<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.85\/58359 to 10.22.8.11\/88 flags RST ACK on interface Outside","ip_dst_addr":"10.22.8.11","ip_src_port":58359,"ip_dst_port":88,"ciscotag":"ASA-6-106015","syslog_facility":"local4","action":"deny","ip_src_addr":"10.22.8.85","syslog_severity":"info","timestamp":1452012756000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"icmp","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.82\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","ip_dst_addr":"10.22.8.82","ciscotag":"ASA-6-302021","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.205","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212799832 for outside:10.22.8.230\/55549(LOCAL\\user.name) to inside:10.22.8.11\/389 duration 0:02:01 bytes 354 (user.name)","ip_dst_addr":"10.22.8.11","ip_src_port":55549,"ip_dst_port":389,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.230","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212799867 for 
outside:10.22.8.240\/138(LOCAL\\user.name) to inside:10.22.8.255\/138 duration 0:02:01 bytes 214 (user.name)","ip_dst_addr":"10.22.8.255","ip_src_port":138,"ip_dst_port":138,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.240","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","original_string":"<167>Jan 5 08:52:36 10.22.8.216 %ASA-7-609001: Built local-host inside:67.111.72.204","ciscotag":"ASA-7-609001","syslog_facility":"local4","syslog_severity":"debug","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.212","protocol":"tcp","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245544 for outside:10.22.8.227\/54540 (10.22.8.227\/54540) to inside:63.111.72.124\/80 (63.111.72.124\/80) (user.name)","ip_dst_addr":"63.111.72.124","ip_src_port":54540,"ip_dst_port":80,"ciscotag":"ASA-6-302013","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.227","syslog_severity":"info","timestamp":1452005556000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168135 for Outside_VPN:198.111.72.66\/36797 to DMZ-Inside:10.22.8.53\/80 duration 0:00:01 bytes 89039 TCP FINs","ip_dst_addr":"10.22.8.53","ip_src_port":36797,"ip_dst_port":80,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"198.111.72.66","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805836 for 
outside:10.22.8.62\/56471(LOCAL\\user.name) to inside:208.111.72.1\/443 duration 0:00:04 bytes 1700 TCP FINs (user.name)","ip_dst_addr":"208.111.72.1","ip_src_port":56471,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.62","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.212","protocol":"tcp","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245546 for outside:10.22.8.227\/54542 (10.22.8.227\/54542) to inside:63.111.72.124\/80 (63.111.72.124\/80) (user.name)","ip_dst_addr":"63.111.72.124","ip_src_port":54542,"ip_dst_port":80,"ciscotag":"ASA-6-302013","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.227","syslog_severity":"info","timestamp":1452005556000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"icmp","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","ip_dst_addr":"10.22.8.74","ciscotag":"ASA-6-302021","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.205","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.212","protocol":"icmp","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302020: Built outbound ICMP connection for faddr 10.22.8.96\/2708 gaddr 10.22.8.30\/0 laddr 10.22.8.30\/0","ip_dst_addr":"10.22.8.96","ciscotag":"ASA-6-302020","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.30","syslog_severity":"info","timestamp":1452005556000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 
10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168388 for DMZ-Inside:10.22.8.10\/49771 to Inside-Trunk:10.22.8.128\/443 duration 0:00:00 bytes 19132 TCP Reset-O","ip_dst_addr":"10.22.8.128","ip_src_port":49771,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.10","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168692 for DMZ-Inside:10.22.8.53\/61694 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 5660 TCP FINs","ip_dst_addr":"10.22.8.174","ip_src_port":61694,"ip_dst_port":40004,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.53","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.212","protocol":"tcp","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245552 for outside:10.22.8.92\/51042 (10.22.8.92\/51042) to inside:10.22.8.193\/9100 (10.22.8.193\/9100) (user.name)","ip_dst_addr":"10.22.8.193","ip_src_port":51042,"ip_dst_port":9100,"ciscotag":"ASA-6-302013","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.92","syslog_severity":"info","timestamp":1452005556000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.41","protocol":"udp","original_string":"<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-302016: Teardown UDP connection 45474680 for Outside:10.22.8.49\/137(LOCAL\\user.name) to Inside:10.22.8.12\/137 duration 0:02:03 bytes 486 
(user.name)","ip_dst_addr":"10.22.8.12","ip_src_port":137,"ip_dst_port":137,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.49","syslog_severity":"info","timestamp":1452012756000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.41","protocol":"udp","original_string":"<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-302016: Teardown UDP connection 45474694 for Outside:10.22.8.49\/138(LOCAL\\user.name) to Inside:10.22.8.12\/138 duration 0:02:01 bytes 184 (user.name)","ip_dst_addr":"10.22.8.12","ip_src_port":138,"ip_dst_port":138,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.49","syslog_severity":"info","timestamp":1452012756000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167720 for Outside_VPN:198.111.72.75\/1033 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9634 TCP FINs","ip_dst_addr":"10.22.8.53","ip_src_port":1033,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"198.111.72.75","syslog_severity":"info","timestamp":1451983956000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488165627 for Outside_VPN:170.111.72.22\/27463 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9756 TCP FINs","ip_dst_addr":"10.22.8.53","ip_src_port":27463,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"170.111.72.22","syslog_severity":"info","timestamp":1451983952000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} 
+{"syslog_host":"10.22.8.216","protocol":"udp","original_string":"<166>Jan 5 08:52:32 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212805854 for outside:10.22.8.62\/54704(LOCAL\\user.name) to inside:10.22.8.85\/53 duration 0:00:00 bytes 114 (user.name)","ip_dst_addr":"10.22.8.85","ip_src_port":54704,"ip_dst_port":53,"ciscotag":"ASA-6-302016","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.62","syslog_severity":"info","timestamp":1451983952000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.12","protocol":"icmp","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-302020: Built inbound ICMP connection for faddr 207.111.72.122\/0 gaddr 206.111.72.24\/512 laddr 10.22.8.57\/512","ip_dst_addr":"207.111.72.122","ciscotag":"ASA-6-302020","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.57","syslog_severity":"info","timestamp":1451987552000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.12","protocol":"tcp","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-302013: Built outbound TCP connection 17605397 for outside:69.111.72.0\/80 (69.111.72.0\/80) to inside:10.22.8.102\/55659 (206.111.72.41\/40627)","ip_dst_addr":"10.22.8.102","ip_src_port":80,"ip_dst_port":55659,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"69.111.72.0","syslog_severity":"info","timestamp":1451987552000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.212","protocol":"udp","original_string":"<174>Jan 5 14:52:32 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245230 for outside:10.22.8.96\/123 (10.22.8.96\/123) to inside:10.22.8.12\/123 (10.22.8.12\/123) 
(user.name)","ip_dst_addr":"10.22.8.12","ip_src_port":123,"ip_dst_port":123,"ciscotag":"ASA-6-302015","syslog_facility":"local5","action":"built","ip_src_addr":"10.22.8.96","syslog_severity":"info","timestamp":1452005552000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488031413 for Outside_VPN:184.111.72.216\/50341 to DMZ-Inside:10.22.8.57\/443 duration 0:05:01 bytes 13543 TCP Reset-O","ip_dst_addr":"10.22.8.57","ip_src_port":50341,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"184.111.72.216","syslog_severity":"info","timestamp":1451983952000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.41","protocol":"icmp","original_string":"<166>Jan 5 16:52:32 10.22.8.41 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.95\/1(LOCAL\\user.name) gaddr 10.22.8.12\/0 laddr 10.22.8.12\/0 (user.name)","ip_dst_addr":"10.22.8.95","ciscotag":"ASA-6-302020","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.12","syslog_severity":"info","timestamp":1452012752000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488030393 for DMZ-Inside:[10.22.8.10\/57109 to Inside-Trunk:10.22.8.128\/443 duration 0:05:04 bytes 13541 TCP Reset-O","ciscotag":"ASA-6-302014","syslog_facility":"local1","syslog_severity":"info","timestamp":1451983952000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.12","protocol":"tcp","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149\/62156 to outside:206.111.72.41\/19576 duration 
0:00:44","ip_src_port":62156,"ciscotag":"ASA-6-305012","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.149","syslog_severity":"info","timestamp":1451987552000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.12","protocol":"tcp","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149\/62159 to outside:206.111.72.41\/39634 duration 0:00:44","ip_src_port":62159,"ciscotag":"ASA-6-305012","syslog_facility":"local4","action":"teardown","ip_src_addr":"10.22.8.149","syslog_severity":"info","timestamp":1451987552000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488031793 for Outside_VPN:198.111.72.146\/28026 to DMZ-Inside:10.22.8.53\/443 duration 0:05:00 bytes 119 TCP FINs","ip_dst_addr":"10.22.8.53","ip_src_port":28026,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"198.111.72.146","syslog_severity":"info","timestamp":1451983952000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488030810 for DMZ-Inside:10.22.8.10\/56930 to Inside-Trunk:10.22.8.128\/443 duration 0:05:03 bytes 13543 TCP Reset-O","ip_dst_addr":"10.22.8.128","ip_src_port":56930,"ip_dst_port":443,"ciscotag":"ASA-6-302014","syslog_facility":"local1","action":"teardown","ip_src_addr":"10.22.8.10","syslog_severity":"info","timestamp":1451983952000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.201","protocol":"tcp","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11\/80 to 
204.111.72.199\/61438 flags SYN ACK on interface Outside_VPN","ip_dst_addr":"204.111.72.199","ip_src_port":80,"ip_dst_port":61438,"ciscotag":"ASA-6-106015","syslog_facility":"local1","action":"deny","ip_src_addr":"186.111.72.11","syslog_severity":"info","timestamp":1451983952000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","protocol":"tcp","original_string":"<166>Jan 5 08:52:32 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212805863 for outside:10.22.8.144\/61999 (10.22.8.144\/61999)(LOCAL\\user.name) to inside:10.22.8.163\/80 (10.22.8.163\/80) (user.name)","ip_dst_addr":"10.22.8.163","ip_src_port":61999,"ip_dst_port":80,"ciscotag":"ASA-6-302013","syslog_facility":"local4","action":"built","ip_src_addr":"10.22.8.144","syslog_severity":"info","timestamp":1451983952000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"syslog_host":"10.22.8.216","original_string":"<167>Jan 5 08:52:32 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","ciscotag":"ASA-7-609002","syslog_facility":"local4","syslog_severity":"debug","timestamp":1451983952000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"protocol":"udp","original_string":"<166>Aug 06 2016 20:39:42: %ASA-6-110002: Failed to locate egress interface for UDP from Inside:10.25.14.52\/56544 to 172.18.106.2\/161","ip_dst_addr":"172.18.106.2","ip_src_port":56544,"ip_dst_port":161,"ciscotag":"ASA-6-110002","syslog_facility":"local4","ip_src_addr":"10.25.14.52","syslog_severity":"info","timestamp":1470515982000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<165>Aug 11 2016 15:42:07: %ASA-5-111010: User 'admin', running 'N\/A' from IP 10.25.112.191, executed 'service-object object 
TCP44720-44722'","ciscotag":"ASA-5-111010","syslog_facility":"local4","syslog_severity":"notice","timestamp":1470930127000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<165>Aug 06 2016 18:05:27: %ASA-5-713202: IP = 192.168.140.20, Duplicate first packet detected. Ignoring packet.","ciscotag":"ASA-5-713202","syslog_facility":"local4","syslog_severity":"notice","timestamp":1470506727000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<165>Aug 07 2016 22:38:41: %ASA-5-713904: IP = 206.16.173.28, Received encrypted packet with no matching SA, dropping","ciscotag":"ASA-5-713904","syslog_facility":"local4","syslog_severity":"notice","timestamp":1470609521000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<165>Aug 16 2016 08:20:21: %ASA-5-713050: Group = 192.168.136.20, IP = 192.168.136.20, Connection terminated for peer 192.168.136.20. Reason: IPSec SA Idle Timeout Remote Proxy 192.168.136.22, Local Proxy 172.18.106.36","ciscotag":"ASA-5-713050","syslog_facility":"local4","syslog_severity":"notice","timestamp":1471335621000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<164>Aug 16 2016 13:01:43: %ASA-4-313004: Denied ICMP type=0, from laddr 172.20.30.1 on interface Outside to 10.25.24.122: no matching session","ciscotag":"ASA-4-313004","syslog_facility":"local4","syslog_severity":"warn","timestamp":1471352503000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<166>Aug 16 2016 08:54:22: %ASA-6-113009: AAA retrieved default group policy (DefaultPolicyCA) for user = 192.168.136.20","ciscotag":"ASA-6-113009","syslog_facility":"local4","syslog_severity":"info","timestamp":1471337662000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<163>Aug 05 2016 20:21:04: %ASA-3-106010: Deny inbound 
protocol 47 src Outside:14.169.120.66 dst Outside:172.18.105.105","ciscotag":"ASA-3-106010","syslog_facility":"local4","syslog_severity":"err","timestamp":1470428464000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<164>Aug 06 2016 17:43:49: %ASA-4-113019: Group = 192.168.140.20, Username = 192.168.140.20, IP = 192.168.140.20, Session disconnected. Session Type: LAN-to-LAN, Duration: 12d 9h:11m:22s, Bytes xmt: 523781833, Bytes rcv: 16336203, Reason: Lost Service","ciscotag":"ASA-4-113019","syslog_facility":"local4","syslog_severity":"warn","timestamp":1470505429000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<165>Aug 05 2016 22:13:07: %ASA-5-500003: Bad TCP hdr length (hdrlen=4, pktlen=74) from 159.203.208.134\/0 to 172.18.105.12\/0, flags: INVALID, on interface Outside","ciscotag":"ASA-5-500003","syslog_facility":"local4","syslog_severity":"notice","timestamp":1470435187000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<165>Aug 06 2016 17:43:49: %ASA-5-713259: Group = 192.168.140.20, IP = 192.168.140.20, Session is being torn down. Reason: Lost Service","ciscotag":"ASA-5-713259","syslog_facility":"local4","syslog_severity":"notice","timestamp":1470505429000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"protocol":"icmp","original_string":"<163>Aug 05 2016 19:13:26: %ASA-3-313001: Denied ICMP type=3, code=3 from 198.27.69.147 on interface Outside","ciscotag":"ASA-3-313001","syslog_facility":"local4","action":"denied","ip_src_addr":"198.27.69.147","syslog_severity":"err","timestamp":1470424406000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"protocol":"icmp","original_string":"<164>Aug 05 2016 19:13:26: %ASA-4-313005: No matching connection for ICMP error message: icmp src Outside:198.27.69.147 dst identity:172.18.106.2 (type 3, code 3) on Outside interface. 
Original IP payload: udp src 172.18.106.2\/9993 dst 198.27.69.147\/26410.","ciscotag":"ASA-4-313005","syslog_facility":"local4","syslog_severity":"warn","timestamp":1470424406000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<163>Aug 11 2016 11:43:25: %ASA-3-713902: Group = 10.12.208.226, IP = 10.12.208.226, Removing peer from correlator table failed, no match!","ciscotag":"ASA-3-713902","syslog_facility":"local4","syslog_severity":"err","timestamp":1470915805000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<164>Aug 11 2016 11:43:02: %ASA-4-752010: IKEv2 Doesn't have a proposal specified","ciscotag":"ASA-4-752010","syslog_facility":"local4","syslog_severity":"warn","timestamp":1470915782000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<165>Aug 11 2016 11:43:02: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = demap. Map Sequence Number = 1.","ciscotag":"ASA-5-752004","syslog_facility":"local4","syslog_severity":"notice","timestamp":1470915782000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<163>Aug 11 2016 12:15:25: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= demap. Map Sequence Number = 1.","ciscotag":"ASA-3-752015","syslog_facility":"local4","syslog_severity":"err","timestamp":1470917725000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<164>Aug 11 2016 12:11:16: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = demap. 
Map Sequence Number = 1.","ciscotag":"ASA-4-752012","syslog_facility":"local4","syslog_severity":"warn","timestamp":1470917476000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<164>Aug 06 2016 00:02:25: %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 500 from 172.30.106.180:57380","ciscotag":"ASA-4-713903","syslog_facility":"local4","syslog_severity":"warn","timestamp":1470441745000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<163>Aug 11 2016 11:43:25: %ASA-3-713227: IP = 10.12.208.226, Rejecting new IPSec SA negotiation for peer 10.12.208.226. A negotiation was already in progress for local Proxy 10.25.0.0\/255.255.0.0, remote Proxy 172.20.30.0\/255.255.255.0","ciscotag":"ASA-3-713227","syslog_facility":"local4","syslog_severity":"err","timestamp":1470915805000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<166>Aug 20 2016 23:06:27: %ASA-6-713905: INFO: IKE Transform #8 next payload is 3 (should be 0).","ciscotag":"ASA-6-713905","syslog_facility":"local4","syslog_severity":"info","timestamp":1471734387000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<166>Aug 11 2016 11:43:02: %ASA-6-713219: IP = 10.12.208.226, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.","ciscotag":"ASA-6-713219","syslog_facility":"local4","syslog_severity":"info","timestamp":1470915782000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"original_string":"<166>Aug 11 2016 11:43:19: %ASA-6-713220: Group = 10.12.208.226, IP = 10.12.208.226, De-queuing KEY-ACQUIRE messages that were left pending.","ciscotag":"ASA-6-713220","syslog_facility":"local4","syslog_severity":"info","timestamp":1470915799000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"protocol":"tcp","original_string":"<162>Aug 05 2016 01:02:25: 
%ASA-2-106001: Inbound TCP connection denied from 10.47.32.45\/60641 to 10.254.8.193\/5060 flags SYN on interface Inside","ip_dst_addr":"10.254.8.193","ip_src_port":60641,"ip_dst_port":5060,"ciscotag":"ASA-2-106001","syslog_facility":"local4","action":"denied","ip_src_addr":"10.47.32.45","syslog_severity":"crit","timestamp":1470358945000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"protocol":"icmp","original_string":"<163>Aug 05 2016 01:02:25: %ASA-3-106014: Deny inbound icmp src Inside:10.230.4.87 dst Inside:10.22.75.251 (type 8, code 0)","ip_dst_addr":"10.22.75.251","ciscotag":"ASA-3-106014","syslog_facility":"local4","action":"deny","ip_src_addr":"10.230.4.87","syslog_severity":"err","timestamp":1470358945000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"protocol":"udp","original_string":"<164>Aug 05 2016 01:02:25: %ASA-4-106023: Deny udp src Inside:10.230.4.88\/42350 dst Outside:192.168.2.53\/53 by access-group \"Inside_access_in\" [0x962df600, 0x0]","ip_dst_addr":"192.168.2.53","ip_src_port":42350,"ip_dst_port":53,"ciscotag":"ASA-4-106023","syslog_facility":"local4","action":"deny","ip_src_addr":"10.230.4.88","syslog_severity":"warn","timestamp":1470358945000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"protocol":"tcp","original_string":"<164>Aug 05 2016 01:02:25: %ASA-4-106023: Deny tcp src Inside:10.30.6.47\/4562 dst Outside:192.168.133.204\/443 by access-group \"Inside_access_in\" [0x962df600, 0x0]","ip_dst_addr":"192.168.133.204","ip_src_port":4562,"ip_dst_port":443,"ciscotag":"ASA-4-106023","syslog_facility":"local4","action":"deny","ip_src_addr":"10.30.6.47","syslog_severity":"warn","timestamp":1470358945000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"} +{"protocol":"tcp","original_string":"<164>Aug 05 2016 01:02:25: %ASA-4-106023: Deny tcp src Inside:10.30.6.47\/4563 dst Outside:192.168.133.204\/443 by access-group 
\"Inside_access_in\" [0x962df600, 0x0]","ip_dst_addr":"192.168.133.204","ip_src_port":4563,"ip_dst_port":443,"ciscotag":"ASA-4-106023","syslog_facility":"local4","action":"deny","ip_src_addr":"10.30.6.47","syslog_severity":"warn","timestamp":1470358945000,"metron_sensor_type":"asa","guid":"this-is-random-uuid-will-be-36-chars"}
\ No newline at end of file
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/bro/parsed/BroExampleParsed b/metron-platform/metron-integration-test/src/main/sample/data/bro/parsed/BroExampleParsed
index 8db8a5feeb..2a65c9052e 100644
--- a/metron-platform/metron-integration-test/src/main/sample/data/bro/parsed/BroExampleParsed
+++ b/metron-platform/metron-integration-test/src/main/sample/data/bro/parsed/BroExampleParsed
@@ -1,31 +1,31 @@ -{"bro_timestamp":"1402307733.473","status_code":200,"method":"GET","ip_dst_port":80,"request_body_len":0,"uri":"\/","tags":[],"source.type":"bro","uid":"CTo78A11g7CYbbOHvj","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:58808 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/ tags:[] uid:CTo78A11g7CYbbOHvj resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:www.cisco.com status_msg:OK id.orig_h:192.249.113.37 response_body_len:25523 user_agent:curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3 ts:1402307733.473 id.resp_h:72.163.4.161 resp_fuids:[\"FJDyMC15lxUn5ngPfd\"]","ip_dst_addr":"72.163.4.161","ip_src_port":58808,"host":"www.cisco.com","status_msg":"OK","response_body_len":25523,"ip_src_addr":"192.249.113.37","user_agent":"curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3","resp_fuids":["FJDyMC15lxUn5ngPfd"],"timestamp":1402307733473,"guid":"this-is-random-uuid-will-be-36-chars"} -{"TTLs":[3600.0,289.0,14.0],"qclass_name":"C_INTERNET","bro_timestamp":"1402308259.609","qtype_name":"AAAA","ip_dst_port":53,"qtype":28,"rejected":false,"answers":["www.cisco.com.akadns.net","origin-www.cisco.com","2001:420:1201:2::a"],"trans_id":62418,"uid":"CuJT272SKaJSuqO0Ia","protocol":"dns","original_string":"DNS | AA:true TTLs:[3600.0,289.0,14.0] qclass_name:C_INTERNET id.orig_p:33976 qtype_name:AAAA qtype:28 rejected:false id.resp_p:53 query:www.cisco.com answers:[\"www.cisco.com.akadns.net\",\"origin-www.cisco.com\",\"2001:420:1201:2::a\"] trans_id:62418 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CuJT272SKaJSuqO0Ia RD:true proto:udp id.orig_h:10.122.196.204 Z:0 qclass:1 ts:1402308259.609 
id.resp_h:144.254.71.184","ip_dst_addr":"144.254.71.184","Z":0,"ip_src_addr":"10.122.196.204","qclass":1,"timestamp":1402308259609,"AA":true,"query":"www.cisco.com","rcode":0,"rcode_name":"NOERROR","TC":false,"RA":true,"source.type":"bro","RD":true,"ip_src_port":33976,"proto":"udp","guid":"this-is-random-uuid-will-be-36-chars"} -{"bro_timestamp":"1402307733.473","status_code":200,"method":"GET","ip_dst_port":80,"request_body_len":0,"uri":"\/","tags":[],"source.type":"bro","uid":"KIRAN","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:58808 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/ tags:[] uid:KIRAN resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:www.cisco.com status_msg:OK id.orig_h:10.122.196.204 response_body_len:25523 user_agent:curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3 ts:1402307733.473 id.resp_h:72.163.4.161 resp_fuids:[\"FJDyMC15lxUn5ngPfd\"]","ip_dst_addr":"72.163.4.161","ip_src_port":58808,"host":"www.cisco.com","status_msg":"OK","response_body_len":25523,"ip_src_addr":"10.122.196.204","user_agent":"curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3","resp_fuids":["FJDyMC15lxUn5ngPfd"],"timestamp":1402307733473,"guid":"this-is-random-uuid-will-be-36-chars"} -{"bro_timestamp":"1402307733.473","status_code":200,"method":"GET","ip_dst_port":80,"request_body_len":0,"uri":"\/","tags":[],"source.type":"bro","uid":"KIRAN12312312","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:58808 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/ tags:[] uid:KIRAN12312312 resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:www.cisco.com status_msg:OK id.orig_h:192.249.113.37 response_body_len:25523 user_agent:curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 
librtmp\/2.3 ts:1402307733.473 id.resp_h:72.163.4.161 resp_fuids:[\"FJDyMC15lxUn5ngPfd\"]","ip_dst_addr":"72.163.4.161","ip_src_port":58808,"host":"www.cisco.com","status_msg":"OK","response_body_len":25523,"ip_src_addr":"192.249.113.37","user_agent":"curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3","resp_fuids":["FJDyMC15lxUn5ngPfd"],"timestamp":1402307733473,"guid":"this-is-random-uuid-will-be-36-chars"} -{"bro_timestamp":"1402307733.473","status_code":200,"method":"GET","ip_dst_port":80,"request_body_len":0,"uri":"\/","tags":[],"source.type":"bro","uid":"KIRAN12312312","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:58808 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/ tags:[] uid:KIRAN12312312 resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:www.cisco.com status_msg:OK id.orig_h:192.249.113.37 response_body_len:25523 user_agent:curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3 ts:1402307733.473 id.resp_h:72.163.4.161 resp_fuids:[\"FJDyMC15lxUn5ngPfd\"]","ip_dst_addr":"72.163.4.161","ip_src_port":58808,"host":"www.cisco.com","status_msg":"OK","response_body_len":25523,"ip_src_addr":"192.249.113.37","user_agent":"curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3","resp_fuids":["FJDyMC15lxUn5ngPfd"],"timestamp":1402307733473,"guid":"this-is-random-uuid-will-be-36-chars"} -{"bro_timestamp":"1402307733.473","status_code":200,"method":"GET","ip_dst_port":80,"request_body_len":0,"uri":"\/","tags":[],"source.type":"bro","uid":"CTo78A11g7CYbbOHvj","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:58808 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/ tags:[] uid:CTo78A11g7CYbbOHvj resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:gabacentre.pw 
status_msg:OK id.orig_h:10.122.196.204 response_body_len:25523 email:abullis@mail.csuchico.edu user_agent:curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3 ts:1402307733.473 id.resp_h:72.163.4.161 resp_fuids:[\"FJDyMC15lxUn5ngPfd\"]","ip_dst_addr":"72.163.4.161","ip_src_port":58808,"host":"gabacentre.pw","status_msg":"OK","response_body_len":25523,"ip_src_addr":"10.122.196.204","email":"abullis@mail.csuchico.edu","user_agent":"curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3","resp_fuids":["FJDyMC15lxUn5ngPfd"],"timestamp":1402307733473,"guid":"this-is-random-uuid-will-be-36-chars"} -{"TTLs":[3600.0,289.0,14.0],"qclass_name":"C_INTERNET","bro_timestamp":"1402308259.609","qtype_name":"AAAA","ip_dst_port":53,"qtype":28,"rejected":false,"answers":["gabacentre.pw","www.cisco.com.akadns.net","origin-www.cisco.com","2001:420:1201:2::a"],"trans_id":62418,"uid":"CYbbOHvj","protocol":"dns","original_string":"DNS | AA:true TTLs:[3600.0,289.0,14.0] qclass_name:C_INTERNET id.orig_p:33976 qtype_name:AAAA qtype:28 rejected:false id.resp_p:53 query:www.cisco.com answers:[\"gabacentre.pw\",\"www.cisco.com.akadns.net\",\"origin-www.cisco.com\",\"2001:420:1201:2::a\"] trans_id:62418 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CYbbOHvj RD:true proto:udp id.orig_h:93.188.160.43 Z:0 qclass:1 ts:1402308259.609 id.resp_h:144.254.71.184","ip_dst_addr":"144.254.71.184","Z":0,"ip_src_addr":"93.188.160.43","qclass":1,"timestamp":1402308259609,"AA":true,"query":"www.cisco.com","rcode":0,"rcode_name":"NOERROR","TC":false,"RA":true,"source.type":"bro","RD":true,"ip_src_port":33976,"proto":"udp","guid":"this-is-random-uuid-will-be-36-chars"} 
-{"bro_timestamp":"1402307733.473","status_code":200,"method":"GET","ip_dst_port":80,"request_body_len":0,"uri":"\/","tags":[],"source.type":"bro","uid":"CTo78A11g7CYbbOHvj","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:58808 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/ tags:[] uid:CTo78A11g7CYbbOHvj resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:www.cisco.com status_msg:OK id.orig_h:192.249.113.37 response_body_len:25523 user_agent:curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3 ts:1402307733.473 id.resp_h:72.163.4.161 resp_fuids:[\"FJDyMC15lxUn5ngPfd\"]","ip_dst_addr":"72.163.4.161","ip_src_port":58808,"host":"www.cisco.com","status_msg":"OK","response_body_len":25523,"ip_src_addr":"192.249.113.37","user_agent":"curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3","resp_fuids":["FJDyMC15lxUn5ngPfd"],"timestamp":1402307733473,"guid":"this-is-random-uuid-will-be-36-chars"} -{"TTLs":[3600.0,289.0,14.0],"qclass_name":"C_INTERNET","bro_timestamp":"1402308259.609","qtype_name":"AAAA","ip_dst_port":53,"qtype":28,"rejected":false,"answers":["www.cisco.com.akadns.net","origin-www.cisco.com","2001:420:1201:2::a"],"trans_id":62418,"uid":"CuJT272SKaJSuqO0Ia","protocol":"dns","original_string":"DNS | AA:true TTLs:[3600.0,289.0,14.0] qclass_name:C_INTERNET id.orig_p:33976 qtype_name:AAAA qtype:28 rejected:false id.resp_p:53 query:www.cisco.com answers:[\"www.cisco.com.akadns.net\",\"origin-www.cisco.com\",\"2001:420:1201:2::a\"] trans_id:62418 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CuJT272SKaJSuqO0Ia RD:true proto:udp id.orig_h:10.122.196.204 Z:0 qclass:1 ts:1402308259.609 
id.resp_h:144.254.71.184","ip_dst_addr":"144.254.71.184","Z":0,"ip_src_addr":"10.122.196.204","qclass":1,"timestamp":1402308259609,"AA":true,"query":"www.cisco.com","rcode":0,"rcode_name":"NOERROR","TC":false,"RA":true,"source.type":"bro","RD":true,"ip_src_port":33976,"proto":"udp","guid":"this-is-random-uuid-will-be-36-chars"} -{"bro_timestamp":"1402307733.473","status_code":200,"method":"GET","ip_dst_port":80,"request_body_len":0,"uri":"\/","tags":[],"source.type":"bro","uid":"KIRAN","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:58808 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/ tags:[] uid:KIRAN resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:www.cisco.com status_msg:OK id.orig_h:10.122.196.204 response_body_len:25523 user_agent:curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3 ts:1402307733.473 id.resp_h:72.163.4.161 resp_fuids:[\"FJDyMC15lxUn5ngPfd\"]","ip_dst_addr":"72.163.4.161","ip_src_port":58808,"host":"www.cisco.com","status_msg":"OK","response_body_len":25523,"ip_src_addr":"10.122.196.204","user_agent":"curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3","resp_fuids":["FJDyMC15lxUn5ngPfd"],"timestamp":1402307733473,"guid":"this-is-random-uuid-will-be-36-chars"} -{"bro_timestamp":"1440447880.931272","resp_pkts":1,"resp_ip_bytes":48,"ip_dst_port":1812,"orig_bytes":75,"orig_ip_bytes":103,"orig_pkts":1,"missed_bytes":0,"history":"Dd","tunnel_parents":[],"source.type":"bro","duration":1.001459,"uid":"CWxtRHnBTbldHnmGh","protocol":"conn","resp_bytes":20,"original_string":"CONN | id.orig_p:52178 resp_pkts:1 resp_ip_bytes:48 orig_bytes:75 id.resp_p:1812 orig_ip_bytes:103 orig_pkts:1 missed_bytes:0 history:Dd tunnel_parents:[] duration:1.001459 uid:CWxtRHnBTbldHnmGh resp_bytes:20 service:radius conn_state:SF proto:udp id.orig_h:127.0.0.1 ts:1440447880.931272 
id.resp_h:127.0.0.1","ip_dst_addr":"127.0.0.1","ip_src_port":52178,"service":"radius","conn_state":"SF","proto":"udp","guid":"4a92fe07-8f9d-4092-83c3-0d4e37c92d29","ip_src_addr":"127.0.0.1","timestamp":1440447880931} -{"bro_timestamp":"1440447904.122012","resp_pkts":0,"resp_ip_bytes":0,"ip_dst_port":1812,"orig_bytes":225,"orig_ip_bytes":309,"orig_pkts":3,"missed_bytes":0,"history":"D","tunnel_parents":[],"source.type":"bro","duration":10.008839,"uid":"CK2Oivhlh0ovRcYx","protocol":"conn","resp_bytes":0,"original_string":"CONN | id.orig_p:62956 resp_pkts:0 resp_ip_bytes:0 orig_bytes:225 id.resp_p:1812 orig_ip_bytes:309 orig_pkts:3 missed_bytes:0 history:D tunnel_parents:[] duration:10.008839 uid:CK2Oivhlh0ovRcYx resp_bytes:0 service:radius conn_state:S0 proto:udp id.orig_h:127.0.0.1 ts:1440447904.122012 id.resp_h:127.0.0.1","ip_dst_addr":"127.0.0.1","ip_src_port":62956,"service":"radius","conn_state":"S0","proto":"udp","guid":"9e4952e0-6dd3-4487-b5fa-299b9433c381","ip_src_addr":"127.0.0.1","timestamp":1440447904122} -{"bro_timestamp":"1440448190.335333","resp_pkts":1,"resp_ip_bytes":99,"ip_dst_port":1812,"orig_bytes":75,"orig_ip_bytes":103,"orig_pkts":1,"missed_bytes":0,"history":"Dd","tunnel_parents":[],"source.type":"bro","duration":5.17E-4,"uid":"CX6mcO38sO7dkDxK55","protocol":"conn","resp_bytes":71,"original_string":"CONN | id.orig_p:53127 resp_pkts:1 resp_ip_bytes:99 orig_bytes:75 id.resp_p:1812 orig_ip_bytes:103 orig_pkts:1 missed_bytes:0 history:Dd tunnel_parents:[] duration:0.000517 uid:CX6mcO38sO7dkDxK55 resp_bytes:71 service:radius conn_state:SF proto:udp id.orig_h:127.0.0.1 ts:1440448190.335333 id.resp_h:127.0.0.1","ip_dst_addr":"127.0.0.1","ip_src_port":53127,"service":"radius","conn_state":"SF","proto":"udp","guid":"bc1af1bf-5b1c-4829-b574-3243670fd448","ip_src_addr":"127.0.0.1","timestamp":1440448190335} -{"bro_timestamp":"1216702277.477596","ip_dst_port":80,"failure_reason":"not a http reply 
line","source.type":"bro","uid":"C4O50B3WAUCb2Yw29j","protocol":"dpd","original_string":"DPD | uid:C4O50B3WAUCb2Yw29j id.orig_p:33348 analyzer:HTTP id.resp_p:80 proto:tcp id.orig_h:192.168.15.4 failure_reason:not a http reply line ts:1216702277.477596 id.resp_h:66.33.212.43","ip_dst_addr":"66.33.212.43","ip_src_port":33348,"analyzer":"HTTP","proto":"tcp","guid":"b03d9d34-4a39-4e68-8b21-08bdd532ae07","ip_src_addr":"192.168.15.4","timestamp":1216702277477} -{"bro_timestamp":"1166289883.160785","ip_dst_port":21,"reply_msg":"Entering Passive Mode (192,168,0,193,28,86)","data_channel.orig_h":"192.168.0.114","data_channel.passive":true,"data_channel.resp_p":7254,"command":"PASV","source.type":"bro","uid":"ClOsCM3BUs3saPsD2c","password":"","protocol":"ftp","original_string":"FTP | id.orig_p:1137 id.resp_p:21 reply_msg:Entering Passive Mode (192,168,0,193,28,86) data_channel.orig_h:192.168.0.114 data_channel.passive:true data_channel.resp_p:7254 command:PASV uid:ClOsCM3BUs3saPsD2c password: data_channel.resp_h:192.168.0.193 id.orig_h:192.168.0.114 user:csanders reply_code:227 ts:1166289883.160785 id.resp_h:192.168.0.193","ip_dst_addr":"192.168.0.193","ip_src_port":1137,"data_channel.resp_h":"192.168.0.193","guid":"4b0c4cda-28ee-404e-b966-036bc7f638ff","user":"csanders","ip_src_addr":"192.168.0.114","reply_code":227,"timestamp":1166289883160} -{"bro_timestamp":"1216706983.387664","timedout":true,"source":"HTTP","is_orig":false,"overflow_bytes":0,"source.type":"bro","duration":30.701792,"protocol":"files","depth":0,"original_string":"FILES | timedout:true rx_hosts:[\"192.168.15.4\"] source:HTTP is_orig:false tx_hosts:[\"216.113.185.92\"] overflow_bytes:0 duration:30.701792 depth:0 analyzers:[\"MD5\",\"SHA1\"] fuid:FnEYba9VPOcC41c1 conn_uids:[\"CLWqoN1IA9MB8Ru9i3\"] seen_bytes:0 missing_bytes:3384 
ts:1216706983.387664","ip_dst_addr":"192.168.15.4","analyzers":["MD5","SHA1"],"guid":"7b7148a0-f484-4450-97a3-29493e1c7360","fuid":"FnEYba9VPOcC41c1","conn_uids":["CLWqoN1IA9MB8Ru9i3"],"seen_bytes":0,"missing_bytes":3384,"ip_src_addr":"216.113.185.92","timestamp":1216706983387} -{"bro_timestamp":"1216706999.34818","protocol":"known_certs","original_string":"KNOWN_CERTS | issuer_subject:CN=VeriSign Class 3 Secure Server CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)05,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US serial:24A2DD82DC52358E7F0C6AF6135F3B32 subject:CN=nexus.passport.com,OU=MSN Passport,O=Microsoft,L=Redmond,ST=Washington,C=US port_num:443 host:65.54.179.216 ts:1216706999.34818","issuer_subject":"CN=VeriSign Class 3 Secure Server CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)05,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US","serial":"24A2DD82DC52358E7F0C6AF6135F3B32","subject":"CN=nexus.passport.com,OU=MSN Passport,O=Microsoft,L=Redmond,ST=Washington,C=US","port_num":443,"host":"65.54.179.216","guid":"76fe881c-3ed7-4477-a870-f5381577e4ae","timestamp":1216706999348,"source.type":"bro"} -{"bro_timestamp":"1258568036.57884","ip_dst_port":25,"source.type":"bro","helo":"M57Terry","uid":"ChR6254RrWbrxiGsd7","path":["192.168.1.1","192.168.1.105"],"trans_depth":1,"protocol":"smtp","original_string":"SMTP | id.orig_p:49353 id.resp_p:25 helo:M57Terry uid:ChR6254RrWbrxiGsd7 path:[\"192.168.1.1\",\"192.168.1.105\"] trans_depth:1 is_webmail:false last_reply:220 2.0.0 Ready to start TLS id.orig_h:192.168.1.105 tls:true fuids:[] ts:1258568036.57884 id.resp_h:192.168.1.1","ip_dst_addr":"192.168.1.1","ip_src_port":49353,"is_webmail":false,"last_reply":"220 2.0.0 Ready to start TLS","guid":"9a3d1e86-7d25-4426-b2af-6ab5be1e607f","tls":true,"fuids":[],"ip_src_addr":"192.168.1.105","timestamp":1258568036578} 
-{"cipher":"TLS_RSA_WITH_RC4_128_MD5","established":true,"server_name":"login.live.com","bro_timestamp":"1216706999.444925","client_cert_chain_fuids":[],"ip_dst_port":443,"subject":"CN=login.live.com,OU=MSN-Passport,O=Microsoft Corporation,street=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=V1.0\\, Clause 5.(b),1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553","cert_chain_fuids":["FkYBO41LPAXxh44KFk","FPrzYN1SuBqHflXZId","FZ71xF13r5XVSam1z1"],"version":"TLSv10","issuer":"CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US","source.type":"bro","uid":"CVrS2IBW8gukBClA8","protocol":"ssl","original_string":"SSL | cipher:TLS_RSA_WITH_RC4_128_MD5 established:true server_name:login.live.com id.orig_p:36532 client_cert_chain_fuids:[] subject:CN=login.live.com,OU=MSN-Passport,O=Microsoft Corporation,street=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=V1.0\\, Clause 5.(b),1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553 id.resp_p:443 cert_chain_fuids:[\"FkYBO41LPAXxh44KFk\",\"FPrzYN1SuBqHflXZId\",\"FZ71xF13r5XVSam1z1\"] version:TLSv10 issuer:CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US uid:CVrS2IBW8gukBClA8 id.orig_h:192.168.15.4 validation_status:unable to get local issuer certificate resumed:false ts:1216706999.444925 id.resp_h:65.54.186.47","ip_dst_addr":"65.54.186.47","ip_src_port":36532,"guid":"1bff79d0-7b86-43de-b5ec-132bb62f4339","validation_status":"unable to get local issuer certificate","resumed":false,"ip_src_addr":"192.168.15.4","timestamp":1216706999444} 
-{"bro_timestamp":"1216706981.177382","ip_dst_port":80,"source.type":"bro","uid":"Cfxxnt3m0v9SEf5XQ7","protocol":"weird","original_string":"WEIRD | uid:Cfxxnt3m0v9SEf5XQ7 id.orig_p:36446 peer:bro id.resp_p:80 name:unescaped_special_URI_char id.orig_h:192.168.15.4 ts:1216706981.177382 id.resp_h:66.151.146.194 notice:false","ip_dst_addr":"66.151.146.194","ip_src_port":36446,"peer":"bro","name":"unescaped_special_URI_char","guid":"fa2d1068-ca33-4962-b9ab-902605ea3e14","ip_src_addr":"192.168.15.4","notice":false,"timestamp":1216706981177} -{"msg":"SSL certificate validation failed with (unable to get local issuer certificate)","suppress_for":3600.0,"note":"SSL::Invalid_Server_Cert","sub":"CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US","bro_timestamp":"1216706377.196728","dst":"74.125.19.104","ip_dst_port":443,"src":"192.168.15.4","dropped":false,"peer_descr":"bro","source.type":"bro","p":443,"uid":"CNHQmp1mNiZHdAf5Ce","protocol":"notice","original_string":"NOTICE | msg:SSL certificate validation failed with (unable to get local issuer certificate) suppress_for:3600.0 note:SSL::Invalid_Server_Cert sub:CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US id.orig_p:35736 dst:74.125.19.104 src:192.168.15.4 id.resp_p:443 dropped:false peer_descr:bro p:443 uid:CNHQmp1mNiZHdAf5Ce proto:tcp id.orig_h:192.168.15.4 actions:[\"Notice::ACTION_LOG\"] ts:1216706377.196728 id.resp_h:74.125.19.104","ip_dst_addr":"74.125.19.104","ip_src_port":35736,"proto":"tcp","guid":"31e56b6a-48fd-4605-81ec-b0586006f7d7","actions":["Notice::ACTION_LOG"],"ip_src_addr":"192.168.15.4","timestamp":1216706377196} -{"bro_timestamp":"1258567562.944638","ip_dst_port":67,"trans_id":418901490,"assigned_ip":"192.168.1.103","mac":"00:0b:db:63:5b:d4","source.type":"bro","uid":"CSiO9f3y8Uyu0XprAi","protocol":"dhcp","original_string":"DHCP | uid:CSiO9f3y8Uyu0XprAi id.orig_p:68 lease_time:3564.0 id.resp_p:67 id.orig_h:192.168.1.103 trans_id:418901490 assigned_ip:192.168.1.103 
mac:00:0b:db:63:5b:d4 ts:1258567562.944638 id.resp_h:192.168.1.1","ip_dst_addr":"192.168.1.1","ip_src_port":68,"lease_time":3564.0,"guid":"0d2ed5dc-f44c-4d37-b286-7b9f40da420a","ip_src_addr":"192.168.1.103","timestamp":1258567562944} -{"kex_alg":"diffie-hellman-group-exchange-sha256","server":"SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1","mac_alg":"hmac-md5","bro_timestamp":"1320435930.914196","auth_success":false,"ip_dst_port":22,"host_key_alg":"ssh-rsa","compression_alg":"none","version":2,"source.type":"bro","uid":"CyrWKo1E1rRywjbOAk","host_key":"87:11:46:da:89:c5:2b:d9:6b:ee:e0:44:7e:73:80:f8","protocol":"ssh","original_string":"SSH | kex_alg:diffie-hellman-group-exchange-sha256 server:SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1 mac_alg:hmac-md5 id.orig_p:58435 auth_success:false id.resp_p:22 host_key_alg:ssh-rsa compression_alg:none version:2 uid:CyrWKo1E1rRywjbOAk host_key:87:11:46:da:89:c5:2b:d9:6b:ee:e0:44:7e:73:80:f8 cipher_alg:aes128-ctr client:SSH-2.0-OpenSSH_5.6 id.orig_h:172.16.238.1 ts:1320435930.914196 id.resp_h:172.16.238.136","ip_dst_addr":"172.16.238.136","ip_src_port":58435,"cipher_alg":"aes128-ctr","client":"SSH-2.0-OpenSSH_5.6","guid":"8aebc887-4090-4807-8d65-e841f52b6177","ip_src_addr":"172.16.238.1","timestamp":1320435930914} -{"bro_timestamp":"1320435464.768382","software_type":"SSH::SERVER","source.type":"bro","unparsed_version":"OpenSSH_5.3","protocol":"software","host_p":22,"original_string":"SOFTWARE | unparsed_version:OpenSSH_5.3 host_p:22 host:172.16.238.168 name:OpenSSH software_type:SSH::SERVER version.major:5 version.minor:3 ts:1320435464.768382","host":"172.16.238.168","name":"OpenSSH","guid":"ad3d1b4b-ffad-4416-be0f-7df08587ccb5","version.major":5,"version.minor":3,"timestamp":1320435464768} -{"bro_timestamp":"1440447766.441298","ip_dst_port":1812,"source.type":"bro","result":"failed","uid":"CqF4zGzBOXFjTWqHh","protocol":"radius","original_string":"RADIUS | result:failed uid:CqF4zGzBOXFjTWqHh id.orig_p:53031 id.resp_p:1812 id.orig_h:127.0.0.1 
ts:1440447766.441298 id.resp_h:127.0.0.1 username:steve","ip_dst_addr":"127.0.0.1","ip_src_port":53031,"guid":"b029735a-3e98-45a0-b8da-232967a34085","ip_src_addr":"127.0.0.1","username":"steve","timestamp":1440447766441} -{"certificate.key_length":1024,"bro_timestamp":"1216706999.661483","certificate.sig_alg":"sha1WithRSAEncryption","certificate.not_valid_before":1.2138336E9,"certificate.key_type":"rsa","basic_constraints.ca":false,"certificate.key_alg":"rsaEncryption","certificate.exponent":"65537","source.type":"bro","protocol":"x509","original_string":"X509 | certificate.key_length:1024 certificate.sig_alg:sha1WithRSAEncryption certificate.not_valid_before:1213833600.0 certificate.key_type:rsa basic_constraints.ca:false certificate.key_alg:rsaEncryption certificate.exponent:65537 certificate.version:3 certificate.subject:CN=login.live.com,OU=MSN-Passport,O=Microsoft Corporation,street=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=V1.0\\, Clause 5.(b),1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553 id:FkYBO41LPAXxh44KFk certificate.not_valid_after:1248134399.0 certificate.serial:6905C4A47CFDBF9DBC98DACE38835FB8 certificate.issuer:CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US ts:1216706999.661483","certificate.version":3,"certificate.subject":"CN=login.live.com,OU=MSN-Passport,O=Microsoft Corporation,street=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=V1.0\\, Clause 5.(b),1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553","guid":"578eac04-9024-49ab-828d-e25f01c33c82","id":"FkYBO41LPAXxh44KFk","certificate.not_valid_after":1.248134399E9,"certificate.serial":"6905C4A47CFDBF9DBC98DACE38835FB8","certificate.issuer":"CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of 
use at https:\/\/www.verisign.com\/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US","timestamp":1216706999661} -{"bro_timestamp":"1258531221.486539","protocol":"known_devices","original_string":"KNOWN_DEVICES | dhcp_host_name:m57-jo mac:00:0b:db:63:58:a6 ts:1258531221.486539","dhcp_host_name":"m57-jo","guid":"e7a216d8-3623-4dea-af78-01da8c5e0bc5","mac":"00:0b:db:63:58:a6","timestamp":1258531221486,"source.type":"bro"} -{"client_minor_version":"007","bro_timestamp":"1328634261.675248","client_major_version":"003","ip_dst_port":5900,"auth":true,"share_flag":false,"desktop_name":"aneagles@localhost.localdomain","source.type":"bro","authentication_method":"VNC","uid":"CGhHbC1P1kuJYtR4Ul","server_minor_version":"007","protocol":"rfb","original_string":"RFB | client_minor_version:007 id.orig_p:10254 client_major_version:003 auth:true id.resp_p:5900 share_flag:false desktop_name:aneagles@localhost.localdomain authentication_method:VNC uid:CGhHbC1P1kuJYtR4Ul server_minor_version:007 server_major_version:003 width:1280 id.orig_h:192.168.1.10 ts:1328634261.675248 id.resp_h:192.168.1.114 height:800","ip_dst_addr":"192.168.1.114","ip_src_port":10254,"server_major_version":"003","width":1280,"guid":"c2da5c0b-bfaf-4fff-80c4-be6040fdb57d","ip_src_addr":"192.168.1.10","height":800,"timestamp":1328634261675} -{"dns_requests":0,"bro_timestamp":"1328634261.351352","reassem_frag_size":0,"protocol":"stats","original_string":"STATS | dns_requests:0 timers:35 active_udp_conns:0 reassem_frag_size:0 events_proc:392 active_icmp_conns:0 reassem_file_size:0 udp_conns:0 active_timers:32 events_queued:13 mem:55 reassem_tcp_size:0 peer:bro pkts_proc:1 icmp_conns:0 active_dns_requests:0 files:0 bytes_recv:62 active_files:0 tcp_conns:1 reassem_unknown_size:0 active_tcp_conns:1 
ts:1328634261.351352","mem":55,"reassem_tcp_size":0,"peer":"bro","active_dns_requests":0,"active_files":0,"timestamp":1328634261351,"timers":35,"active_udp_conns":0,"events_proc":392,"active_icmp_conns":0,"reassem_file_size":0,"source.type":"bro","udp_conns":0,"active_timers":32,"events_queued":13,"pkts_proc":1,"icmp_conns":0,"files":0,"guid":"2ba97a72-8446-44ba-ac86-d491fa64a4c7","bytes_recv":62,"tcp_conns":1,"reassem_unknown_size":0,"active_tcp_conns":1} -{"bro_timestamp":"1328634276.90953","protocol":"capture_loss","original_string":"CAPTURE_LOSS | peer:bro acks:710 ts_delta:15.558178 gaps:0 ts:1328634276.90953 percent_lost:0.0","peer":"bro","acks":710,"guid":"1587b0b9-2d85-4808-9aaa-9a19477e8f98","ts_delta":15.558178,"gaps":0,"percent_lost":0.0,"timestamp":1328634276909,"source.type":"bro"} -{"bro_timestamp":"1216698600.338338","method":"REGISTER","ip_dst_port":10000,"request_body_len":0,"response_path":[],"uri":"sip:t.voncp.com:10000","call_id":"7757a70e218b95730dd2daeaac7d20b1@192.168.1.64","source.type":"bro","uid":"Cl2G2m3bdeE8F9I9ei","trans_depth":0,"request_from":"\"16178766111\" ","protocol":"sip","original_string":"SIP | id.orig_p:1033 method:REGISTER request_body_len:0 id.resp_p:10000 response_path:[] uri:sip:t.voncp.com:10000 call_id:7757a70e218b95730dd2daeaac7d20b1@192.168.1.64 uid:Cl2G2m3bdeE8F9I9ei trans_depth:0 request_from:\"16178766111\" request_path:[\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\",\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\",\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\",\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\"] id.orig_h:192.168.1.64 request_to:\"16178766111\" seq:1761527957 REGISTER user_agent:VDV21 001DD92E4F61 2.8.1_1.4.7 LwooEk3GCD\/bcm001DD92E4F61.xml ts:1216698600.338338 id.resp_h:69.59.232.120","ip_dst_addr":"69.59.232.120","ip_src_port":1033,"request_path":["SIP\/2.0\/UDP 192.168.1.64:10000","SIP\/2.0\/UDP 192.168.1.64:10000","SIP\/2.0\/UDP 192.168.1.64:10000","SIP\/2.0\/UDP 
192.168.1.64:10000"],"guid":"a4d1d1c2-b55f-46c5-bd41-d741c9926ff1","request_to":"\"16178766111\" ","ip_src_addr":"192.168.1.64","seq":"1761527957 REGISTER","user_agent":"VDV21 001DD92E4F61 2.8.1_1.4.7 LwooEk3GCD\/bcm001DD92E4F61.xml","timestamp":1216698600338} +{"bro_timestamp":"1402307733.473","status_code":200,"method":"GET","ip_dst_port":80,"request_body_len":0,"uri":"\/","tags":[],"metron_sensor_type":"bro","uid":"CTo78A11g7CYbbOHvj","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:58808 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/ tags:[] uid:CTo78A11g7CYbbOHvj resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:www.cisco.com status_msg:OK id.orig_h:192.249.113.37 response_body_len:25523 user_agent:curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3 ts:1402307733.473 id.resp_h:72.163.4.161 resp_fuids:[\"FJDyMC15lxUn5ngPfd\"]","ip_dst_addr":"72.163.4.161","ip_src_port":58808,"host":"www.cisco.com","status_msg":"OK","response_body_len":25523,"ip_src_addr":"192.249.113.37","user_agent":"curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3","resp_fuids":["FJDyMC15lxUn5ngPfd"],"timestamp":1402307733473,"guid":"this-is-random-uuid-will-be-36-chars"} +{"TTLs":[3600.0,289.0,14.0],"qclass_name":"C_INTERNET","bro_timestamp":"1402308259.609","qtype_name":"AAAA","ip_dst_port":53,"qtype":28,"rejected":false,"answers":["www.cisco.com.akadns.net","origin-www.cisco.com","2001:420:1201:2::a"],"trans_id":62418,"uid":"CuJT272SKaJSuqO0Ia","protocol":"dns","original_string":"DNS | AA:true TTLs:[3600.0,289.0,14.0] qclass_name:C_INTERNET id.orig_p:33976 qtype_name:AAAA qtype:28 rejected:false id.resp_p:53 query:www.cisco.com answers:[\"www.cisco.com.akadns.net\",\"origin-www.cisco.com\",\"2001:420:1201:2::a\"] trans_id:62418 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CuJT272SKaJSuqO0Ia RD:true 
proto:udp id.orig_h:10.122.196.204 Z:0 qclass:1 ts:1402308259.609 id.resp_h:144.254.71.184","ip_dst_addr":"144.254.71.184","Z":0,"ip_src_addr":"10.122.196.204","qclass":1,"timestamp":1402308259609,"AA":true,"query":"www.cisco.com","rcode":0,"rcode_name":"NOERROR","TC":false,"RA":true,"metron_sensor_type":"bro","RD":true,"ip_src_port":33976,"proto":"udp","guid":"this-is-random-uuid-will-be-36-chars"} +{"bro_timestamp":"1402307733.473","status_code":200,"method":"GET","ip_dst_port":80,"request_body_len":0,"uri":"\/","tags":[],"metron_sensor_type":"bro","uid":"KIRAN","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:58808 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/ tags:[] uid:KIRAN resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:www.cisco.com status_msg:OK id.orig_h:10.122.196.204 response_body_len:25523 user_agent:curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3 ts:1402307733.473 id.resp_h:72.163.4.161 resp_fuids:[\"FJDyMC15lxUn5ngPfd\"]","ip_dst_addr":"72.163.4.161","ip_src_port":58808,"host":"www.cisco.com","status_msg":"OK","response_body_len":25523,"ip_src_addr":"10.122.196.204","user_agent":"curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3","resp_fuids":["FJDyMC15lxUn5ngPfd"],"timestamp":1402307733473,"guid":"this-is-random-uuid-will-be-36-chars"} +{"bro_timestamp":"1402307733.473","status_code":200,"method":"GET","ip_dst_port":80,"request_body_len":0,"uri":"\/","tags":[],"metron_sensor_type":"bro","uid":"KIRAN12312312","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:58808 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/ tags:[] uid:KIRAN12312312 resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:www.cisco.com status_msg:OK id.orig_h:192.249.113.37 response_body_len:25523 user_agent:curl\/7.22.0 
(x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3 ts:1402307733.473 id.resp_h:72.163.4.161 resp_fuids:[\"FJDyMC15lxUn5ngPfd\"]","ip_dst_addr":"72.163.4.161","ip_src_port":58808,"host":"www.cisco.com","status_msg":"OK","response_body_len":25523,"ip_src_addr":"192.249.113.37","user_agent":"curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3","resp_fuids":["FJDyMC15lxUn5ngPfd"],"timestamp":1402307733473,"guid":"this-is-random-uuid-will-be-36-chars"} +{"bro_timestamp":"1402307733.473","status_code":200,"method":"GET","ip_dst_port":80,"request_body_len":0,"uri":"\/","tags":[],"metron_sensor_type":"bro","uid":"KIRAN12312312","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:58808 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/ tags:[] uid:KIRAN12312312 resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:www.cisco.com status_msg:OK id.orig_h:192.249.113.37 response_body_len:25523 user_agent:curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3 ts:1402307733.473 id.resp_h:72.163.4.161 resp_fuids:[\"FJDyMC15lxUn5ngPfd\"]","ip_dst_addr":"72.163.4.161","ip_src_port":58808,"host":"www.cisco.com","status_msg":"OK","response_body_len":25523,"ip_src_addr":"192.249.113.37","user_agent":"curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3","resp_fuids":["FJDyMC15lxUn5ngPfd"],"timestamp":1402307733473,"guid":"this-is-random-uuid-will-be-36-chars"} +{"bro_timestamp":"1402307733.473","status_code":200,"method":"GET","ip_dst_port":80,"request_body_len":0,"uri":"\/","tags":[],"metron_sensor_type":"bro","uid":"CTo78A11g7CYbbOHvj","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:58808 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/ tags:[] 
uid:CTo78A11g7CYbbOHvj resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:gabacentre.pw status_msg:OK id.orig_h:10.122.196.204 response_body_len:25523 email:abullis@mail.csuchico.edu user_agent:curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3 ts:1402307733.473 id.resp_h:72.163.4.161 resp_fuids:[\"FJDyMC15lxUn5ngPfd\"]","ip_dst_addr":"72.163.4.161","ip_src_port":58808,"host":"gabacentre.pw","status_msg":"OK","response_body_len":25523,"ip_src_addr":"10.122.196.204","email":"abullis@mail.csuchico.edu","user_agent":"curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3","resp_fuids":["FJDyMC15lxUn5ngPfd"],"timestamp":1402307733473,"guid":"this-is-random-uuid-will-be-36-chars"} +{"TTLs":[3600.0,289.0,14.0],"qclass_name":"C_INTERNET","bro_timestamp":"1402308259.609","qtype_name":"AAAA","ip_dst_port":53,"qtype":28,"rejected":false,"answers":["gabacentre.pw","www.cisco.com.akadns.net","origin-www.cisco.com","2001:420:1201:2::a"],"trans_id":62418,"uid":"CYbbOHvj","protocol":"dns","original_string":"DNS | AA:true TTLs:[3600.0,289.0,14.0] qclass_name:C_INTERNET id.orig_p:33976 qtype_name:AAAA qtype:28 rejected:false id.resp_p:53 query:www.cisco.com answers:[\"gabacentre.pw\",\"www.cisco.com.akadns.net\",\"origin-www.cisco.com\",\"2001:420:1201:2::a\"] trans_id:62418 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CYbbOHvj RD:true proto:udp id.orig_h:93.188.160.43 Z:0 qclass:1 ts:1402308259.609 id.resp_h:144.254.71.184","ip_dst_addr":"144.254.71.184","Z":0,"ip_src_addr":"93.188.160.43","qclass":1,"timestamp":1402308259609,"AA":true,"query":"www.cisco.com","rcode":0,"rcode_name":"NOERROR","TC":false,"RA":true,"metron_sensor_type":"bro","RD":true,"ip_src_port":33976,"proto":"udp","guid":"this-is-random-uuid-will-be-36-chars"} 
+{"bro_timestamp":"1402307733.473","status_code":200,"method":"GET","ip_dst_port":80,"request_body_len":0,"uri":"\/","tags":[],"metron_sensor_type":"bro","uid":"CTo78A11g7CYbbOHvj","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:58808 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/ tags:[] uid:CTo78A11g7CYbbOHvj resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:www.cisco.com status_msg:OK id.orig_h:192.249.113.37 response_body_len:25523 user_agent:curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3 ts:1402307733.473 id.resp_h:72.163.4.161 resp_fuids:[\"FJDyMC15lxUn5ngPfd\"]","ip_dst_addr":"72.163.4.161","ip_src_port":58808,"host":"www.cisco.com","status_msg":"OK","response_body_len":25523,"ip_src_addr":"192.249.113.37","user_agent":"curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3","resp_fuids":["FJDyMC15lxUn5ngPfd"],"timestamp":1402307733473,"guid":"this-is-random-uuid-will-be-36-chars"} +{"TTLs":[3600.0,289.0,14.0],"qclass_name":"C_INTERNET","bro_timestamp":"1402308259.609","qtype_name":"AAAA","ip_dst_port":53,"qtype":28,"rejected":false,"answers":["www.cisco.com.akadns.net","origin-www.cisco.com","2001:420:1201:2::a"],"trans_id":62418,"uid":"CuJT272SKaJSuqO0Ia","protocol":"dns","original_string":"DNS | AA:true TTLs:[3600.0,289.0,14.0] qclass_name:C_INTERNET id.orig_p:33976 qtype_name:AAAA qtype:28 rejected:false id.resp_p:53 query:www.cisco.com answers:[\"www.cisco.com.akadns.net\",\"origin-www.cisco.com\",\"2001:420:1201:2::a\"] trans_id:62418 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CuJT272SKaJSuqO0Ia RD:true proto:udp id.orig_h:10.122.196.204 Z:0 qclass:1 ts:1402308259.609 
id.resp_h:144.254.71.184","ip_dst_addr":"144.254.71.184","Z":0,"ip_src_addr":"10.122.196.204","qclass":1,"timestamp":1402308259609,"AA":true,"query":"www.cisco.com","rcode":0,"rcode_name":"NOERROR","TC":false,"RA":true,"metron_sensor_type":"bro","RD":true,"ip_src_port":33976,"proto":"udp","guid":"this-is-random-uuid-will-be-36-chars"} +{"bro_timestamp":"1402307733.473","status_code":200,"method":"GET","ip_dst_port":80,"request_body_len":0,"uri":"\/","tags":[],"metron_sensor_type":"bro","uid":"KIRAN","resp_mime_types":["text\/html"],"trans_depth":1,"protocol":"http","original_string":"HTTP | id.orig_p:58808 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/ tags:[] uid:KIRAN resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:www.cisco.com status_msg:OK id.orig_h:10.122.196.204 response_body_len:25523 user_agent:curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3 ts:1402307733.473 id.resp_h:72.163.4.161 resp_fuids:[\"FJDyMC15lxUn5ngPfd\"]","ip_dst_addr":"72.163.4.161","ip_src_port":58808,"host":"www.cisco.com","status_msg":"OK","response_body_len":25523,"ip_src_addr":"10.122.196.204","user_agent":"curl\/7.22.0 (x86_64-pc-linux-gnu) libcurl\/7.22.0 OpenSSL\/1.0.1 zlib\/1.2.3.4 libidn\/1.23 librtmp\/2.3","resp_fuids":["FJDyMC15lxUn5ngPfd"],"timestamp":1402307733473,"guid":"this-is-random-uuid-will-be-36-chars"} +{"bro_timestamp":"1440447880.931272","resp_pkts":1,"resp_ip_bytes":48,"ip_dst_port":1812,"orig_bytes":75,"orig_ip_bytes":103,"orig_pkts":1,"missed_bytes":0,"history":"Dd","tunnel_parents":[],"metron_sensor_type":"bro","duration":1.001459,"uid":"CWxtRHnBTbldHnmGh","protocol":"conn","resp_bytes":20,"original_string":"CONN | id.orig_p:52178 resp_pkts:1 resp_ip_bytes:48 orig_bytes:75 id.resp_p:1812 orig_ip_bytes:103 orig_pkts:1 missed_bytes:0 history:Dd tunnel_parents:[] duration:1.001459 uid:CWxtRHnBTbldHnmGh resp_bytes:20 service:radius conn_state:SF proto:udp id.orig_h:127.0.0.1 
ts:1440447880.931272 id.resp_h:127.0.0.1","ip_dst_addr":"127.0.0.1","ip_src_port":52178,"service":"radius","conn_state":"SF","proto":"udp","guid":"4a92fe07-8f9d-4092-83c3-0d4e37c92d29","ip_src_addr":"127.0.0.1","timestamp":1440447880931} +{"bro_timestamp":"1440447904.122012","resp_pkts":0,"resp_ip_bytes":0,"ip_dst_port":1812,"orig_bytes":225,"orig_ip_bytes":309,"orig_pkts":3,"missed_bytes":0,"history":"D","tunnel_parents":[],"metron_sensor_type":"bro","duration":10.008839,"uid":"CK2Oivhlh0ovRcYx","protocol":"conn","resp_bytes":0,"original_string":"CONN | id.orig_p:62956 resp_pkts:0 resp_ip_bytes:0 orig_bytes:225 id.resp_p:1812 orig_ip_bytes:309 orig_pkts:3 missed_bytes:0 history:D tunnel_parents:[] duration:10.008839 uid:CK2Oivhlh0ovRcYx resp_bytes:0 service:radius conn_state:S0 proto:udp id.orig_h:127.0.0.1 ts:1440447904.122012 id.resp_h:127.0.0.1","ip_dst_addr":"127.0.0.1","ip_src_port":62956,"service":"radius","conn_state":"S0","proto":"udp","guid":"9e4952e0-6dd3-4487-b5fa-299b9433c381","ip_src_addr":"127.0.0.1","timestamp":1440447904122} +{"bro_timestamp":"1440448190.335333","resp_pkts":1,"resp_ip_bytes":99,"ip_dst_port":1812,"orig_bytes":75,"orig_ip_bytes":103,"orig_pkts":1,"missed_bytes":0,"history":"Dd","tunnel_parents":[],"metron_sensor_type":"bro","duration":5.17E-4,"uid":"CX6mcO38sO7dkDxK55","protocol":"conn","resp_bytes":71,"original_string":"CONN | id.orig_p:53127 resp_pkts:1 resp_ip_bytes:99 orig_bytes:75 id.resp_p:1812 orig_ip_bytes:103 orig_pkts:1 missed_bytes:0 history:Dd tunnel_parents:[] duration:0.000517 uid:CX6mcO38sO7dkDxK55 resp_bytes:71 service:radius conn_state:SF proto:udp id.orig_h:127.0.0.1 ts:1440448190.335333 id.resp_h:127.0.0.1","ip_dst_addr":"127.0.0.1","ip_src_port":53127,"service":"radius","conn_state":"SF","proto":"udp","guid":"bc1af1bf-5b1c-4829-b574-3243670fd448","ip_src_addr":"127.0.0.1","timestamp":1440448190335} +{"bro_timestamp":"1216702277.477596","ip_dst_port":80,"failure_reason":"not a http reply 
line","metron_sensor_type":"bro","uid":"C4O50B3WAUCb2Yw29j","protocol":"dpd","original_string":"DPD | uid:C4O50B3WAUCb2Yw29j id.orig_p:33348 analyzer:HTTP id.resp_p:80 proto:tcp id.orig_h:192.168.15.4 failure_reason:not a http reply line ts:1216702277.477596 id.resp_h:66.33.212.43","ip_dst_addr":"66.33.212.43","ip_src_port":33348,"analyzer":"HTTP","proto":"tcp","guid":"b03d9d34-4a39-4e68-8b21-08bdd532ae07","ip_src_addr":"192.168.15.4","timestamp":1216702277477} +{"bro_timestamp":"1166289883.160785","ip_dst_port":21,"reply_msg":"Entering Passive Mode (192,168,0,193,28,86)","data_channel.orig_h":"192.168.0.114","data_channel.passive":true,"data_channel.resp_p":7254,"command":"PASV","metron_sensor_type":"bro","uid":"ClOsCM3BUs3saPsD2c","password":"","protocol":"ftp","original_string":"FTP | id.orig_p:1137 id.resp_p:21 reply_msg:Entering Passive Mode (192,168,0,193,28,86) data_channel.orig_h:192.168.0.114 data_channel.passive:true data_channel.resp_p:7254 command:PASV uid:ClOsCM3BUs3saPsD2c password: data_channel.resp_h:192.168.0.193 id.orig_h:192.168.0.114 user:csanders reply_code:227 ts:1166289883.160785 id.resp_h:192.168.0.193","ip_dst_addr":"192.168.0.193","ip_src_port":1137,"data_channel.resp_h":"192.168.0.193","guid":"4b0c4cda-28ee-404e-b966-036bc7f638ff","user":"csanders","ip_src_addr":"192.168.0.114","reply_code":227,"timestamp":1166289883160} +{"bro_timestamp":"1216706983.387664","timedout":true,"source":"HTTP","is_orig":false,"overflow_bytes":0,"metron_sensor_type":"bro","duration":30.701792,"protocol":"files","depth":0,"original_string":"FILES | timedout:true rx_hosts:[\"192.168.15.4\"] source:HTTP is_orig:false tx_hosts:[\"216.113.185.92\"] overflow_bytes:0 duration:30.701792 depth:0 analyzers:[\"MD5\",\"SHA1\"] fuid:FnEYba9VPOcC41c1 conn_uids:[\"CLWqoN1IA9MB8Ru9i3\"] seen_bytes:0 missing_bytes:3384 
ts:1216706983.387664","ip_dst_addr":"192.168.15.4","analyzers":["MD5","SHA1"],"guid":"7b7148a0-f484-4450-97a3-29493e1c7360","fuid":"FnEYba9VPOcC41c1","conn_uids":["CLWqoN1IA9MB8Ru9i3"],"seen_bytes":0,"missing_bytes":3384,"ip_src_addr":"216.113.185.92","timestamp":1216706983387} +{"bro_timestamp":"1216706999.34818","protocol":"known_certs","original_string":"KNOWN_CERTS | issuer_subject:CN=VeriSign Class 3 Secure Server CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)05,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US serial:24A2DD82DC52358E7F0C6AF6135F3B32 subject:CN=nexus.passport.com,OU=MSN Passport,O=Microsoft,L=Redmond,ST=Washington,C=US port_num:443 host:65.54.179.216 ts:1216706999.34818","issuer_subject":"CN=VeriSign Class 3 Secure Server CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)05,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US","serial":"24A2DD82DC52358E7F0C6AF6135F3B32","subject":"CN=nexus.passport.com,OU=MSN Passport,O=Microsoft,L=Redmond,ST=Washington,C=US","port_num":443,"host":"65.54.179.216","guid":"76fe881c-3ed7-4477-a870-f5381577e4ae","timestamp":1216706999348,"metron_sensor_type":"bro"} +{"bro_timestamp":"1258568036.57884","ip_dst_port":25,"metron_sensor_type":"bro","helo":"M57Terry","uid":"ChR6254RrWbrxiGsd7","path":["192.168.1.1","192.168.1.105"],"trans_depth":1,"protocol":"smtp","original_string":"SMTP | id.orig_p:49353 id.resp_p:25 helo:M57Terry uid:ChR6254RrWbrxiGsd7 path:[\"192.168.1.1\",\"192.168.1.105\"] trans_depth:1 is_webmail:false last_reply:220 2.0.0 Ready to start TLS id.orig_h:192.168.1.105 tls:true fuids:[] ts:1258568036.57884 id.resp_h:192.168.1.1","ip_dst_addr":"192.168.1.1","ip_src_port":49353,"is_webmail":false,"last_reply":"220 2.0.0 Ready to start TLS","guid":"9a3d1e86-7d25-4426-b2af-6ab5be1e607f","tls":true,"fuids":[],"ip_src_addr":"192.168.1.105","timestamp":1258568036578} 
+{"cipher":"TLS_RSA_WITH_RC4_128_MD5","established":true,"server_name":"login.live.com","bro_timestamp":"1216706999.444925","client_cert_chain_fuids":[],"ip_dst_port":443,"subject":"CN=login.live.com,OU=MSN-Passport,O=Microsoft Corporation,street=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=V1.0\\, Clause 5.(b),1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553","cert_chain_fuids":["FkYBO41LPAXxh44KFk","FPrzYN1SuBqHflXZId","FZ71xF13r5XVSam1z1"],"version":"TLSv10","issuer":"CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US","metron_sensor_type":"bro","uid":"CVrS2IBW8gukBClA8","protocol":"ssl","original_string":"SSL | cipher:TLS_RSA_WITH_RC4_128_MD5 established:true server_name:login.live.com id.orig_p:36532 client_cert_chain_fuids:[] subject:CN=login.live.com,OU=MSN-Passport,O=Microsoft Corporation,street=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=V1.0\\, Clause 5.(b),1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553 id.resp_p:443 cert_chain_fuids:[\"FkYBO41LPAXxh44KFk\",\"FPrzYN1SuBqHflXZId\",\"FZ71xF13r5XVSam1z1\"] version:TLSv10 issuer:CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US uid:CVrS2IBW8gukBClA8 id.orig_h:192.168.15.4 validation_status:unable to get local issuer certificate resumed:false ts:1216706999.444925 id.resp_h:65.54.186.47","ip_dst_addr":"65.54.186.47","ip_src_port":36532,"guid":"1bff79d0-7b86-43de-b5ec-132bb62f4339","validation_status":"unable to get local issuer certificate","resumed":false,"ip_src_addr":"192.168.15.4","timestamp":1216706999444} 
+{"bro_timestamp":"1216706981.177382","ip_dst_port":80,"metron_sensor_type":"bro","uid":"Cfxxnt3m0v9SEf5XQ7","protocol":"weird","original_string":"WEIRD | uid:Cfxxnt3m0v9SEf5XQ7 id.orig_p:36446 peer:bro id.resp_p:80 name:unescaped_special_URI_char id.orig_h:192.168.15.4 ts:1216706981.177382 id.resp_h:66.151.146.194 notice:false","ip_dst_addr":"66.151.146.194","ip_src_port":36446,"peer":"bro","name":"unescaped_special_URI_char","guid":"fa2d1068-ca33-4962-b9ab-902605ea3e14","ip_src_addr":"192.168.15.4","notice":false,"timestamp":1216706981177} +{"msg":"SSL certificate validation failed with (unable to get local issuer certificate)","suppress_for":3600.0,"note":"SSL::Invalid_Server_Cert","sub":"CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US","bro_timestamp":"1216706377.196728","dst":"74.125.19.104","ip_dst_port":443,"src":"192.168.15.4","dropped":false,"peer_descr":"bro","metron_sensor_type":"bro","p":443,"uid":"CNHQmp1mNiZHdAf5Ce","protocol":"notice","original_string":"NOTICE | msg:SSL certificate validation failed with (unable to get local issuer certificate) suppress_for:3600.0 note:SSL::Invalid_Server_Cert sub:CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US id.orig_p:35736 dst:74.125.19.104 src:192.168.15.4 id.resp_p:443 dropped:false peer_descr:bro p:443 uid:CNHQmp1mNiZHdAf5Ce proto:tcp id.orig_h:192.168.15.4 actions:[\"Notice::ACTION_LOG\"] ts:1216706377.196728 id.resp_h:74.125.19.104","ip_dst_addr":"74.125.19.104","ip_src_port":35736,"proto":"tcp","guid":"31e56b6a-48fd-4605-81ec-b0586006f7d7","actions":["Notice::ACTION_LOG"],"ip_src_addr":"192.168.15.4","timestamp":1216706377196} +{"bro_timestamp":"1258567562.944638","ip_dst_port":67,"trans_id":418901490,"assigned_ip":"192.168.1.103","mac":"00:0b:db:63:5b:d4","metron_sensor_type":"bro","uid":"CSiO9f3y8Uyu0XprAi","protocol":"dhcp","original_string":"DHCP | uid:CSiO9f3y8Uyu0XprAi id.orig_p:68 lease_time:3564.0 id.resp_p:67 id.orig_h:192.168.1.103 trans_id:418901490 
assigned_ip:192.168.1.103 mac:00:0b:db:63:5b:d4 ts:1258567562.944638 id.resp_h:192.168.1.1","ip_dst_addr":"192.168.1.1","ip_src_port":68,"lease_time":3564.0,"guid":"0d2ed5dc-f44c-4d37-b286-7b9f40da420a","ip_src_addr":"192.168.1.103","timestamp":1258567562944} +{"kex_alg":"diffie-hellman-group-exchange-sha256","server":"SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1","mac_alg":"hmac-md5","bro_timestamp":"1320435930.914196","auth_success":false,"ip_dst_port":22,"host_key_alg":"ssh-rsa","compression_alg":"none","version":2,"metron_sensor_type":"bro","uid":"CyrWKo1E1rRywjbOAk","host_key":"87:11:46:da:89:c5:2b:d9:6b:ee:e0:44:7e:73:80:f8","protocol":"ssh","original_string":"SSH | kex_alg:diffie-hellman-group-exchange-sha256 server:SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1 mac_alg:hmac-md5 id.orig_p:58435 auth_success:false id.resp_p:22 host_key_alg:ssh-rsa compression_alg:none version:2 uid:CyrWKo1E1rRywjbOAk host_key:87:11:46:da:89:c5:2b:d9:6b:ee:e0:44:7e:73:80:f8 cipher_alg:aes128-ctr client:SSH-2.0-OpenSSH_5.6 id.orig_h:172.16.238.1 ts:1320435930.914196 id.resp_h:172.16.238.136","ip_dst_addr":"172.16.238.136","ip_src_port":58435,"cipher_alg":"aes128-ctr","client":"SSH-2.0-OpenSSH_5.6","guid":"8aebc887-4090-4807-8d65-e841f52b6177","ip_src_addr":"172.16.238.1","timestamp":1320435930914} +{"bro_timestamp":"1320435464.768382","software_type":"SSH::SERVER","metron_sensor_type":"bro","unparsed_version":"OpenSSH_5.3","protocol":"software","host_p":22,"original_string":"SOFTWARE | unparsed_version:OpenSSH_5.3 host_p:22 host:172.16.238.168 name:OpenSSH software_type:SSH::SERVER version.major:5 version.minor:3 ts:1320435464.768382","host":"172.16.238.168","name":"OpenSSH","guid":"ad3d1b4b-ffad-4416-be0f-7df08587ccb5","version.major":5,"version.minor":3,"timestamp":1320435464768} +{"bro_timestamp":"1440447766.441298","ip_dst_port":1812,"metron_sensor_type":"bro","result":"failed","uid":"CqF4zGzBOXFjTWqHh","protocol":"radius","original_string":"RADIUS | result:failed uid:CqF4zGzBOXFjTWqHh 
id.orig_p:53031 id.resp_p:1812 id.orig_h:127.0.0.1 ts:1440447766.441298 id.resp_h:127.0.0.1 username:steve","ip_dst_addr":"127.0.0.1","ip_src_port":53031,"guid":"b029735a-3e98-45a0-b8da-232967a34085","ip_src_addr":"127.0.0.1","username":"steve","timestamp":1440447766441} +{"certificate.key_length":1024,"bro_timestamp":"1216706999.661483","certificate.sig_alg":"sha1WithRSAEncryption","certificate.not_valid_before":1.2138336E9,"certificate.key_type":"rsa","basic_constraints.ca":false,"certificate.key_alg":"rsaEncryption","certificate.exponent":"65537","metron_sensor_type":"bro","protocol":"x509","original_string":"X509 | certificate.key_length:1024 certificate.sig_alg:sha1WithRSAEncryption certificate.not_valid_before:1213833600.0 certificate.key_type:rsa basic_constraints.ca:false certificate.key_alg:rsaEncryption certificate.exponent:65537 certificate.version:3 certificate.subject:CN=login.live.com,OU=MSN-Passport,O=Microsoft Corporation,street=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=V1.0\\, Clause 5.(b),1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553 id:FkYBO41LPAXxh44KFk certificate.not_valid_after:1248134399.0 certificate.serial:6905C4A47CFDBF9DBC98DACE38835FB8 certificate.issuer:CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US ts:1216706999.661483","certificate.version":3,"certificate.subject":"CN=login.live.com,OU=MSN-Passport,O=Microsoft Corporation,street=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=V1.0\\, Clause 
5.(b),1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553","guid":"578eac04-9024-49ab-828d-e25f01c33c82","id":"FkYBO41LPAXxh44KFk","certificate.not_valid_after":1.248134399E9,"certificate.serial":"6905C4A47CFDBF9DBC98DACE38835FB8","certificate.issuer":"CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US","timestamp":1216706999661} +{"bro_timestamp":"1258531221.486539","protocol":"known_devices","original_string":"KNOWN_DEVICES | dhcp_host_name:m57-jo mac:00:0b:db:63:58:a6 ts:1258531221.486539","dhcp_host_name":"m57-jo","guid":"e7a216d8-3623-4dea-af78-01da8c5e0bc5","mac":"00:0b:db:63:58:a6","timestamp":1258531221486,"metron_sensor_type":"bro"} +{"client_minor_version":"007","bro_timestamp":"1328634261.675248","client_major_version":"003","ip_dst_port":5900,"auth":true,"share_flag":false,"desktop_name":"aneagles@localhost.localdomain","metron_sensor_type":"bro","authentication_method":"VNC","uid":"CGhHbC1P1kuJYtR4Ul","server_minor_version":"007","protocol":"rfb","original_string":"RFB | client_minor_version:007 id.orig_p:10254 client_major_version:003 auth:true id.resp_p:5900 share_flag:false desktop_name:aneagles@localhost.localdomain authentication_method:VNC uid:CGhHbC1P1kuJYtR4Ul server_minor_version:007 server_major_version:003 width:1280 id.orig_h:192.168.1.10 ts:1328634261.675248 id.resp_h:192.168.1.114 height:800","ip_dst_addr":"192.168.1.114","ip_src_port":10254,"server_major_version":"003","width":1280,"guid":"c2da5c0b-bfaf-4fff-80c4-be6040fdb57d","ip_src_addr":"192.168.1.10","height":800,"timestamp":1328634261675} +{"dns_requests":0,"bro_timestamp":"1328634261.351352","reassem_frag_size":0,"protocol":"stats","original_string":"STATS | dns_requests:0 timers:35 active_udp_conns:0 reassem_frag_size:0 events_proc:392 active_icmp_conns:0 reassem_file_size:0 udp_conns:0 active_timers:32 events_queued:13 mem:55 reassem_tcp_size:0 
peer:bro pkts_proc:1 icmp_conns:0 active_dns_requests:0 files:0 bytes_recv:62 active_files:0 tcp_conns:1 reassem_unknown_size:0 active_tcp_conns:1 ts:1328634261.351352","mem":55,"reassem_tcp_size":0,"peer":"bro","active_dns_requests":0,"active_files":0,"timestamp":1328634261351,"timers":35,"active_udp_conns":0,"events_proc":392,"active_icmp_conns":0,"reassem_file_size":0,"metron_sensor_type":"bro","udp_conns":0,"active_timers":32,"events_queued":13,"pkts_proc":1,"icmp_conns":0,"files":0,"guid":"2ba97a72-8446-44ba-ac86-d491fa64a4c7","bytes_recv":62,"tcp_conns":1,"reassem_unknown_size":0,"active_tcp_conns":1} +{"bro_timestamp":"1328634276.90953","protocol":"capture_loss","original_string":"CAPTURE_LOSS | peer:bro acks:710 ts_delta:15.558178 gaps:0 ts:1328634276.90953 percent_lost:0.0","peer":"bro","acks":710,"guid":"1587b0b9-2d85-4808-9aaa-9a19477e8f98","ts_delta":15.558178,"gaps":0,"percent_lost":0.0,"timestamp":1328634276909,"metron_sensor_type":"bro"} +{"bro_timestamp":"1216698600.338338","method":"REGISTER","ip_dst_port":10000,"request_body_len":0,"response_path":[],"uri":"sip:t.voncp.com:10000","call_id":"7757a70e218b95730dd2daeaac7d20b1@192.168.1.64","metron_sensor_type":"bro","uid":"Cl2G2m3bdeE8F9I9ei","trans_depth":0,"request_from":"\"16178766111\" ","protocol":"sip","original_string":"SIP | id.orig_p:1033 method:REGISTER request_body_len:0 id.resp_p:10000 response_path:[] uri:sip:t.voncp.com:10000 call_id:7757a70e218b95730dd2daeaac7d20b1@192.168.1.64 uid:Cl2G2m3bdeE8F9I9ei trans_depth:0 request_from:\"16178766111\" request_path:[\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\",\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\",\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\",\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\"] id.orig_h:192.168.1.64 request_to:\"16178766111\" seq:1761527957 REGISTER user_agent:VDV21 001DD92E4F61 2.8.1_1.4.7 LwooEk3GCD\/bcm001DD92E4F61.xml ts:1216698600.338338 
id.resp_h:69.59.232.120","ip_dst_addr":"69.59.232.120","ip_src_port":1033,"request_path":["SIP\/2.0\/UDP 192.168.1.64:10000","SIP\/2.0\/UDP 192.168.1.64:10000","SIP\/2.0\/UDP 192.168.1.64:10000","SIP\/2.0\/UDP 192.168.1.64:10000"],"guid":"a4d1d1c2-b55f-46c5-bd41-d741c9926ff1","request_to":"\"16178766111\" ","ip_src_addr":"192.168.1.64","seq":"1761527957 REGISTER","user_agent":"VDV21 001DD92E4F61 2.8.1_1.4.7 LwooEk3GCD\/bcm001DD92E4F61.xml","timestamp":1216698600338}
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/jsonMap/parsed/jsonMapExampleParsed b/metron-platform/metron-integration-test/src/main/sample/data/jsonMap/parsed/jsonMapExampleParsed
index 7e00c0ec8a..f39c436dfa 100644
--- a/metron-platform/metron-integration-test/src/main/sample/data/jsonMap/parsed/jsonMapExampleParsed
+++ b/metron-platform/metron-integration-test/src/main/sample/data/jsonMap/parsed/jsonMapExampleParsed
@@ -1,2 +1,2 @@
-{ "string" : "bar", "number" : 2, "ignored" : [ "blah" ], "original_string":"{ \"string\" : \"bar\", \"number\" : 2, \"ignored\" : [ \"blah\" ] }","timestamp":1000000000000, "source.type":"jsonMap","guid":"this-is-random-uuid-will-be-36-chars" }
-{ "number" : 7 , "original_string" : "{ \"number\" : 7 }", "source.type":"jsonMap","timestamp":1000000000000,"guid":"this-is-random-uuid-will-be-36-chars"}
+{ "string" : "bar", "number" : 2, "ignored" : [ "blah" ], "original_string":"{ \"string\" : \"bar\", \"number\" : 2, \"ignored\" : [ \"blah\" ] }","timestamp":1000000000000, "metron_sensor_type":"jsonMap","guid":"this-is-random-uuid-will-be-36-chars" }
+{ "number" : 7 , "original_string" : "{ \"number\" : 7 }", "metron_sensor_type":"jsonMap","timestamp":1000000000000,"guid":"this-is-random-uuid-will-be-36-chars"}
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/jsonMapQuery/parsed/jsonMapExampleParsed b/metron-platform/metron-integration-test/src/main/sample/data/jsonMapQuery/parsed/jsonMapExampleParsed
index e614bda818..137585be3a 100644
--- a/metron-platform/metron-integration-test/src/main/sample/data/jsonMapQuery/parsed/jsonMapExampleParsed
+++ b/metron-platform/metron-integration-test/src/main/sample/data/jsonMapQuery/parsed/jsonMapExampleParsed
@@ -1,2 +1,2 @@
-{ "string" : "bar", "number" : 2, "ignored" : [ "blah" ], "original_string":"{ \"string\" : \"bar\", \"number\" : 2, \"ignored\" : [ \"blah\" ] }","timestamp":1000000000000, "source.type":"jsonMapQuery","guid":"this-is-random-uuid-will-be-36-chars" }
-{ "number" : 7 , "original_string" : "{ \"number\" : 7 }", "source.type":"jsonMapQuery","timestamp":1000000000000,"guid":"this-is-random-uuid-will-be-36-chars"}
+{ "string" : "bar", "number" : 2, "ignored" : [ "blah" ], "original_string":"{ \"string\" : \"bar\", \"number\" : 2, \"ignored\" : [ \"blah\" ] }","timestamp":1000000000000, "metron_sensor_type":"jsonMapQuery","guid":"this-is-random-uuid-will-be-36-chars" }
+{ "number" : 7 , "original_string" : "{ \"number\" : 7 }", "metron_sensor_type":"jsonMapQuery","timestamp":1000000000000,"guid":"this-is-random-uuid-will-be-36-chars"}
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/jsonMapWrappedQuery/parsed/jsonMapExampleParsed b/metron-platform/metron-integration-test/src/main/sample/data/jsonMapWrappedQuery/parsed/jsonMapExampleParsed
index c6aac78858..4f126bc3d5 100644
--- a/metron-platform/metron-integration-test/src/main/sample/data/jsonMapWrappedQuery/parsed/jsonMapExampleParsed
+++ b/metron-platform/metron-integration-test/src/main/sample/data/jsonMapWrappedQuery/parsed/jsonMapExampleParsed
@@ -1,6 +1,6 @@
-{ "string" : "foo", "number" : 1, "ignored" : [ "blah" ], "original_string":"{ \"string\" : \"foo\", \"number\" : 1, \"ignored\" : [ \"blah\" ] }","timestamp":1000000000000, "source.type":"jsonMapWrappedQuery","guid":"this-is-random-uuid-will-be-36-chars" }
-{ "number" : 4 , "original_string" : "{ \"number\" : 4 }", "source.type":"jsonMapWrappedQuery","timestamp":1000000000000,"guid":"this-is-random-uuid-will-be-36-chars"}
-{ "string" : "bar", "number" : 2, "ignored" : [ "blah" ], "original_string":"{ \"string\" : \"bar\", \"number\" : 2, \"ignored\" : [ \"blah\" ] }","timestamp":1000000000000, "source.type":"jsonMapWrappedQuery","guid":"this-is-random-uuid-will-be-36-chars" }
-{ "number" : 5 , "original_string" : "{ \"number\" : 5 }", "source.type":"jsonMapWrappedQuery","timestamp":1000000000000,"guid":"this-is-random-uuid-will-be-36-chars"}
-{ "string" : "baz", "number" : 3, "ignored" : [ "blah" ], "original_string":"{ \"string\" : \"baz\", \"number\" : 3, \"ignored\" : [ \"blah\" ] }","timestamp":1000000000000, "source.type":"jsonMapWrappedQuery","guid":"this-is-random-uuid-will-be-36-chars" }
-{ "number" : 6 , "original_string" : "{ \"number\" : 6 }", "source.type":"jsonMapWrappedQuery","timestamp":1000000000000,"guid":"this-is-random-uuid-will-be-36-chars"}
+{ "string" : "foo", "number" : 1, "ignored" : [ "blah" ], "original_string":"{ \"string\" : \"foo\", \"number\" : 1, \"ignored\" : [ \"blah\" ] }","timestamp":1000000000000, "metron_sensor_type":"jsonMapWrappedQuery","guid":"this-is-random-uuid-will-be-36-chars" }
+{ "number" : 4 , "original_string" : "{ \"number\" : 4 }", "metron_sensor_type":"jsonMapWrappedQuery","timestamp":1000000000000,"guid":"this-is-random-uuid-will-be-36-chars"}
+{ "string" : "bar", "number" : 2, "ignored" : [ "blah" ], "original_string":"{ \"string\" : \"bar\", \"number\" : 2, \"ignored\" : [ \"blah\" ] }","timestamp":1000000000000, "metron_sensor_type":"jsonMapWrappedQuery","guid":"this-is-random-uuid-will-be-36-chars" }
+{ "number" : 5 , "original_string" : "{ \"number\" : 5 }", "metron_sensor_type":"jsonMapWrappedQuery","timestamp":1000000000000,"guid":"this-is-random-uuid-will-be-36-chars"}
+{ "string" : "baz", "number" : 3, "ignored" : [ "blah" ], "original_string":"{ \"string\" : \"baz\", \"number\" : 3, \"ignored\" : [ \"blah\" ] }","timestamp":1000000000000, "metron_sensor_type":"jsonMapWrappedQuery","guid":"this-is-random-uuid-will-be-36-chars" }
+{ "number" : 6 , "original_string" : "{ \"number\" : 6 }", "metron_sensor_type":"jsonMapWrappedQuery","timestamp":1000000000000,"guid":"this-is-random-uuid-will-be-36-chars"}
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/snort/parsed/SnortParsed b/metron-platform/metron-integration-test/src/main/sample/data/snort/parsed/SnortParsed
index 02d519e2c2..2362395d02 100644
--- a/metron-platform/metron-integration-test/src/main/sample/data/snort/parsed/SnortParsed
+++ b/metron-platform/metron-integration-test/src/main/sample/data/snort/parsed/SnortParsed
@@ -1,3 +1,3 @@ -{"msg":"Consecutive TCP small segments exceeding threshold","sig_rev":"1","ip_dst_addr":"10.0.2.15","ip_dst_port":"22","ethsrc":"52:54:00:12:35:02","tcpseq":"0x9AFF3D7","dgmlen":"64","icmpid":"","tcplen":"","tcpwindow":"0xFFFF","icmpseq":"","tcpack":"0xC8761D52","original_string":"01\/27\/16-16:01:04.877970 ,129,12,1,\"Consecutive TCP small segments exceeding threshold\",TCP,10.0.2.2,56642,10.0.2.15,22,52:54:00:12:35:02,08:00:27:7F:93:2D,0x4E,***AP***,0x9AFF3D7,0xC8761D52,,0xFFFF,64,0,59677,64,65536,,,,","icmpcode":"","tos":"0","id":"59677","timestamp":1453932941970,"ethdst":"08:00:27:7F:93:2D","ip_src_addr":"10.0.2.2","ttl":"64","source.type":"snort","ethlen":"0x4E","iplen":"65536","icmptype":"","protocol":"TCP","ip_src_port":"56642","tcpflags":"***AP***","sig_id":"12","sig_generator":"129", "is_alert" : "true","guid":"this-is-random-uuid-will-be-36-chars"} -{"msg":"Consecutive TCP small segments exceeding threshold","sig_rev":"1","ip_dst_addr":"10.0.2.15","ip_dst_port":"50895","ethsrc":"52:54:00:12:35:02","tcpseq":"0xDB45F7A","dgmlen":"96","icmpid":"","tcplen":"","tcpwindow":"0xFFFF","icmpseq":"","tcpack":"0x7701DD5B","original_string":"02\/22\/16-15:56:48.612494 ,129,12,1,\"Consecutive TCP small segments exceeding threshold\",TCP,96.44.142.5,80,10.0.2.15,50895,52:54:00:12:35:02,08:00:27:7F:93:2D,0x6E,***AP***,0xDB45F7A,0x7701DD5B,,0xFFFF,64,0,16785,96,98304,,,,","icmpcode":"","tos":"0","id":"16785","timestamp":1456178820494,"ethdst":"08:00:27:7F:93:2D","ip_src_addr":"96.44.142.5","ttl":"64","source.type":"snort","ethlen":"0x6E","iplen":"98304","icmptype":"","protocol":"TCP","ip_src_port":"80","tcpflags":"***AP***","sig_id":"12","sig_generator":"129", "is_alert" : "true","guid":"this-is-random-uuid-will-be-36-chars"} -{"msg":"Consecutive TCP small segments exceeding 
threshold","sig_rev":"1","ip_dst_addr":"10.0.2.15","ip_dst_port":"50895","ethsrc":"52:54:00:12:35:02","tcpseq":"0xDB508F2","dgmlen":"152","icmpid":"","tcplen":"","tcpwindow":"0xFFFF","icmpseq":"","tcpack":"0x7701DD5B","original_string":"02\/22\/16-15:56:48.616775 ,129,12,1,\"Consecutive TCP small segments exceeding threshold\",TCP,96.44.142.5,80,10.0.2.15,50895,52:54:00:12:35:02,08:00:27:7F:93:2D,0xA6,***AP***,0xDB508F2,0x7701DD5B,,0xFFFF,64,0,16824,152,155648,,,,","icmpcode":"","tos":"0","id":"16824","timestamp":1456178824775,"ethdst":"08:00:27:7F:93:2D","ip_src_addr":"96.44.142.5","ttl":"64","source.type":"snort","ethlen":"0xA6","iplen":"155648","icmptype":"","protocol":"TCP","ip_src_port":"80","tcpflags":"***AP***","sig_id":"12","sig_generator":"129", "is_alert" : "true","guid":"this-is-random-uuid-will-be-36-chars"} +{"msg":"Consecutive TCP small segments exceeding threshold","sig_rev":"1","ip_dst_addr":"10.0.2.15","ip_dst_port":"22","ethsrc":"52:54:00:12:35:02","tcpseq":"0x9AFF3D7","dgmlen":"64","icmpid":"","tcplen":"","tcpwindow":"0xFFFF","icmpseq":"","tcpack":"0xC8761D52","original_string":"01\/27\/16-16:01:04.877970 ,129,12,1,\"Consecutive TCP small segments exceeding threshold\",TCP,10.0.2.2,56642,10.0.2.15,22,52:54:00:12:35:02,08:00:27:7F:93:2D,0x4E,***AP***,0x9AFF3D7,0xC8761D52,,0xFFFF,64,0,59677,64,65536,,,,","icmpcode":"","tos":"0","id":"59677","timestamp":1453932941970,"ethdst":"08:00:27:7F:93:2D","ip_src_addr":"10.0.2.2","ttl":"64","metron_sensor_type":"snort","ethlen":"0x4E","iplen":"65536","icmptype":"","protocol":"TCP","ip_src_port":"56642","tcpflags":"***AP***","sig_id":"12","sig_generator":"129", "is_alert" : "true","guid":"this-is-random-uuid-will-be-36-chars"} +{"msg":"Consecutive TCP small segments exceeding 
threshold","sig_rev":"1","ip_dst_addr":"10.0.2.15","ip_dst_port":"50895","ethsrc":"52:54:00:12:35:02","tcpseq":"0xDB45F7A","dgmlen":"96","icmpid":"","tcplen":"","tcpwindow":"0xFFFF","icmpseq":"","tcpack":"0x7701DD5B","original_string":"02\/22\/16-15:56:48.612494 ,129,12,1,\"Consecutive TCP small segments exceeding threshold\",TCP,96.44.142.5,80,10.0.2.15,50895,52:54:00:12:35:02,08:00:27:7F:93:2D,0x6E,***AP***,0xDB45F7A,0x7701DD5B,,0xFFFF,64,0,16785,96,98304,,,,","icmpcode":"","tos":"0","id":"16785","timestamp":1456178820494,"ethdst":"08:00:27:7F:93:2D","ip_src_addr":"96.44.142.5","ttl":"64","metron_sensor_type":"snort","ethlen":"0x6E","iplen":"98304","icmptype":"","protocol":"TCP","ip_src_port":"80","tcpflags":"***AP***","sig_id":"12","sig_generator":"129", "is_alert" : "true","guid":"this-is-random-uuid-will-be-36-chars"} +{"msg":"Consecutive TCP small segments exceeding threshold","sig_rev":"1","ip_dst_addr":"10.0.2.15","ip_dst_port":"50895","ethsrc":"52:54:00:12:35:02","tcpseq":"0xDB508F2","dgmlen":"152","icmpid":"","tcplen":"","tcpwindow":"0xFFFF","icmpseq":"","tcpack":"0x7701DD5B","original_string":"02\/22\/16-15:56:48.616775 ,129,12,1,\"Consecutive TCP small segments exceeding threshold\",TCP,96.44.142.5,80,10.0.2.15,50895,52:54:00:12:35:02,08:00:27:7F:93:2D,0xA6,***AP***,0xDB508F2,0x7701DD5B,,0xFFFF,64,0,16824,152,155648,,,,","icmpcode":"","tos":"0","id":"16824","timestamp":1456178824775,"ethdst":"08:00:27:7F:93:2D","ip_src_addr":"96.44.142.5","ttl":"64","metron_sensor_type":"snort","ethlen":"0xA6","iplen":"155648","icmptype":"","protocol":"TCP","ip_src_port":"80","tcpflags":"***AP***","sig_id":"12","sig_generator":"129", "is_alert" : "true","guid":"this-is-random-uuid-will-be-36-chars"} diff --git a/metron-platform/metron-integration-test/src/main/sample/data/squid/parsed/SquidExampleParsed b/metron-platform/metron-integration-test/src/main/sample/data/squid/parsed/SquidExampleParsed index aad1f9f0b9..9bbd007b1e 100644 
--- a/metron-platform/metron-integration-test/src/main/sample/data/squid/parsed/SquidExampleParsed
+++ b/metron-platform/metron-integration-test/src/main/sample/data/squid/parsed/SquidExampleParsed
@@ -1,2 +1,2 @@
-{"elapsed":161,"code":200,"ip_dst_addr":"199.27.79.73","original_string":"1461576382.642 161 127.0.0.1 TCP_MISS\/200 103701 GET http:\/\/www.cnn.com\/ - DIRECT\/199.27.79.73 text\/html","method":"GET","bytes":103701,"action":"TCP_MISS","ip_src_addr":"127.0.0.1","url":"http://www.cnn.com/","full_hostname":"www.cnn.com", "domain_without_subdomains": "cnn.com", "timestamp":1461576382642,"source.type":"squid","guid":"this-is-random-uuid-will-be-36-chars"}
-{"elapsed":159,"code":200,"ip_dst_addr":"66.210.41.9","original_string":"1461576442.228 159 127.0.0.1 TCP_MISS\/200 137183 GET http:\/\/www.nba.com\/ - DIRECT\/66.210.41.9 text\/html","method":"GET","bytes":137183,"action":"TCP_MISS","ip_src_addr":"127.0.0.1","url":"http://www.nba.com/", "full_hostname":"www.nba.com", "domain_without_subdomains" : "nba.com", "timestamp":1461576442228,"source.type":"squid","guid":"this-is-random-uuid-will-be-36-chars"}
\ No newline at end of file
+{"elapsed":161,"code":200,"ip_dst_addr":"199.27.79.73","original_string":"1461576382.642 161 127.0.0.1 TCP_MISS\/200 103701 GET http:\/\/www.cnn.com\/ - DIRECT\/199.27.79.73 text\/html","method":"GET","bytes":103701,"action":"TCP_MISS","ip_src_addr":"127.0.0.1","url":"http://www.cnn.com/","full_hostname":"www.cnn.com", "domain_without_subdomains": "cnn.com", "timestamp":1461576382642,"metron_sensor_type":"squid","guid":"this-is-random-uuid-will-be-36-chars"}
+{"elapsed":159,"code":200,"ip_dst_addr":"66.210.41.9","original_string":"1461576442.228 159 127.0.0.1 TCP_MISS\/200 137183 GET http:\/\/www.nba.com\/ - DIRECT\/66.210.41.9 text\/html","method":"GET","bytes":137183,"action":"TCP_MISS","ip_src_addr":"127.0.0.1","url":"http://www.nba.com/", "full_hostname":"www.nba.com", "domain_without_subdomains" : "nba.com", "timestamp":1461576442228,"metron_sensor_type":"squid","guid":"this-is-random-uuid-will-be-36-chars"}
\ No newline at end of file
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/test/parsed/TestExampleParsed b/metron-platform/metron-integration-test/src/main/sample/data/test/parsed/TestExampleParsed
index bbb90f337d..aff748adc1 100644
--- a/metron-platform/metron-integration-test/src/main/sample/data/test/parsed/TestExampleParsed
+++ b/metron-platform/metron-integration-test/src/main/sample/data/test/parsed/TestExampleParsed
@@ -1,10 +1,10 @@ -{"iflags":"AS","uflags":0,"isn":"22efa001","ip_dst_addr":"10.0.2.15","ip_dst_port":39468,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| AS| 0| 0| 0|22efa001|00000000|000|000| 1| 44| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"216.21.170.221","tag":0,"rtag":0,"ip_src_port":80,"timestamp":1453994988512,"app":0,"oct":44,"end_reason":"idle","risn":0,"end_time":1453994988512,"source.type":"test","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":6} -{"iflags":"A","uflags":0,"isn":10000000,"ip_dst_addr":"10.0.2.3","ip_dst_port":53,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.502|2016-01-28 15:29:48.502| 0.000| 0.000| 17| 10.0.2.15|37299| 10.0.2.3| 53| A| 0| 0| 0|10000000|00000000|000|000| 1| 56| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":37299,"timestamp":1453994988502,"app":0,"oct":56,"end_reason":"idle","risn":0,"end_time":1453994988502,"source.type":"test","start_time":1453994988502,"riflags":0,"rtt":"0.000","protocol":17} -{"iflags":"A","uflags":0,"isn":0,"ip_dst_addr":"10.0.2.15","ip_dst_port":37299,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.504|2016-01-28 15:29:48.504| 0.000| 0.000| 17| 10.0.2.3| 53| 10.0.2.15|37299| A| 0| 0| 0|00000000|00000000|000|000| 1| 312| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.3","tag":0,"rtag":0,"ip_src_port":53,"timestamp":1453994988504,"app":0,"oct":312,"end_reason":"idle","risn":0,"end_time":1453994988504,"source.type":"test","start_time":1453994988504,"riflags":0,"rtt":"0.000","protocol":17} -{"iflags":"A","uflags":0,"isn":0,"ip_dst_addr":"10.0.2.3","ip_dst_port":53,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.504|2016-01-28 15:29:48.504| 0.000| 0.000| 17| 10.0.2.15|56303| 10.0.2.3| 53| A| 0| 0| 0|00000000|00000000|000|000| 1| 56| 0| 0| 
0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":56303,"timestamp":1453994988504,"app":0,"oct":56,"end_reason":"idle","risn":0,"end_time":1453994988504,"source.type":"test","start_time":1453994988504,"riflags":0,"rtt":"0.000","protocol":17} -{"iflags":"A","uflags":0,"isn":0,"ip_dst_addr":"10.0.2.15","ip_dst_port":56303,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.506|2016-01-28 15:29:48.506| 0.000| 0.000| 17| 10.0.2.3| 53| 10.0.2.15|56303| A| 0| 0| 0|00000000|00000000|000|000| 1| 84| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.3","tag":0,"rtag":0,"ip_src_port":53,"timestamp":1453994988506,"app":0,"oct":84,"end_reason":"idle","risn":0,"end_time":1453994988506,"source.type":"test","start_time":1453994988506,"riflags":0,"rtt":"0.000","protocol":17} -{"iflags":"S","uflags":0,"isn":"58c52fca","ip_dst_addr":"216.21.170.221","ip_dst_port":80,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.508|2016-01-28 15:29:48.508| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| S| 0| 0| 0|58c52fca|00000000|000|000| 1| 60| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":39468,"timestamp":1453994988508,"app":0,"oct":60,"end_reason":"idle","risn":0,"end_time":1453994988508,"source.type":"test","start_time":1453994988508,"riflags":0,"rtt":"0.000","protocol":6} -{"iflags":"A","uflags":0,"isn":"58c52fcb","ip_dst_addr":"216.21.170.221","ip_dst_port":80,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| A| 0| 0| 0|58c52fcb|00000000|000|000| 1| 40| 0| 0| 0|idle ","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":39468,"timestamp":1453994988512,"app":0,"oct":40,"end_reason":"idle ","risn":0,"end_time":1453994988512,"source.type":"test","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":6} 
-{"iflags":"AP","uflags":0,"isn":"58c52fcb","ip_dst_addr":"216.21.170.221","ip_dst_port":80,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| AP| 0| 0| 0|58c52fcb|00000000|000|000| 1| 148| 0| 0| 0|idle ","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":39468,"timestamp":1453994988512,"app":0,"oct":148,"end_reason":"idle ","risn":0,"end_time":1453994988512,"source.type":"test","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":6} -{"iflags":"A","uflags":0,"isn":"22efa002","ip_dst_addr":"10.0.2.15","ip_dst_port":39468,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| A| 0| 0| 0|22efa002|00000000|000|000| 1| 40| 0| 0| 0|idle ","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"216.21.170.221","tag":0,"rtag":0,"ip_src_port":80,"timestamp":1453994988512,"app":0,"oct":40,"end_reason":"idle ","risn":0,"end_time":1453994988512,"source.type":"test","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":6} -{"iflags":"AP","uflags":0,"isn":"22efa002","ip_dst_addr":"10.0.2.15","ip_dst_port":39468,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.562|2016-01-28 15:29:48.562| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| AP| 0| 0| 0|22efa002|00000000|000|000| 1| 604| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"216.21.170.221","tag":0,"rtag":0,"ip_src_port":80,"timestamp":1453994988562,"app":0,"oct":604,"end_reason":"idle","risn":0,"end_time":1453994988562,"source.type":"test","start_time":1453994988562,"riflags":0,"rtt":"0.000","protocol":6} +{"iflags":"AS","uflags":0,"isn":"22efa001","ip_dst_addr":"10.0.2.15","ip_dst_port":39468,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| AS| 0| 0| 
0|22efa001|00000000|000|000| 1| 44| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"216.21.170.221","tag":0,"rtag":0,"ip_src_port":80,"timestamp":1453994988512,"app":0,"oct":44,"end_reason":"idle","risn":0,"end_time":1453994988512,"metron_sensor_type":"test","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":6} +{"iflags":"A","uflags":0,"isn":10000000,"ip_dst_addr":"10.0.2.3","ip_dst_port":53,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.502|2016-01-28 15:29:48.502| 0.000| 0.000| 17| 10.0.2.15|37299| 10.0.2.3| 53| A| 0| 0| 0|10000000|00000000|000|000| 1| 56| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":37299,"timestamp":1453994988502,"app":0,"oct":56,"end_reason":"idle","risn":0,"end_time":1453994988502,"metron_sensor_type":"test","start_time":1453994988502,"riflags":0,"rtt":"0.000","protocol":17} +{"iflags":"A","uflags":0,"isn":0,"ip_dst_addr":"10.0.2.15","ip_dst_port":37299,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.504|2016-01-28 15:29:48.504| 0.000| 0.000| 17| 10.0.2.3| 53| 10.0.2.15|37299| A| 0| 0| 0|00000000|00000000|000|000| 1| 312| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.3","tag":0,"rtag":0,"ip_src_port":53,"timestamp":1453994988504,"app":0,"oct":312,"end_reason":"idle","risn":0,"end_time":1453994988504,"metron_sensor_type":"test","start_time":1453994988504,"riflags":0,"rtt":"0.000","protocol":17} +{"iflags":"A","uflags":0,"isn":0,"ip_dst_addr":"10.0.2.3","ip_dst_port":53,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.504|2016-01-28 15:29:48.504| 0.000| 0.000| 17| 10.0.2.15|56303| 10.0.2.3| 53| A| 0| 0| 0|00000000|00000000|000|000| 1| 56| 0| 0| 
0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":56303,"timestamp":1453994988504,"app":0,"oct":56,"end_reason":"idle","risn":0,"end_time":1453994988504,"metron_sensor_type":"test","start_time":1453994988504,"riflags":0,"rtt":"0.000","protocol":17} +{"iflags":"A","uflags":0,"isn":0,"ip_dst_addr":"10.0.2.15","ip_dst_port":56303,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.506|2016-01-28 15:29:48.506| 0.000| 0.000| 17| 10.0.2.3| 53| 10.0.2.15|56303| A| 0| 0| 0|00000000|00000000|000|000| 1| 84| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.3","tag":0,"rtag":0,"ip_src_port":53,"timestamp":1453994988506,"app":0,"oct":84,"end_reason":"idle","risn":0,"end_time":1453994988506,"metron_sensor_type":"test","start_time":1453994988506,"riflags":0,"rtt":"0.000","protocol":17} +{"iflags":"S","uflags":0,"isn":"58c52fca","ip_dst_addr":"216.21.170.221","ip_dst_port":80,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.508|2016-01-28 15:29:48.508| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| S| 0| 0| 0|58c52fca|00000000|000|000| 1| 60| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":39468,"timestamp":1453994988508,"app":0,"oct":60,"end_reason":"idle","risn":0,"end_time":1453994988508,"metron_sensor_type":"test","start_time":1453994988508,"riflags":0,"rtt":"0.000","protocol":6} +{"iflags":"A","uflags":0,"isn":"58c52fcb","ip_dst_addr":"216.21.170.221","ip_dst_port":80,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| A| 0| 0| 0|58c52fcb|00000000|000|000| 1| 40| 0| 0| 0|idle ","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":39468,"timestamp":1453994988512,"app":0,"oct":40,"end_reason":"idle 
","risn":0,"end_time":1453994988512,"metron_sensor_type":"test","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":6} +{"iflags":"AP","uflags":0,"isn":"58c52fcb","ip_dst_addr":"216.21.170.221","ip_dst_port":80,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| AP| 0| 0| 0|58c52fcb|00000000|000|000| 1| 148| 0| 0| 0|idle ","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":39468,"timestamp":1453994988512,"app":0,"oct":148,"end_reason":"idle ","risn":0,"end_time":1453994988512,"metron_sensor_type":"test","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":6} +{"iflags":"A","uflags":0,"isn":"22efa002","ip_dst_addr":"10.0.2.15","ip_dst_port":39468,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| A| 0| 0| 0|22efa002|00000000|000|000| 1| 40| 0| 0| 0|idle ","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"216.21.170.221","tag":0,"rtag":0,"ip_src_port":80,"timestamp":1453994988512,"app":0,"oct":40,"end_reason":"idle ","risn":0,"end_time":1453994988512,"metron_sensor_type":"test","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":6} +{"iflags":"AP","uflags":0,"isn":"22efa002","ip_dst_addr":"10.0.2.15","ip_dst_port":39468,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.562|2016-01-28 15:29:48.562| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| AP| 0| 0| 0|22efa002|00000000|000|000| 1| 604| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"216.21.170.221","tag":0,"rtag":0,"ip_src_port":80,"timestamp":1453994988562,"app":0,"oct":604,"end_reason":"idle","risn":0,"end_time":1453994988562,"metron_sensor_type":"test","start_time":1453994988562,"riflags":0,"rtt":"0.000","protocol":6} 
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/websphere/parsed/WebsphereParsed b/metron-platform/metron-integration-test/src/main/sample/data/websphere/parsed/WebsphereParsed
index 0f5b0fca0e..7e32213cd0 100644
--- a/metron-platform/metron-integration-test/src/main/sample/data/websphere/parsed/WebsphereParsed
+++ b/metron-platform/metron-integration-test/src/main/sample/data/websphere/parsed/WebsphereParsed
@@ -1,5 +1,5 @@ -{"severity":"notice","hostname":"ABCXML1413","event_type":"auth","original_string":"<133>Apr 15 17:47:28 ABCXML1413 [rojOut][0x81000033][auth][notice] user(rick007): [120.43.200.6]: User logged into 'cohlOut'.","event_code":"0x81000033","security_domain":"rojOut","event_subtype":"login","priority":133,"ip_src_addr":"120.43.200.6","timestamp":1460742448000,"username":"rick007","source.type":"websphere","guid":"this-is-random-uuid-will-be-36-chars"} -{"severity":"info","hostname":"PHIXML3RWD","event_type":"auth","original_string":"<134>Apr 15 18:02:27 PHIXML3RWD [0x81000019][auth][info] [14.122.2.201]: User 'hjpotter' logged out from 'default'.","event_code":"0x81000019","security_domain":"default","event_subtype":"logout","priority":134,"ip_src_addr":"14.122.2.201","timestamp":1460743347000,"username":"hjpotter","source.type":"websphere","guid":"this-is-random-uuid-will-be-36-chars"} -{"severity":"error","hostname":"ROBXML3QRS","process":"rbm","event_type":"auth","original_string":"<131>Apr 15 17:36:35 ROBXML3QRS [0x80800018][auth][error] rbm(RBM-Settings): trans(3502888135)[request] gtid(3502888135): RBM: Resource access denied.","event_code":"0x80800018","message":"trans(3502888135)[request] gtid(3502888135): RBM: Resource access denied.","priority":131,"timestamp":1460741795000,"source.type":"websphere","guid":"this-is-random-uuid-will-be-36-chars"} -{"severity":"info","hostname":"SAGPXMLQA333","process":"trans","event_type":"audit","original_string":"<134>Apr 15 17:17:34 SAGPXMLQA333 [0x8240001c][audit][info] trans(191): (admin:default:system:*): ntp-service 'NTP Service' - Operational state down","event_code":"0x8240001c","message":"(admin:default:system:*): ntp-service 'NTP Service' - Operational state down","priority":134,"timestamp":1460740654000,"source.type":"websphere","guid":"this-is-random-uuid-will-be-36-chars"} -{"severity":"info","hostname":"DOMXML3PUZ","event_type":"auth","original_string":"<134>Apr 15 17:46:52 DOMXML3PUZ 
[0x8100448e][auth][info] CLI timeout occurred.","event_code":"0x8100448e","message":"CLI timeout occurred.","priority":134,"timestamp":1460742412000,"source.type":"websphere","guid":"this-is-random-uuid-will-be-36-chars"} \ No newline at end of file +{"severity":"notice","hostname":"ABCXML1413","event_type":"auth","original_string":"<133>Apr 15 17:47:28 ABCXML1413 [rojOut][0x81000033][auth][notice] user(rick007): [120.43.200.6]: User logged into 'cohlOut'.","event_code":"0x81000033","security_domain":"rojOut","event_subtype":"login","priority":133,"ip_src_addr":"120.43.200.6","timestamp":1460742448000,"username":"rick007","metron_sensor_type":"websphere","guid":"this-is-random-uuid-will-be-36-chars"} +{"severity":"info","hostname":"PHIXML3RWD","event_type":"auth","original_string":"<134>Apr 15 18:02:27 PHIXML3RWD [0x81000019][auth][info] [14.122.2.201]: User 'hjpotter' logged out from 'default'.","event_code":"0x81000019","security_domain":"default","event_subtype":"logout","priority":134,"ip_src_addr":"14.122.2.201","timestamp":1460743347000,"username":"hjpotter","metron_sensor_type":"websphere","guid":"this-is-random-uuid-will-be-36-chars"} +{"severity":"error","hostname":"ROBXML3QRS","process":"rbm","event_type":"auth","original_string":"<131>Apr 15 17:36:35 ROBXML3QRS [0x80800018][auth][error] rbm(RBM-Settings): trans(3502888135)[request] gtid(3502888135): RBM: Resource access denied.","event_code":"0x80800018","message":"trans(3502888135)[request] gtid(3502888135): RBM: Resource access denied.","priority":131,"timestamp":1460741795000,"metron_sensor_type":"websphere","guid":"this-is-random-uuid-will-be-36-chars"} +{"severity":"info","hostname":"SAGPXMLQA333","process":"trans","event_type":"audit","original_string":"<134>Apr 15 17:17:34 SAGPXMLQA333 [0x8240001c][audit][info] trans(191): (admin:default:system:*): ntp-service 'NTP Service' - Operational state down","event_code":"0x8240001c","message":"(admin:default:system:*): ntp-service 'NTP Service' - 
Operational state down","priority":134,"timestamp":1460740654000,"metron_sensor_type":"websphere","guid":"this-is-random-uuid-will-be-36-chars"} +{"severity":"info","hostname":"DOMXML3PUZ","event_type":"auth","original_string":"<134>Apr 15 17:46:52 DOMXML3PUZ [0x8100448e][auth][info] CLI timeout occurred.","event_code":"0x8100448e","message":"CLI timeout occurred.","priority":134,"timestamp":1460742412000,"metron_sensor_type":"websphere","guid":"this-is-random-uuid-will-be-36-chars"} \ No newline at end of file diff --git a/metron-platform/metron-integration-test/src/main/sample/data/yaf/indexed/YafIndexed b/metron-platform/metron-integration-test/src/main/sample/data/yaf/indexed/YafIndexed index d48fa461be..11be6e5476 100644 --- a/metron-platform/metron-integration-test/src/main/sample/data/yaf/indexed/YafIndexed +++ b/metron-platform/metron-integration-test/src/main/sample/data/yaf/indexed/YafIndexed 
@@ -1,10 +1,10 @@ -{"adapter.threatinteladapter.end.ts":"1457102731219","enrichments.geo.dip.location_point":"test latitude,test longitude","isn":"22efa001","index.elasticsearchwriter.ts":"1457102731220","dip":"10.0.2.15","dp":39468,"rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| AS| 0| 0| 0|22efa001|00000000|000|000| 1| 44| 0| 0| 0|idle","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichmentjoinbolt.joiner.ts":"1457102731206","adapter.hostfromjsonlistadapter.begin.ts":"1457102731185","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":44,"end_reason":"idle","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731185","threatintelsplitterbolt.splitter.ts":"1457102731207","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988512,"adapter.threatinteladapter.begin.ts":"1457102731210","riflags":0,"proto":6,"enrichments.host.dip.known_info.local":"YES","enrichments.geo.dip.longitude":"test longitude","iflags":"AS","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731198","adapter.hostfromjsonlistadapter.end.ts":"1457102731197","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731220","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"216.21.170.221","rtag":0,"sp":80,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988512,"risn":0,"enrichments.host.dip.known_info.type":"printer","end_time":1453994988512,"enrichments.host.dip.known_info.asset_value":"important","source.type":"yaf","rtt":"0.000"} 
-{"adapter.threatinteladapter.end.ts":"1457102731221","enrichments.geo.dip.location_point":"test latitude,test longitude","enrichments.host.sip.known_info.asset_value":"important","isn":10000000,"index.elasticsearchwriter.ts":"1457102731221","dip":"10.0.2.3","dp":53,"rpkt":0,"original_string":"2016-01-28 15:29:48.502|2016-01-28 15:29:48.502| 0.000| 0.000| 17| 10.0.2.15|37299| 10.0.2.3| 53| A| 0| 0| 0|10000000|00000000|000|000| 1| 56| 0| 0| 0|idle","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichments.host.sip.known_info.type":"printer","enrichmentjoinbolt.joiner.ts":"1457102731208","adapter.hostfromjsonlistadapter.begin.ts":"1457102731197","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":56,"end_reason":"idle","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731198","threatintelsplitterbolt.splitter.ts":"1457102731210","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988502,"adapter.threatinteladapter.begin.ts":"1457102731219","riflags":0,"proto":17,"enrichments.geo.dip.longitude":"test longitude","iflags":"A","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731198","adapter.hostfromjsonlistadapter.end.ts":"1457102731197","enrichments.host.sip.known_info.local":"YES","threatintels.ip.dip.ip_threat_intel":"alert","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731221","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"10.0.2.15","rtag":0,"sp":37299,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test 
latitude","timestamp":1453994988502,"risn":0,"end_time":1453994988502,"is_alert":"true","source.type":"yaf","rtt":"0.000"} -{"adapter.threatinteladapter.end.ts":"1457102731221","enrichments.geo.dip.location_point":"test latitude,test longitude","isn":0,"index.elasticsearchwriter.ts":"1457102731222","dip":"10.0.2.15","dp":37299,"rpkt":0,"original_string":"2016-01-28 15:29:48.504|2016-01-28 15:29:48.504| 0.000| 0.000| 17| 10.0.2.3| 53| 10.0.2.15|37299| A| 0| 0| 0|00000000|00000000|000|000| 1| 312| 0| 0| 0|idle","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichmentjoinbolt.joiner.ts":"1457102731209","adapter.hostfromjsonlistadapter.begin.ts":"1457102731197","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":312,"end_reason":"idle","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731198","threatintelsplitterbolt.splitter.ts":"1457102731210","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988504,"adapter.threatinteladapter.begin.ts":"1457102731221","riflags":0,"proto":17,"enrichments.host.dip.known_info.local":"YES","enrichments.geo.dip.longitude":"test longitude","iflags":"A","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731222","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"10.0.2.3","rtag":0,"sp":53,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test 
latitude","timestamp":1453994988504,"risn":0,"enrichments.host.dip.known_info.type":"printer","end_time":1453994988504,"enrichments.host.dip.known_info.asset_value":"important","is_alert":"true","source.type":"yaf","threatintels.ip.sip.ip_threat_intel":"alert","rtt":"0.000"} -{"adapter.threatinteladapter.end.ts":"1457102731222","enrichments.geo.dip.location_point":"test latitude,test longitude","enrichments.host.sip.known_info.asset_value":"important","isn":0,"index.elasticsearchwriter.ts":"1457102731222","dip":"10.0.2.3","dp":53,"rpkt":0,"original_string":"2016-01-28 15:29:48.504|2016-01-28 15:29:48.504| 0.000| 0.000| 17| 10.0.2.15|56303| 10.0.2.3| 53| A| 0| 0| 0|00000000|00000000|000|000| 1| 56| 0| 0| 0|idle","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichments.host.sip.known_info.type":"printer","enrichmentjoinbolt.joiner.ts":"1457102731209","adapter.hostfromjsonlistadapter.begin.ts":"1457102731198","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":56,"end_reason":"idle","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731199","threatintelsplitterbolt.splitter.ts":"1457102731211","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988504,"adapter.threatinteladapter.begin.ts":"1457102731221","riflags":0,"proto":17,"enrichments.geo.dip.longitude":"test longitude","iflags":"A","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.host.sip.known_info.local":"YES","threatintels.ip.dip.ip_threat_intel":"alert","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731222","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test 
latitude,test longitude","ruflags":0,"roct":0,"sip":"10.0.2.15","rtag":0,"sp":56303,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988504,"risn":0,"end_time":1453994988504,"is_alert":"true","source.type":"yaf","rtt":"0.000"} -{"adapter.threatinteladapter.end.ts":"1457102731222","enrichments.geo.dip.location_point":"test latitude,test longitude","isn":0,"index.elasticsearchwriter.ts":"1457102731222","dip":"10.0.2.15","dp":56303,"rpkt":0,"original_string":"2016-01-28 15:29:48.506|2016-01-28 15:29:48.506| 0.000| 0.000| 17| 10.0.2.3| 53| 10.0.2.15|56303| A| 0| 0| 0|00000000|00000000|000|000| 1| 84| 0| 0| 0|idle","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichmentjoinbolt.joiner.ts":"1457102731210","adapter.hostfromjsonlistadapter.begin.ts":"1457102731198","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":84,"end_reason":"idle","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731199","threatintelsplitterbolt.splitter.ts":"1457102731212","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988506,"adapter.threatinteladapter.begin.ts":"1457102731222","riflags":0,"proto":17,"enrichments.host.dip.known_info.local":"YES","enrichments.geo.dip.longitude":"test longitude","iflags":"A","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731222","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"10.0.2.3","rtag":0,"sp":53,"enrichments.geo.sip.longitude":"test 
longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988506,"risn":0,"enrichments.host.dip.known_info.type":"printer","end_time":1453994988506,"enrichments.host.dip.known_info.asset_value":"important","is_alert":"true","source.type":"yaf","threatintels.ip.sip.ip_threat_intel":"alert","rtt":"0.000"} -{"adapter.threatinteladapter.end.ts":"1457102731222","enrichments.geo.dip.location_point":"test latitude,test longitude","enrichments.host.sip.known_info.asset_value":"important","isn":"58c52fca","index.elasticsearchwriter.ts":"1457102732038","dip":"216.21.170.221","dp":80,"rpkt":0,"original_string":"2016-01-28 15:29:48.508|2016-01-28 15:29:48.508| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| S| 0| 0| 0|58c52fca|00000000|000|000| 1| 60| 0| 0| 0|idle","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichments.host.sip.known_info.type":"printer","enrichmentjoinbolt.joiner.ts":"1457102731210","adapter.hostfromjsonlistadapter.begin.ts":"1457102731198","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":60,"end_reason":"idle","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731199","threatintelsplitterbolt.splitter.ts":"1457102731212","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988508,"adapter.threatinteladapter.begin.ts":"1457102731222","riflags":0,"proto":6,"enrichments.geo.dip.longitude":"test longitude","iflags":"S","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.host.sip.known_info.local":"YES","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731223","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test 
dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"10.0.2.15","rtag":0,"sp":39468,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988508,"risn":0,"end_time":1453994988508,"source.type":"yaf","rtt":"0.000"} -{"adapter.threatinteladapter.end.ts":"1457102731223","enrichments.geo.dip.location_point":"test latitude,test longitude","enrichments.host.sip.known_info.asset_value":"important","isn":"58c52fcb","index.elasticsearchwriter.ts":"1457102732038","dip":"216.21.170.221","dp":80,"rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| A| 0| 0| 0|58c52fcb|00000000|000|000| 1| 40| 0| 0| 0|idle ","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichments.host.sip.known_info.type":"printer","enrichmentjoinbolt.joiner.ts":"1457102731210","adapter.hostfromjsonlistadapter.begin.ts":"1457102731198","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":40,"end_reason":"idle ","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731199","threatintelsplitterbolt.splitter.ts":"1457102731212","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988512,"adapter.threatinteladapter.begin.ts":"1457102731223","riflags":0,"proto":6,"enrichments.geo.dip.longitude":"test longitude","iflags":"A","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.host.sip.known_info.local":"YES","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731223","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test 
dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"10.0.2.15","rtag":0,"sp":39468,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988512,"risn":0,"end_time":1453994988512,"source.type":"yaf","rtt":"0.000"} -{"adapter.threatinteladapter.end.ts":"1457102731223","enrichments.geo.dip.location_point":"test latitude,test longitude","enrichments.host.sip.known_info.asset_value":"important","isn":"58c52fcb","index.elasticsearchwriter.ts":"1457102732038","dip":"216.21.170.221","dp":80,"rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| AP| 0| 0| 0|58c52fcb|00000000|000|000| 1| 148| 0| 0| 0|idle ","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichments.host.sip.known_info.type":"printer","enrichmentjoinbolt.joiner.ts":"1457102731210","adapter.hostfromjsonlistadapter.begin.ts":"1457102731198","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":148,"end_reason":"idle ","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731199","threatintelsplitterbolt.splitter.ts":"1457102731212","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988512,"adapter.threatinteladapter.begin.ts":"1457102731223","riflags":0,"proto":6,"enrichments.geo.dip.longitude":"test longitude","iflags":"AP","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.host.sip.known_info.local":"YES","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731225","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test 
dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"10.0.2.15","rtag":0,"sp":39468,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988512,"risn":0,"end_time":1453994988512,"source.type":"yaf","rtt":"0.000"} -{"adapter.threatinteladapter.end.ts":"1457102731225","enrichments.geo.dip.location_point":"test latitude,test longitude","isn":"22efa002","index.elasticsearchwriter.ts":"1457102732038","dip":"10.0.2.15","dp":39468,"rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| A| 0| 0| 0|22efa002|00000000|000|000| 1| 40| 0| 0| 0|idle ","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichmentjoinbolt.joiner.ts":"1457102731211","adapter.hostfromjsonlistadapter.begin.ts":"1457102731198","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":40,"end_reason":"idle ","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731199","threatintelsplitterbolt.splitter.ts":"1457102731212","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988512,"adapter.threatinteladapter.begin.ts":"1457102731223","riflags":0,"proto":6,"enrichments.host.dip.known_info.local":"YES","enrichments.geo.dip.longitude":"test longitude","iflags":"A","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731225","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test 
longitude","ruflags":0,"roct":0,"sip":"216.21.170.221","rtag":0,"sp":80,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988512,"risn":0,"enrichments.host.dip.known_info.type":"printer","end_time":1453994988512,"enrichments.host.dip.known_info.asset_value":"important","source.type":"yaf","rtt":"0.000"} -{"adapter.threatinteladapter.end.ts":"1457102731226","enrichments.geo.dip.location_point":"test latitude,test longitude","isn":"22efa002","index.elasticsearchwriter.ts":"1457102732038","dip":"10.0.2.15","dp":39468,"rpkt":0,"original_string":"2016-01-28 15:29:48.562|2016-01-28 15:29:48.562| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| AP| 0| 0| 0|22efa002|00000000|000|000| 1| 604| 0| 0| 0|idle","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichmentjoinbolt.joiner.ts":"1457102731211","adapter.hostfromjsonlistadapter.begin.ts":"1457102731198","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":604,"end_reason":"idle","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731199","threatintelsplitterbolt.splitter.ts":"1457102731213","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988562,"adapter.threatinteladapter.begin.ts":"1457102731226","riflags":0,"proto":6,"enrichments.host.dip.known_info.local":"YES","enrichments.geo.dip.longitude":"test longitude","iflags":"AP","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731226","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test 
longitude","ruflags":0,"roct":0,"sip":"216.21.170.221","rtag":0,"sp":80,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988562,"risn":0,"enrichments.host.dip.known_info.type":"printer","end_time":1453994988562,"enrichments.host.dip.known_info.asset_value":"important","source.type":"yaf","rtt":"0.000"} +{"adapter.threatinteladapter.end.ts":"1457102731219","enrichments.geo.dip.location_point":"test latitude,test longitude","isn":"22efa001","index.elasticsearchwriter.ts":"1457102731220","dip":"10.0.2.15","dp":39468,"rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| AS| 0| 0| 0|22efa001|00000000|000|000| 1| 44| 0| 0| 0|idle","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichmentjoinbolt.joiner.ts":"1457102731206","adapter.hostfromjsonlistadapter.begin.ts":"1457102731185","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":44,"end_reason":"idle","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731185","threatintelsplitterbolt.splitter.ts":"1457102731207","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988512,"adapter.threatinteladapter.begin.ts":"1457102731210","riflags":0,"proto":6,"enrichments.host.dip.known_info.local":"YES","enrichments.geo.dip.longitude":"test longitude","iflags":"AS","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731198","adapter.hostfromjsonlistadapter.end.ts":"1457102731197","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731220","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test 
longitude","ruflags":0,"roct":0,"sip":"216.21.170.221","rtag":0,"sp":80,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988512,"risn":0,"enrichments.host.dip.known_info.type":"printer","end_time":1453994988512,"enrichments.host.dip.known_info.asset_value":"important","metron_sensor_type":"yaf","rtt":"0.000"} +{"adapter.threatinteladapter.end.ts":"1457102731221","enrichments.geo.dip.location_point":"test latitude,test longitude","enrichments.host.sip.known_info.asset_value":"important","isn":10000000,"index.elasticsearchwriter.ts":"1457102731221","dip":"10.0.2.3","dp":53,"rpkt":0,"original_string":"2016-01-28 15:29:48.502|2016-01-28 15:29:48.502| 0.000| 0.000| 17| 10.0.2.15|37299| 10.0.2.3| 53| A| 0| 0| 0|10000000|00000000|000|000| 1| 56| 0| 0| 0|idle","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichments.host.sip.known_info.type":"printer","enrichmentjoinbolt.joiner.ts":"1457102731208","adapter.hostfromjsonlistadapter.begin.ts":"1457102731197","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":56,"end_reason":"idle","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731198","threatintelsplitterbolt.splitter.ts":"1457102731210","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988502,"adapter.threatinteladapter.begin.ts":"1457102731219","riflags":0,"proto":17,"enrichments.geo.dip.longitude":"test longitude","iflags":"A","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731198","adapter.hostfromjsonlistadapter.end.ts":"1457102731197","enrichments.host.sip.known_info.local":"YES","threatintels.ip.dip.ip_threat_intel":"alert","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731221","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test 
city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"10.0.2.15","rtag":0,"sp":37299,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988502,"risn":0,"end_time":1453994988502,"is_alert":"true","metron_sensor_type":"yaf","rtt":"0.000"} +{"adapter.threatinteladapter.end.ts":"1457102731221","enrichments.geo.dip.location_point":"test latitude,test longitude","isn":0,"index.elasticsearchwriter.ts":"1457102731222","dip":"10.0.2.15","dp":37299,"rpkt":0,"original_string":"2016-01-28 15:29:48.504|2016-01-28 15:29:48.504| 0.000| 0.000| 17| 10.0.2.3| 53| 10.0.2.15|37299| A| 0| 0| 0|00000000|00000000|000|000| 1| 312| 0| 0| 0|idle","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichmentjoinbolt.joiner.ts":"1457102731209","adapter.hostfromjsonlistadapter.begin.ts":"1457102731197","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":312,"end_reason":"idle","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731198","threatintelsplitterbolt.splitter.ts":"1457102731210","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988504,"adapter.threatinteladapter.begin.ts":"1457102731221","riflags":0,"proto":17,"enrichments.host.dip.known_info.local":"YES","enrichments.geo.dip.longitude":"test longitude","iflags":"A","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731222","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test 
longitude","ruflags":0,"roct":0,"sip":"10.0.2.3","rtag":0,"sp":53,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988504,"risn":0,"enrichments.host.dip.known_info.type":"printer","end_time":1453994988504,"enrichments.host.dip.known_info.asset_value":"important","is_alert":"true","metron_sensor_type":"yaf","threatintels.ip.sip.ip_threat_intel":"alert","rtt":"0.000"} +{"adapter.threatinteladapter.end.ts":"1457102731222","enrichments.geo.dip.location_point":"test latitude,test longitude","enrichments.host.sip.known_info.asset_value":"important","isn":0,"index.elasticsearchwriter.ts":"1457102731222","dip":"10.0.2.3","dp":53,"rpkt":0,"original_string":"2016-01-28 15:29:48.504|2016-01-28 15:29:48.504| 0.000| 0.000| 17| 10.0.2.15|56303| 10.0.2.3| 53| A| 0| 0| 0|00000000|00000000|000|000| 1| 56| 0| 0| 0|idle","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichments.host.sip.known_info.type":"printer","enrichmentjoinbolt.joiner.ts":"1457102731209","adapter.hostfromjsonlistadapter.begin.ts":"1457102731198","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":56,"end_reason":"idle","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731199","threatintelsplitterbolt.splitter.ts":"1457102731211","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988504,"adapter.threatinteladapter.begin.ts":"1457102731221","riflags":0,"proto":17,"enrichments.geo.dip.longitude":"test longitude","iflags":"A","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.host.sip.known_info.local":"YES","threatintels.ip.dip.ip_threat_intel":"alert","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731222","enrichments.geo.dip.latitude":"test 
latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"10.0.2.15","rtag":0,"sp":56303,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988504,"risn":0,"end_time":1453994988504,"is_alert":"true","metron_sensor_type":"yaf","rtt":"0.000"} +{"adapter.threatinteladapter.end.ts":"1457102731222","enrichments.geo.dip.location_point":"test latitude,test longitude","isn":0,"index.elasticsearchwriter.ts":"1457102731222","dip":"10.0.2.15","dp":56303,"rpkt":0,"original_string":"2016-01-28 15:29:48.506|2016-01-28 15:29:48.506| 0.000| 0.000| 17| 10.0.2.3| 53| 10.0.2.15|56303| A| 0| 0| 0|00000000|00000000|000|000| 1| 84| 0| 0| 0|idle","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichmentjoinbolt.joiner.ts":"1457102731210","adapter.hostfromjsonlistadapter.begin.ts":"1457102731198","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":84,"end_reason":"idle","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731199","threatintelsplitterbolt.splitter.ts":"1457102731212","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988506,"adapter.threatinteladapter.begin.ts":"1457102731222","riflags":0,"proto":17,"enrichments.host.dip.known_info.local":"YES","enrichments.geo.dip.longitude":"test longitude","iflags":"A","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731222","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test 
dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"10.0.2.3","rtag":0,"sp":53,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988506,"risn":0,"enrichments.host.dip.known_info.type":"printer","end_time":1453994988506,"enrichments.host.dip.known_info.asset_value":"important","is_alert":"true","metron_sensor_type":"yaf","threatintels.ip.sip.ip_threat_intel":"alert","rtt":"0.000"} +{"adapter.threatinteladapter.end.ts":"1457102731222","enrichments.geo.dip.location_point":"test latitude,test longitude","enrichments.host.sip.known_info.asset_value":"important","isn":"58c52fca","index.elasticsearchwriter.ts":"1457102732038","dip":"216.21.170.221","dp":80,"rpkt":0,"original_string":"2016-01-28 15:29:48.508|2016-01-28 15:29:48.508| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| S| 0| 0| 0|58c52fca|00000000|000|000| 1| 60| 0| 0| 0|idle","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichments.host.sip.known_info.type":"printer","enrichmentjoinbolt.joiner.ts":"1457102731210","adapter.hostfromjsonlistadapter.begin.ts":"1457102731198","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":60,"end_reason":"idle","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731199","threatintelsplitterbolt.splitter.ts":"1457102731212","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988508,"adapter.threatinteladapter.begin.ts":"1457102731222","riflags":0,"proto":6,"enrichments.geo.dip.longitude":"test longitude","iflags":"S","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.host.sip.known_info.local":"YES","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test 
country","threatinteljoinbolt.joiner.ts":"1457102731223","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"10.0.2.15","rtag":0,"sp":39468,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988508,"risn":0,"end_time":1453994988508,"metron_sensor_type":"yaf","rtt":"0.000"} +{"adapter.threatinteladapter.end.ts":"1457102731223","enrichments.geo.dip.location_point":"test latitude,test longitude","enrichments.host.sip.known_info.asset_value":"important","isn":"58c52fcb","index.elasticsearchwriter.ts":"1457102732038","dip":"216.21.170.221","dp":80,"rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| A| 0| 0| 0|58c52fcb|00000000|000|000| 1| 40| 0| 0| 0|idle ","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichments.host.sip.known_info.type":"printer","enrichmentjoinbolt.joiner.ts":"1457102731210","adapter.hostfromjsonlistadapter.begin.ts":"1457102731198","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":40,"end_reason":"idle ","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731199","threatintelsplitterbolt.splitter.ts":"1457102731212","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988512,"adapter.threatinteladapter.begin.ts":"1457102731223","riflags":0,"proto":6,"enrichments.geo.dip.longitude":"test longitude","iflags":"A","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.host.sip.known_info.local":"YES","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test 
country","threatinteljoinbolt.joiner.ts":"1457102731223","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"10.0.2.15","rtag":0,"sp":39468,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988512,"risn":0,"end_time":1453994988512,"metron_sensor_type":"yaf","rtt":"0.000"} +{"adapter.threatinteladapter.end.ts":"1457102731223","enrichments.geo.dip.location_point":"test latitude,test longitude","enrichments.host.sip.known_info.asset_value":"important","isn":"58c52fcb","index.elasticsearchwriter.ts":"1457102732038","dip":"216.21.170.221","dp":80,"rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| AP| 0| 0| 0|58c52fcb|00000000|000|000| 1| 148| 0| 0| 0|idle ","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichments.host.sip.known_info.type":"printer","enrichmentjoinbolt.joiner.ts":"1457102731210","adapter.hostfromjsonlistadapter.begin.ts":"1457102731198","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":148,"end_reason":"idle ","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731199","threatintelsplitterbolt.splitter.ts":"1457102731212","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988512,"adapter.threatinteladapter.begin.ts":"1457102731223","riflags":0,"proto":6,"enrichments.geo.dip.longitude":"test longitude","iflags":"AP","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.host.sip.known_info.local":"YES","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test 
country","threatinteljoinbolt.joiner.ts":"1457102731225","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"10.0.2.15","rtag":0,"sp":39468,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988512,"risn":0,"end_time":1453994988512,"metron_sensor_type":"yaf","rtt":"0.000"} +{"adapter.threatinteladapter.end.ts":"1457102731225","enrichments.geo.dip.location_point":"test latitude,test longitude","isn":"22efa002","index.elasticsearchwriter.ts":"1457102732038","dip":"10.0.2.15","dp":39468,"rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| A| 0| 0| 0|22efa002|00000000|000|000| 1| 40| 0| 0| 0|idle ","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichmentjoinbolt.joiner.ts":"1457102731211","adapter.hostfromjsonlistadapter.begin.ts":"1457102731198","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":40,"end_reason":"idle ","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731199","threatintelsplitterbolt.splitter.ts":"1457102731212","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988512,"adapter.threatinteladapter.begin.ts":"1457102731223","riflags":0,"proto":6,"enrichments.host.dip.known_info.local":"YES","enrichments.geo.dip.longitude":"test longitude","iflags":"A","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731225","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test 
country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"216.21.170.221","rtag":0,"sp":80,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988512,"risn":0,"enrichments.host.dip.known_info.type":"printer","end_time":1453994988512,"enrichments.host.dip.known_info.asset_value":"important","metron_sensor_type":"yaf","rtt":"0.000"} +{"adapter.threatinteladapter.end.ts":"1457102731226","enrichments.geo.dip.location_point":"test latitude,test longitude","isn":"22efa002","index.elasticsearchwriter.ts":"1457102732038","dip":"10.0.2.15","dp":39468,"rpkt":0,"original_string":"2016-01-28 15:29:48.562|2016-01-28 15:29:48.562| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| AP| 0| 0| 0|22efa002|00000000|000|000| 1| 604| 0| 0| 0|idle","enrichments.geo.dip.locID":"1","enrichments.geo.sip.city":"test city","enrichmentjoinbolt.joiner.ts":"1457102731211","adapter.hostfromjsonlistadapter.begin.ts":"1457102731198","tag":0,"enrichments.geo.dip.dmaCode":"test dmaCode","app":0,"oct":604,"end_reason":"idle","enrichments.geo.sip.locID":"1","adapter.mockgeoadapter.begin.ts":"1457102731199","threatintelsplitterbolt.splitter.ts":"1457102731213","enrichments.geo.dip.postalCode":"test postalCode","start_time":1453994988562,"adapter.threatinteladapter.begin.ts":"1457102731226","riflags":0,"proto":6,"enrichments.host.dip.known_info.local":"YES","enrichments.geo.dip.longitude":"test longitude","iflags":"AP","uflags":0,"adapter.mockgeoadapter.end.ts":"1457102731199","adapter.hostfromjsonlistadapter.end.ts":"1457102731198","enrichments.geo.sip.postalCode":"test postalCode","duration":"0.000","enrichments.geo.dip.country":"test country","threatinteljoinbolt.joiner.ts":"1457102731226","enrichments.geo.dip.latitude":"test latitude","enrichments.geo.sip.country":"test 
country","enrichments.geo.dip.city":"test city","enrichments.geo.sip.dmaCode":"test dmaCode","pkt":1,"enrichments.geo.sip.location_point":"test latitude,test longitude","ruflags":0,"roct":0,"sip":"216.21.170.221","rtag":0,"sp":80,"enrichments.geo.sip.longitude":"test longitude","enrichments.geo.sip.latitude":"test latitude","timestamp":1453994988562,"risn":0,"enrichments.host.dip.known_info.type":"printer","end_time":1453994988562,"enrichments.host.dip.known_info.asset_value":"important","metron_sensor_type":"yaf","rtt":"0.000"} diff --git a/metron-platform/metron-integration-test/src/main/sample/data/yaf/parsed/YafExampleParsed b/metron-platform/metron-integration-test/src/main/sample/data/yaf/parsed/YafExampleParsed index 6ee2b2faf7..83be5ecc4d 100644 --- a/metron-platform/metron-integration-test/src/main/sample/data/yaf/parsed/YafExampleParsed +++ b/metron-platform/metron-integration-test/src/main/sample/data/yaf/parsed/YafExampleParsed 
@@ -1,10 +1,10 @@ -{"iflags":"AS","uflags":0,"isn":"22efa001","ip_dst_addr":"10.0.2.15","ip_dst_port":39468,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| AS| 0| 0| 0|22efa001|00000000|000|000| 1| 44| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"216.21.170.221","tag":0,"rtag":0,"ip_src_port":80,"timestamp":1453994988512,"app":0,"oct":44,"end_reason":"idle","risn":0,"end_time":1453994988512,"source.type":"yaf","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":"TCP","guid":"this-is-random-uuid-will-be-36-chars"} -{"iflags":"A","uflags":0,"isn":10000000,"ip_dst_addr":"10.0.2.3","ip_dst_port":53,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.502|2016-01-28 15:29:48.502| 0.000| 0.000| 17| 10.0.2.15|37299| 10.0.2.3| 53| A| 0| 0| 0|10000000|00000000|000|000| 1| 56| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":37299,"timestamp":1453994988502,"app":0,"oct":56,"end_reason":"idle","risn":0,"end_time":1453994988502,"source.type":"yaf","start_time":1453994988502,"riflags":0,"rtt":"0.000","protocol":"UDP","guid":"this-is-random-uuid-will-be-36-chars"} -{"iflags":"A","uflags":0,"isn":0,"ip_dst_addr":"10.0.2.15","ip_dst_port":37299,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.504|2016-01-28 15:29:48.504| 0.000| 0.000| 17| 10.0.2.3| 53| 10.0.2.15|37299| A| 0| 0| 0|00000000|00000000|000|000| 1| 312| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.3","tag":0,"rtag":0,"ip_src_port":53,"timestamp":1453994988504,"app":0,"oct":312,"end_reason":"idle","risn":0,"end_time":1453994988504,"source.type":"yaf","start_time":1453994988504,"riflags":0,"rtt":"0.000","protocol":"UDP","guid":"this-is-random-uuid-will-be-36-chars"} 
-{"iflags":"A","uflags":0,"isn":0,"ip_dst_addr":"10.0.2.3","ip_dst_port":53,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.504|2016-01-28 15:29:48.504| 0.000| 0.000| 17| 10.0.2.15|56303| 10.0.2.3| 53| A| 0| 0| 0|00000000|00000000|000|000| 1| 56| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":56303,"timestamp":1453994988504,"app":0,"oct":56,"end_reason":"idle","risn":0,"end_time":1453994988504,"source.type":"yaf","start_time":1453994988504,"riflags":0,"rtt":"0.000","protocol":"UDP","guid":"this-is-random-uuid-will-be-36-chars"} -{"iflags":"A","uflags":0,"isn":0,"ip_dst_addr":"10.0.2.15","ip_dst_port":56303,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.506|2016-01-28 15:29:48.506| 0.000| 0.000| 17| 10.0.2.3| 53| 10.0.2.15|56303| A| 0| 0| 0|00000000|00000000|000|000| 1| 84| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.3","tag":0,"rtag":0,"ip_src_port":53,"timestamp":1453994988506,"app":0,"oct":84,"end_reason":"idle","risn":0,"end_time":1453994988506,"source.type":"yaf","start_time":1453994988506,"riflags":0,"rtt":"0.000","protocol":"UDP","guid":"this-is-random-uuid-will-be-36-chars"} -{"iflags":"S","uflags":0,"isn":"58c52fca","ip_dst_addr":"216.21.170.221","ip_dst_port":80,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.508|2016-01-28 15:29:48.508| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| S| 0| 0| 0|58c52fca|00000000|000|000| 1| 60| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":39468,"timestamp":1453994988508,"app":0,"oct":60,"end_reason":"idle","risn":0,"end_time":1453994988508,"source.type":"yaf","start_time":1453994988508,"riflags":0,"rtt":"0.000","protocol":"TCP","guid":"this-is-random-uuid-will-be-36-chars"} -{"iflags":"A","uflags":0,"isn":"58c52fcb","ip_dst_addr":"216.21.170.221","ip_dst_port":80,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 
15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| A| 0| 0| 0|58c52fcb|00000000|000|000| 1| 40| 0| 0| 0|idle ","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":39468,"timestamp":1453994988512,"app":0,"oct":40,"end_reason":"idle ","risn":0,"end_time":1453994988512,"source.type":"yaf","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":"TCP","guid":"this-is-random-uuid-will-be-36-chars"} -{"iflags":"AP","uflags":0,"isn":"58c52fcb","ip_dst_addr":"216.21.170.221","ip_dst_port":80,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| AP| 0| 0| 0|58c52fcb|00000000|000|000| 1| 148| 0| 0| 0|idle ","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":39468,"timestamp":1453994988512,"app":0,"oct":148,"end_reason":"idle ","risn":0,"end_time":1453994988512,"source.type":"yaf","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":"TCP","guid":"this-is-random-uuid-will-be-36-chars"} -{"iflags":"A","uflags":0,"isn":"22efa002","ip_dst_addr":"10.0.2.15","ip_dst_port":39468,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| A| 0| 0| 0|22efa002|00000000|000|000| 1| 40| 0| 0| 0|idle ","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"216.21.170.221","tag":0,"rtag":0,"ip_src_port":80,"timestamp":1453994988512,"app":0,"oct":40,"end_reason":"idle ","risn":0,"end_time":1453994988512,"source.type":"yaf","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":"TCP","guid":"this-is-random-uuid-will-be-36-chars"} -{"iflags":"AP","uflags":0,"isn":"22efa002","ip_dst_addr":"10.0.2.15","ip_dst_port":39468,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.562|2016-01-28 15:29:48.562| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| AP| 0| 0| 
0|22efa002|00000000|000|000| 1| 604| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"216.21.170.221","tag":0,"rtag":0,"ip_src_port":80,"timestamp":1453994988562,"app":0,"oct":604,"end_reason":"idle","risn":0,"end_time":1453994988562,"source.type":"yaf","start_time":1453994988562,"riflags":0,"rtt":"0.000","protocol":"TCP","guid":"this-is-random-uuid-will-be-36-chars"} +{"iflags":"AS","uflags":0,"isn":"22efa001","ip_dst_addr":"10.0.2.15","ip_dst_port":39468,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| AS| 0| 0| 0|22efa001|00000000|000|000| 1| 44| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"216.21.170.221","tag":0,"rtag":0,"ip_src_port":80,"timestamp":1453994988512,"app":0,"oct":44,"end_reason":"idle","risn":0,"end_time":1453994988512,"metron_sensor_type":"yaf","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":"TCP","guid":"this-is-random-uuid-will-be-36-chars"} +{"iflags":"A","uflags":0,"isn":10000000,"ip_dst_addr":"10.0.2.3","ip_dst_port":53,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.502|2016-01-28 15:29:48.502| 0.000| 0.000| 17| 10.0.2.15|37299| 10.0.2.3| 53| A| 0| 0| 0|10000000|00000000|000|000| 1| 56| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":37299,"timestamp":1453994988502,"app":0,"oct":56,"end_reason":"idle","risn":0,"end_time":1453994988502,"metron_sensor_type":"yaf","start_time":1453994988502,"riflags":0,"rtt":"0.000","protocol":"UDP","guid":"this-is-random-uuid-will-be-36-chars"} +{"iflags":"A","uflags":0,"isn":0,"ip_dst_addr":"10.0.2.15","ip_dst_port":37299,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.504|2016-01-28 15:29:48.504| 0.000| 0.000| 17| 10.0.2.3| 53| 10.0.2.15|37299| A| 0| 0| 0|00000000|00000000|000|000| 1| 312| 0| 0| 
0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.3","tag":0,"rtag":0,"ip_src_port":53,"timestamp":1453994988504,"app":0,"oct":312,"end_reason":"idle","risn":0,"end_time":1453994988504,"metron_sensor_type":"yaf","start_time":1453994988504,"riflags":0,"rtt":"0.000","protocol":"UDP","guid":"this-is-random-uuid-will-be-36-chars"} +{"iflags":"A","uflags":0,"isn":0,"ip_dst_addr":"10.0.2.3","ip_dst_port":53,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.504|2016-01-28 15:29:48.504| 0.000| 0.000| 17| 10.0.2.15|56303| 10.0.2.3| 53| A| 0| 0| 0|00000000|00000000|000|000| 1| 56| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":56303,"timestamp":1453994988504,"app":0,"oct":56,"end_reason":"idle","risn":0,"end_time":1453994988504,"metron_sensor_type":"yaf","start_time":1453994988504,"riflags":0,"rtt":"0.000","protocol":"UDP","guid":"this-is-random-uuid-will-be-36-chars"} +{"iflags":"A","uflags":0,"isn":0,"ip_dst_addr":"10.0.2.15","ip_dst_port":56303,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.506|2016-01-28 15:29:48.506| 0.000| 0.000| 17| 10.0.2.3| 53| 10.0.2.15|56303| A| 0| 0| 0|00000000|00000000|000|000| 1| 84| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.3","tag":0,"rtag":0,"ip_src_port":53,"timestamp":1453994988506,"app":0,"oct":84,"end_reason":"idle","risn":0,"end_time":1453994988506,"metron_sensor_type":"yaf","start_time":1453994988506,"riflags":0,"rtt":"0.000","protocol":"UDP","guid":"this-is-random-uuid-will-be-36-chars"} +{"iflags":"S","uflags":0,"isn":"58c52fca","ip_dst_addr":"216.21.170.221","ip_dst_port":80,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.508|2016-01-28 15:29:48.508| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| S| 0| 0| 0|58c52fca|00000000|000|000| 1| 60| 0| 0| 
0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":39468,"timestamp":1453994988508,"app":0,"oct":60,"end_reason":"idle","risn":0,"end_time":1453994988508,"metron_sensor_type":"yaf","start_time":1453994988508,"riflags":0,"rtt":"0.000","protocol":"TCP","guid":"this-is-random-uuid-will-be-36-chars"} +{"iflags":"A","uflags":0,"isn":"58c52fcb","ip_dst_addr":"216.21.170.221","ip_dst_port":80,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| A| 0| 0| 0|58c52fcb|00000000|000|000| 1| 40| 0| 0| 0|idle ","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":39468,"timestamp":1453994988512,"app":0,"oct":40,"end_reason":"idle ","risn":0,"end_time":1453994988512,"metron_sensor_type":"yaf","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":"TCP","guid":"this-is-random-uuid-will-be-36-chars"} +{"iflags":"AP","uflags":0,"isn":"58c52fcb","ip_dst_addr":"216.21.170.221","ip_dst_port":80,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 10.0.2.15|39468| 216.21.170.221| 80| AP| 0| 0| 0|58c52fcb|00000000|000|000| 1| 148| 0| 0| 0|idle ","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"10.0.2.15","tag":0,"rtag":0,"ip_src_port":39468,"timestamp":1453994988512,"app":0,"oct":148,"end_reason":"idle ","risn":0,"end_time":1453994988512,"metron_sensor_type":"yaf","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":"TCP","guid":"this-is-random-uuid-will-be-36-chars"} +{"iflags":"A","uflags":0,"isn":"22efa002","ip_dst_addr":"10.0.2.15","ip_dst_port":39468,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.512|2016-01-28 15:29:48.512| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| A| 0| 0| 0|22efa002|00000000|000|000| 1| 40| 0| 0| 0|idle 
","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"216.21.170.221","tag":0,"rtag":0,"ip_src_port":80,"timestamp":1453994988512,"app":0,"oct":40,"end_reason":"idle ","risn":0,"end_time":1453994988512,"metron_sensor_type":"yaf","start_time":1453994988512,"riflags":0,"rtt":"0.000","protocol":"TCP","guid":"this-is-random-uuid-will-be-36-chars"} +{"iflags":"AP","uflags":0,"isn":"22efa002","ip_dst_addr":"10.0.2.15","ip_dst_port":39468,"duration":"0.000","rpkt":0,"original_string":"2016-01-28 15:29:48.562|2016-01-28 15:29:48.562| 0.000| 0.000| 6| 216.21.170.221| 80| 10.0.2.15|39468| AP| 0| 0| 0|22efa002|00000000|000|000| 1| 604| 0| 0| 0|idle","pkt":1,"ruflags":0,"roct":0,"ip_src_addr":"216.21.170.221","tag":0,"rtag":0,"ip_src_port":80,"timestamp":1453994988562,"app":0,"oct":604,"end_reason":"idle","risn":0,"end_time":1453994988562,"metron_sensor_type":"yaf","start_time":1453994988562,"riflags":0,"rtt":"0.000","protocol":"TCP","guid":"this-is-random-uuid-will-be-36-chars"} diff --git a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bolt/ParserBoltTest.java b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bolt/ParserBoltTest.java index 06f4cecac8..52756cf609 100644 --- a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bolt/ParserBoltTest.java +++ b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bolt/ParserBoltTest.java @@ -17,6 +17,7 @@ */ package org.apache.metron.parsers.bolt; +import static org.apache.metron.common.Constants.SENSOR_TYPE; import static org.mockito.Matchers.any; import static org.mockito.Matchers.eq; import static org.mockito.Mockito.argThat; 
@@ -264,7 +265,7 @@ protected ConfigurationsUpdater createUpdater() { .withErrorFields(new HashSet() {{ add("field"); }}) .addRawMessage(new JSONObject(){{ put("field", "invalidValue"); - put("source.type", "yaf"); + put(SENSOR_TYPE, "yaf"); put("guid", "this-is-unique-identifier-for-tuple"); }}); verify(outputCollector, times(1)).emit(eq(Constants.ERROR_STREAM), argThat(new MetronErrorJSONMatcher(error.getJSONObject()))); @@ -300,8 +301,8 @@ protected ConfigurationsUpdater createUpdater() { add(sampleMessage1); add(sampleMessage2); }}; - final JSONObject finalMessage1 = (JSONObject) jsonParser.parse("{ \"field1\":\"value1\", \"source.type\":\"" + sensorType + "\", \"guid\": \"this-is-unique-identifier-for-tuple\" }"); - final JSONObject finalMessage2 = (JSONObject) jsonParser.parse("{ \"field2\":\"value2\", \"source.type\":\"" + sensorType + "\", \"guid\": \"this-is-unique-identifier-for-tuple\" }"); + final JSONObject finalMessage1 = (JSONObject) jsonParser.parse("{ \"field1\":\"value1\", \"" + SENSOR_TYPE + "\":\"" + sensorType + "\", \"guid\": \"this-is-unique-identifier-for-tuple\" }"); + final JSONObject finalMessage2 = (JSONObject) jsonParser.parse("{ \"field2\":\"value2\", \"" + SENSOR_TYPE + "\":\"" + sensorType + "\", \"guid\": \"this-is-unique-identifier-for-tuple\" }"); when(tuple.getBinary(0)).thenReturn(sampleBinary); when(parser.parseOptional(sampleBinary)).thenReturn(Optional.of(messages)); when(parser.validate(eq(messages.get(0)))).thenReturn(true); diff --git a/metron-platform/metron-parsers/src/test/java/org/apache/metron/writers/integration/SimpleHbaseEnrichmentWriterIntegrationTest.java b/metron-platform/metron-parsers/src/test/java/org/apache/metron/writers/integration/SimpleHbaseEnrichmentWriterIntegrationTest.java index 788df2da67..5f06c8530c 100644 --- a/metron-platform/metron-parsers/src/test/java/org/apache/metron/writers/integration/SimpleHbaseEnrichmentWriterIntegrationTest.java 
+++ b/metron-platform/metron-parsers/src/test/java/org/apache/metron/writers/integration/SimpleHbaseEnrichmentWriterIntegrationTest.java @@ -54,6 +54,8 @@ import java.util.Properties; import java.util.Set; +import static org.apache.metron.common.Constants.SENSOR_TYPE; + public class SimpleHbaseEnrichmentWriterIntegrationTest extends BaseIntegrationTest { /** @@ -170,7 +172,7 @@ public ProcessorResult>> getResult }}; for (LookupKV kv : result.getResult()) { Assert.assertTrue(validIndicators.contains(kv.getKey().indicator)); - Assert.assertEquals(kv.getValue().getMetadata().get("source.type"), "dummy"); + Assert.assertEquals(kv.getValue().getMetadata().get(SENSOR_TYPE), "dummy"); Assert.assertNotNull(kv.getValue().getMetadata().get("timestamp")); Assert.assertNotNull(kv.getValue().getMetadata().get("original_string")); Map metadata = validMetadata.get(kv.getKey().indicator); diff --git a/metron-platform/metron-parsers/src/test/java/org/apache/metron/writers/integration/WriterBoltIntegrationTest.java b/metron-platform/metron-parsers/src/test/java/org/apache/metron/writers/integration/WriterBoltIntegrationTest.java index cecba3ddf0..d57211e6ff 100644 --- a/metron-platform/metron-parsers/src/test/java/org/apache/metron/writers/integration/WriterBoltIntegrationTest.java +++ b/metron-platform/metron-parsers/src/test/java/org/apache/metron/writers/integration/WriterBoltIntegrationTest.java @@ -17,6 +17,7 @@ */ package org.apache.metron.writers.integration; +import static org.apache.metron.common.Constants.SENSOR_TYPE; import static org.hamcrest.CoreMatchers.equalTo; import static org.junit.Assert.assertThat; 
@@ -376,7 +377,7 @@ public void commits_kafka_offsets_for_empty_objects() throws Exception { assertThat("size should match", result.getResult().size(), equalTo(inputMessages.size())); for (JSONObject record : result.getResult()) { assertThat("record should have a guid", record.containsKey("guid"), equalTo(true)); - assertThat("record should have correct source.type", record.get("source.type"), + assertThat(String.format("record should have correct %s", SENSOR_TYPE), record.get(SENSOR_TYPE), equalTo(sensorType)); } } finally { diff --git a/metron-platform/metron-solr/src/main/config/schema/bro/schema.xml b/metron-platform/metron-solr/src/main/config/schema/bro/schema.xml index ea9f6d3ccd..0c54f1dc14 100644 --- a/metron-platform/metron-solr/src/main/config/schema/bro/schema.xml +++ b/metron-platform/metron-solr/src/main/config/schema/bro/schema.xml @@ -33,7 +33,7 @@ - + guid diff --git a/metron-platform/metron-solr/src/main/config/schema/metaalert/schema.xml b/metron-platform/metron-solr/src/main/config/schema/metaalert/schema.xml index 6555bf61d7..906c336355 100644 --- a/metron-platform/metron-solr/src/main/config/schema/metaalert/schema.xml +++ b/metron-platform/metron-solr/src/main/config/schema/metaalert/schema.xml @@ -24,7 +24,7 @@ - + diff --git a/metron-platform/metron-solr/src/main/config/schema/snort/schema.xml b/metron-platform/metron-solr/src/main/config/schema/snort/schema.xml index 84855df399..465d66e7d3 100644 --- a/metron-platform/metron-solr/src/main/config/schema/snort/schema.xml +++ b/metron-platform/metron-solr/src/main/config/schema/snort/schema.xml @@ -21,7 +21,7 @@ - + guid diff --git a/metron-platform/metron-solr/src/main/config/schema/yaf/schema.xml b/metron-platform/metron-solr/src/main/config/schema/yaf/schema.xml index 5555a14fed..5b1898af6d 100644 --- a/metron-platform/metron-solr/src/main/config/schema/yaf/schema.xml +++ b/metron-platform/metron-solr/src/main/config/schema/yaf/schema.xml @@ -21,7 +21,7 @@ - + guid 
diff --git a/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrMetaAlertIntegrationTest.java b/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrMetaAlertIntegrationTest.java index 6687e9af57..dee4bec3e7 100644 --- a/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrMetaAlertIntegrationTest.java +++ b/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrMetaAlertIntegrationTest.java @@ -104,7 +104,7 @@ public static void setupBefore() throws Exception { @Override protected String getDefaultThreatTriageField() { - return THREAT_FIELD_DEFAULT.replace(':', '.'); + return THREAT_FIELD_DEFAULT; } @Override diff --git a/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrRetrieveLatestIntegrationTest.java b/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrRetrieveLatestIntegrationTest.java index f7c2e86a20..7698bc74b2 100644 --- a/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrRetrieveLatestIntegrationTest.java +++ b/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrRetrieveLatestIntegrationTest.java @@ -18,6 +18,7 @@ package org.apache.metron.solr.integration; +import static org.apache.metron.common.Constants.SENSOR_TYPE; import static org.apache.metron.solr.SolrConstants.SOLR_ZOOKEEPER; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNull; @@ -176,7 +177,7 @@ public void testGetAllLatestCollectionOneMissing() throws IOException { protected Document buildExpectedDocument(String sensor, int i) { Map expectedMapOne = new HashMap<>(); - expectedMapOne.put("source.type", sensor); + expectedMapOne.put(SENSOR_TYPE, sensor); expectedMapOne.put(Constants.GUID, buildGuid(sensor, i)); return new Document(expectedMapOne, buildGuid(sensor, i), sensor, 0L); } 
@@ -194,7 +195,7 @@ protected static void addData(String collection, String sensorName) for (int i = 0; i < 3; ++i) { final String name = buildGuid(sensorName, i); HashMap inputMap = new HashMap<>(); - inputMap.put("source.type", sensorName); + inputMap.put(SENSOR_TYPE, sensorName); inputMap.put(Constants.GUID, name); inputData.add(inputMap); } diff --git a/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrSearchIntegrationTest.java b/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrSearchIntegrationTest.java index 4390fd1fc0..3a60bb2a54 100644 --- a/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrSearchIntegrationTest.java +++ b/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrSearchIntegrationTest.java @@ -17,6 +17,7 @@ */ package org.apache.metron.solr.integration; +import static org.apache.metron.common.Constants.SENSOR_TYPE; import static org.apache.metron.solr.SolrConstants.SOLR_ZOOKEEPER; import java.io.IOException; @@ -24,7 +25,6 @@ import java.util.Collections; import java.util.HashMap; import java.util.Map; -import org.apache.metron.common.Constants; import org.apache.metron.common.utils.JSONUtils; import org.apache.metron.indexing.dao.AccessConfig; import org.apache.metron.indexing.dao.IndexDao; @@ -55,8 +55,6 @@ public static void setupClass() throws Exception { indexComponent = startIndex(); dao = createDao(); // The data is all static for searches, so we can set it up here, and not do anything between tests. - broData = SearchIntegrationTest.broData.replace("source:type", "source.type"); - snortData = SearchIntegrationTest.snortData.replace("source:type", "source.type"); solrComponent.addCollection("bro", "../metron-solr/src/main/config/schema/bro"); solrComponent.addCollection("snort", "../metron-solr/src/main/config/schema/snort"); loadTestData(); 
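Review bot: Dropping the two `broData = …` / `snortData = …` assignments in `setupClass` leaves those fields unassigned in this class if they are declared here rather than inherited from `SearchIntegrationTest`, and `loadTestData()` on the next line would then index null payloads. If the intent is that the parent's static fixtures are now used unchanged (no `source:type` → `source.type` rewrite needed once the field is `metron_sensor_type`), a one-line comment such as `// bro/snort fixtures come straight from SearchIntegrationTest; no field-name rewrite needed for Solr` would make that dependency explicit. `setupClass` continues outside the hunk, so the remaining body could not be checked here.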
@@ -115,7 +113,7 @@ public void returns_column_metadata_for_specified_indices() throws Exception { // Fields present in both with same type Assert.assertEquals(FieldType.TEXT, fieldTypes.get("guid")); - Assert.assertEquals(FieldType.TEXT, fieldTypes.get("source.type")); + Assert.assertEquals(FieldType.TEXT, fieldTypes.get(SENSOR_TYPE)); Assert.assertEquals(FieldType.IP, fieldTypes.get("ip_src_addr")); Assert.assertEquals(FieldType.INTEGER, fieldTypes.get("ip_src_port")); Assert.assertEquals(FieldType.BOOLEAN, fieldTypes.get("is_alert")); @@ -147,11 +145,11 @@ public void returns_column_metadata_for_specified_indices() throws Exception { // getColumnMetadata with only snort { Map fieldTypes = dao.getColumnMetadata(Collections.singletonList("snort")); - Assert.assertEquals(33, fieldTypes.size()); + Assert.assertEquals(35, fieldTypes.size()); // Fields present in both with same type Assert.assertEquals(FieldType.TEXT, fieldTypes.get("guid")); - Assert.assertEquals(FieldType.TEXT, fieldTypes.get("source.type")); + Assert.assertEquals(FieldType.TEXT, fieldTypes.get(SENSOR_TYPE)); Assert.assertEquals(FieldType.IP, fieldTypes.get("ip_src_addr")); Assert.assertEquals(FieldType.INTEGER, fieldTypes.get("ip_src_port")); Assert.assertEquals(FieldType.BOOLEAN, fieldTypes.get("is_alert")); 
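Review bot: The expected field count in the `// getColumnMetadata with only snort` block changes from `33` to `35` without saying which fields account for the difference, so the next schema change will leave a reader guessing again. The assertions added further down for `threat.triage.rules.snort_field.name` and `threat.triage.rules.snort_field.reason` look like the two extra fields; a comment on the assertion, e.g. `// 33 schema fields + 2 threat.triage.rules.* dynamic fields indexed for snort`, would record that. If the count reflects something else, the comment should name it instead.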
@@ -162,9 +160,14 @@ public void returns_column_metadata_for_specified_indices() throws Exception { // A dynamic field present in both with same type Assert.assertEquals(FieldType.FLOAT, fieldTypes.get("score")); - // Dyanamic field present in both with nonstandard types. + // Dynamic field present in both with nonstandard types. Assert.assertEquals(FieldType.OTHER, fieldTypes.get("location_point")); + // Dynamic fields only present in snort + Assert.assertEquals(FieldType.FLOAT, fieldTypes.get("threat.triage.score")); + Assert.assertEquals(FieldType.TEXT, fieldTypes.get("threat.triage.rules.snort_field.name")); + Assert.assertEquals(FieldType.TEXT, fieldTypes.get("threat.triage.rules.snort_field.reason")); + // Field with nonstandard type Assert.assertEquals(FieldType.OTHER, fieldTypes.get("timestamp")); @@ -190,7 +193,7 @@ public void returns_column_data_for_multiple_indices() throws Exception { // Fields present in both with same type Assert.assertEquals(FieldType.TEXT, fieldTypes.get("guid")); - Assert.assertEquals(FieldType.TEXT, fieldTypes.get("source.type")); + Assert.assertEquals(FieldType.TEXT, fieldTypes.get(SENSOR_TYPE)); Assert.assertEquals(FieldType.IP, fieldTypes.get("ip_src_addr")); Assert.assertEquals(FieldType.INTEGER, fieldTypes.get("ip_src_port")); Assert.assertEquals(FieldType.BOOLEAN, fieldTypes.get("is_alert")); @@ -232,7 +235,7 @@ public void different_type_filter_query() throws Exception { @Override protected String getSourceTypeField() { - return Constants.SENSOR_TYPE; + return SENSOR_TYPE; } @Override diff --git a/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrUpdateIntegrationTest.java b/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrUpdateIntegrationTest.java index 5b965590c7..8936145c3c 100644 --- a/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrUpdateIntegrationTest.java 
+++ b/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrUpdateIntegrationTest.java @@ -17,6 +17,7 @@ */ package org.apache.metron.solr.integration; +import static org.apache.metron.common.Constants.SENSOR_TYPE; import static org.apache.metron.solr.SolrConstants.SOLR_ZOOKEEPER; import static org.junit.Assert.assertEquals; @@ -140,7 +141,7 @@ protected List> getIndexedTestData(String indexName, String public void suppress_expanded_fields() throws Exception { Map fields = new HashMap<>(); fields.put("guid", "bro_1"); - fields.put("source.type", SENSOR_NAME); + fields.put(SENSOR_TYPE, SENSOR_NAME); fields.put("ip_src_port", 8010); fields.put("long_field", 10000); fields.put("latitude", 48.5839); diff --git a/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/components/SolrComponent.java b/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/components/SolrComponent.java index 4bc9f8a469..e8967f47b7 100644 --- a/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/components/SolrComponent.java +++ b/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/components/SolrComponent.java @@ -47,6 +47,8 @@ import org.apache.solr.common.SolrInputDocument; import org.apache.zookeeper.KeeperException; +import static org.apache.metron.common.Constants.SENSOR_TYPE; + public class SolrComponent implements InMemoryComponent { public static class Builder { 
@@ -173,8 +175,8 @@ public List> getAllIndexedDocs(String collection) { // If it's metaalert, we need to adjust the query. We want child docs with the parent, // not separate. if (collection.equals("metaalert")) { - parameters.setQuery("source.type:metaalert") - .setFields("*", "[child parentFilter=source.type:metaalert limit=999]"); + parameters.setQuery(String.format("%s:metaalert", SENSOR_TYPE)) + .setFields("*", String.format("[child parentFilter=%s:metaalert limit=999]", SENSOR_TYPE)); } else { parameters.set("q", "*:*"); } diff --git a/metron-platform/metron-solr/src/test/resources/config/test/conf/managed-schema b/metron-platform/metron-solr/src/test/resources/config/test/conf/managed-schema index 8340a360c4..6ebcd51ceb 100644 --- a/metron-platform/metron-solr/src/test/resources/config/test/conf/managed-schema +++ b/metron-platform/metron-solr/src/test/resources/config/test/conf/managed-schema @@ -35,12 +35,12 @@ - + - + diff --git a/metron-platform/metron-test-utilities/src/main/java/org/apache/metron/test/bolt/BaseEnrichmentBoltTest.java b/metron-platform/metron-test-utilities/src/main/java/org/apache/metron/test/bolt/BaseEnrichmentBoltTest.java index f270d97c05..ccee4c360d 100644 --- a/metron-platform/metron-test-utilities/src/main/java/org/apache/metron/test/bolt/BaseEnrichmentBoltTest.java +++ b/metron-platform/metron-test-utilities/src/main/java/org/apache/metron/test/bolt/BaseEnrichmentBoltTest.java @@ -40,7 +40,7 @@ public class BaseEnrichmentBoltTest extends BaseBoltTest { * { * "ip_src_addr": "ip1", * "ip_dst_addr": "ip2", - * "source.type": "test" + * "metron_sensor_type": "test" * } */ @Multiline @@ -50,7 +50,7 @@ public class BaseEnrichmentBoltTest extends BaseBoltTest { * { * "enrichments.geo.ip_src_addr": "ip1", * "enrichments.geo.ip_dst_addr": "ip2", - * "source.type": "test" + * "metron_sensor_type": "test" * } */ @Multiline 
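Review bot: The `@Multiline` JSON fixtures in `BaseEnrichmentBoltTest` now hard-code the literal `"metron_sensor_type"` (the two hunks here and the `@@ -60` and `@@ -70` hunks that follow), while the rest of this commit switches to the `Constants.SENSOR_TYPE` static import; because the value lives in Javadoc text it cannot reference the constant and will silently drift if the constant is renamed again. A note on the first fixture such as `* NOTE: the sensor-type key below must match Constants.SENSOR_TYPE; @Multiline text cannot reference the constant` would point maintainers at the coupling. The test class starts and ends outside these hunks.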
@@ -60,7 +60,7 @@ public class BaseEnrichmentBoltTest extends BaseBoltTest { * { * "enrichments.host.ip_src_addr": "ip1", * "enrichments.host.ip_dst_addr": "ip2", - * "source.type": "test" + * "metron_sensor_type": "test" * } */ @Multiline @@ -70,7 +70,7 @@ public class BaseEnrichmentBoltTest extends BaseBoltTest { * { * "enrichments.hbaseEnrichment.ip_src_addr": "ip1", * "enrichments.hbaseEnrichment.ip_dst_addr": "ip2", - * "source.type": "test" + * "metron_sensor_type": "test" * } */ @Multiline From d3befc1c5cb0fdccb7577956ecc5ae2b1ba0b62f Mon Sep 17 00:00:00 2001 From: merrimanr Date: Fri, 31 Aug 2018 16:13:49 -0500 Subject: [PATCH 2/6] removed unnecessary steps to enable solr --- metron-platform/metron-solr/README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/metron-platform/metron-solr/README.md b/metron-platform/metron-solr/README.md index ca90c73a99..b49623ace2 100644 --- a/metron-platform/metron-solr/README.md +++ b/metron-platform/metron-solr/README.md @@ -103,8 +103,6 @@ Elasticsearch is the real-time store used by default in Metron. Solr can be ena 1. Stop the Metron Indexing component in Ambari. 1. Update Ambari UI -> Services -> Metron -> Configs -> Index Settings -> Solr Zookeeper Urls to match the Solr installation described in the previous section. 1. Change Ambari UI -> Services -> Metron -> Configs -> Indexing -> Index Writer - Random Access -> Random Access Search Engine to `Solr`. -1. Set the `source.type.field` property to `source.type` in the [Global Configuration](../metron-common#global-configuration). -1. Set the `threat.triage.score.field` property to `threat.triage.score` in the [Global Configuration](../metron-common#global-configuration). 1. Start the Metron Indexing component in Ambari. 1. Restart Metron REST and the Alerts UI in Ambari. From a35296b430bf43f5cff8eda842cf2d1d393896e2 Mon Sep 17 00:00:00 2001 
From: merrimanr Date: Fri, 31 Aug 2018 17:34:01 -0500 Subject: [PATCH 3/6] cleaned up commented code and removed some unnecessary methods --- .../metron/rest/service/impl/SearchServiceImpl.java | 5 ++--- .../elasticsearch/dao/ElasticsearchMetaAlertDao.java | 12 ------------ .../indexing/dao/metaalert/MetaAlertConfig.java | 12 ++++-------- .../lucene/AbstractLuceneMetaAlertUpdateDaoTest.java | 10 ---------- .../org/apache/metron/solr/dao/SolrMetaAlertDao.java | 9 --------- .../integration/SolrMetaAlertIntegrationTest.java | 10 ---------- 6 files changed, 6 insertions(+), 52 deletions(-) diff --git a/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/service/impl/SearchServiceImpl.java b/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/service/impl/SearchServiceImpl.java index c2192d9ab0..92f10ccb8d 100644 --- a/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/service/impl/SearchServiceImpl.java +++ b/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/service/impl/SearchServiceImpl.java @@ -144,13 +144,12 @@ private List getDefaultIndices() throws RestException { @SuppressWarnings("unchecked") public List getDefaultFacetFields() throws RestException { - //Optional alertUserSettings = alertsUIService.getAlertsUIUserSettings(); - Optional alertUserSettings = Optional.empty(); + Optional alertUserSettings = alertsUIService.getAlertsUIUserSettings(); if (!alertUserSettings.isPresent() || alertUserSettings.get().getFacetFields() == null) { String facetFieldsProperty = environment .getProperty(SEARCH_FACET_FIELDS_SPRING_PROPERTY, String.class, ""); String sourceTypeField = ConfigurationsUtils.getFieldName(globalConfigService.get(), SENSOR_TYPE_FIELD_PROPERTY, - Constants.SENSOR_TYPE.replace('.', ':')); + Constants.SENSOR_TYPE); List facetFields = new ArrayList<>(); facetFields.add(sourceTypeField); if (facetFieldsProperty != null) { 
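Review bot: The lookup `ConfigurationsUtils.getFieldName(globalConfigService.get(), SENSOR_TYPE_FIELD_PROPERTY, Constants.SENSOR_TYPE)` now duplicates, property and default included, what `MetaAlertConfig.getSourceTypeField()` does in the MetaAlertConfig hunk of this same commit, so the two can disagree again the next time the default moves; one shared helper called from both places would keep them in step. The user-settings branch also calls `alertUserSettings.get()` right after `isPresent()`; `Optional` chaining reads the same without the unchecked get, e.g. `boolean useDefaults = !alertsUIService.getAlertsUIUserSettings().map(s -> s.getFacetFields()).isPresent();`. Re-enabling `getAlertsUIUserSettings()` means the default facet fields now vary per authenticated user, which deserves a sentence in the method's Javadoc given that the call was previously stubbed out. The method body continues past the hunk.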
diff --git a/metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchMetaAlertDao.java b/metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchMetaAlertDao.java index 73ece97277..aa8bcfbf23 100644 --- a/metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchMetaAlertDao.java +++ b/metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchMetaAlertDao.java @@ -18,7 +18,6 @@ package org.apache.metron.elasticsearch.dao; -import org.apache.metron.common.Constants; import org.apache.metron.indexing.dao.AccessConfig; import org.apache.metron.indexing.dao.IndexDao; import org.apache.metron.indexing.dao.MultiIndexDao; @@ -51,9 +50,7 @@ public class ElasticsearchMetaAlertDao implements MetaAlertDao { - public static final String THREAT_TRIAGE_FIELD = MetaAlertConstants.THREAT_FIELD_DEFAULT; public static final String METAALERTS_INDEX = "metaalert_index"; - public static final String SOURCE_TYPE_FIELD = Constants.SENSOR_TYPE.replace('.', ':'); protected String metaAlertsIndex = METAALERTS_INDEX; protected String threatSort = MetaAlertConstants.THREAT_SORT_DEFAULT; @@ -132,15 +129,6 @@ public void init(IndexDao indexDao, Optional threatSort) { this.threatSort, globalConfigSupplier ) { - @Override - protected String getDefaultThreatTriageField() { - return THREAT_TRIAGE_FIELD; - } - - @Override - protected String getDefaultSourceTypeField() { - return SOURCE_TYPE_FIELD; - } }; this.metaAlertSearchDao = new ElasticsearchMetaAlertSearchDao( diff --git a/metron-platform/metron-indexing/src/main/java/org/apache/metron/indexing/dao/metaalert/MetaAlertConfig.java b/metron-platform/metron-indexing/src/main/java/org/apache/metron/indexing/dao/metaalert/MetaAlertConfig.java index b538bc2d87..fdc761e783 100644 
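Review bot: `THREAT_TRIAGE_FIELD` and `SOURCE_TYPE_FIELD` were `public static final` members of ElasticsearchMetaAlertDao, so deleting them is a source- and binary-incompatible change for anything outside this module that referenced them; patch 5 of this series had to repair exactly such a reference in ElasticsearchMetaAlertIntegrationTest. If the DAO is part of the supported surface, keeping a deprecated alias for one release, `@Deprecated public static final String SOURCE_TYPE_FIELD = Constants.SENSOR_TYPE;`, and recording the removal in the changelog is the usual path; if the constants were internal-only, the commit message should say so. The rest of the class is outside the hunk.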
--- a/metron-platform/metron-indexing/src/main/java/org/apache/metron/indexing/dao/metaalert/MetaAlertConfig.java +++ b/metron-platform/metron-indexing/src/main/java/org/apache/metron/indexing/dao/metaalert/MetaAlertConfig.java @@ -55,13 +55,11 @@ public void setMetaAlertIndex(String metaAlertIndex) { public String getThreatTriageField() { Optional> globalConfig = Optional.ofNullable(globalConfigSupplier.get()); if(!globalConfig.isPresent()) { - return getDefaultThreatTriageField(); + return MetaAlertConstants.THREAT_FIELD_DEFAULT; } - return ConfigurationsUtils.getFieldName(globalConfig.get(), Constants.THREAT_SCORE_FIELD_PROPERTY, getDefaultThreatTriageField()); + return ConfigurationsUtils.getFieldName(globalConfig.get(), Constants.THREAT_SCORE_FIELD_PROPERTY, MetaAlertConstants.THREAT_FIELD_DEFAULT); } - protected abstract String getDefaultThreatTriageField(); - public String getThreatSort() { return threatSort; } @@ -73,11 +71,9 @@ public void setThreatSort(String threatSort) { public String getSourceTypeField() { Optional> globalConfig = Optional.ofNullable(globalConfigSupplier.get()); if(!globalConfig.isPresent()) { - return getDefaultSourceTypeField(); + return Constants.SENSOR_TYPE; } - return ConfigurationsUtils.getFieldName(globalConfig.get(), Constants.SENSOR_TYPE_FIELD_PROPERTY, getDefaultSourceTypeField()); + return ConfigurationsUtils.getFieldName(globalConfig.get(), Constants.SENSOR_TYPE_FIELD_PROPERTY, Constants.SENSOR_TYPE); } - protected abstract String getDefaultSourceTypeField(); - } diff --git a/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/lucene/AbstractLuceneMetaAlertUpdateDaoTest.java b/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/lucene/AbstractLuceneMetaAlertUpdateDaoTest.java index 5a706367b4..28954905a1 100644 --- a/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/lucene/AbstractLuceneMetaAlertUpdateDaoTest.java 
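Review bot: With `getDefaultThreatTriageField()` and `getDefaultSourceTypeField()` removed, MetaAlertConfig appears to have no abstract members left, yet every construction site in this series still creates an empty anonymous subclass `new MetaAlertConfig(...) { }` — in ElasticsearchMetaAlertDao.init, AbstractLuceneMetaAlertUpdateDaoTest.setup, SolrMetaAlertDao.init and SolrMetaAlertIntegrationTest.setupBefore. If the class is still declared `abstract`, the follow-up is to make it concrete and drop the `{ }` bodies, which in the non-static call sites also removes the hidden enclosing-instance reference an anonymous class carries. Separately, both getters test `isPresent()` and then call `get()`; `return Optional.ofNullable(globalConfigSupplier.get()).map(c -> ConfigurationsUtils.getFieldName(c, Constants.SENSOR_TYPE_FIELD_PROPERTY, Constants.SENSOR_TYPE)).orElse(Constants.SENSOR_TYPE);` expresses the same lookup in one statement, equivalent unless `getFieldName` can return null. The class declaration itself is outside the hunk.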
+++ b/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/lucene/AbstractLuceneMetaAlertUpdateDaoTest.java @@ -97,16 +97,6 @@ public void setup() { , Constants.THREAT_SCORE_FIELD_PROPERTY, THREAT_FIELD_DEFAULT ) ) { - - @Override - protected String getDefaultThreatTriageField() { - return THREAT_FIELD_DEFAULT.replace(':', '.'); - } - - @Override - protected String getDefaultSourceTypeField() { - return Constants.SENSOR_TYPE; - } }; private static Map documents = new HashMap<>(); diff --git a/metron-platform/metron-solr/src/main/java/org/apache/metron/solr/dao/SolrMetaAlertDao.java b/metron-platform/metron-solr/src/main/java/org/apache/metron/solr/dao/SolrMetaAlertDao.java index 4748315bf3..ed54b1e74b 100644 --- a/metron-platform/metron-solr/src/main/java/org/apache/metron/solr/dao/SolrMetaAlertDao.java +++ b/metron-platform/metron-solr/src/main/java/org/apache/metron/solr/dao/SolrMetaAlertDao.java @@ -134,15 +134,6 @@ public void init(IndexDao indexDao, Optional threatSort) { this.threatSort, globalConfigSupplier ) { - @Override - protected String getDefaultThreatTriageField() { - return MetaAlertConstants.THREAT_FIELD_DEFAULT.replace(':', '.'); - } - - @Override - protected String getDefaultSourceTypeField() { - return Constants.SENSOR_TYPE; - } }; SolrClient solrClient = solrDao.getSolrClient(solrDao.getZkHosts()); diff --git a/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrMetaAlertIntegrationTest.java b/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrMetaAlertIntegrationTest.java index dee4bec3e7..dff2d380f0 100644 --- a/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrMetaAlertIntegrationTest.java +++ b/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrMetaAlertIntegrationTest.java 
@@ -101,16 +101,6 @@ public static void setupBefore() throws Exception { , Constants.THREAT_SCORE_FIELD_PROPERTY, THREAT_FIELD_DEFAULT ) ) { - - @Override - protected String getDefaultThreatTriageField() { - return THREAT_FIELD_DEFAULT; - } - - @Override - protected String getDefaultSourceTypeField() { - return Constants.SENSOR_TYPE; - } }; From 54261227dabc3964402a9b29b03e117c2388f0b0 Mon Sep 17 00:00:00 2001 From: merrimanr Date: Tue, 4 Sep 2018 08:59:47 -0500 Subject: [PATCH 4/6] fixed rest tests --- .../SearchControllerIntegrationTest.java | 59 ++++++++++--------- .../UpdateControllerIntegrationTest.java | 9 +-- .../service/impl/SearchServiceImplTest.java | 5 +- 3 files changed, 38 insertions(+), 35 deletions(-) diff --git a/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/controller/SearchControllerIntegrationTest.java b/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/controller/SearchControllerIntegrationTest.java index aa7b6cd5ab..697cd4451a 100644 --- a/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/controller/SearchControllerIntegrationTest.java +++ b/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/controller/SearchControllerIntegrationTest.java @@ -17,6 +17,7 @@ */ package org.apache.metron.rest.controller; +import static org.apache.metron.common.Constants.SENSOR_TYPE; import static org.apache.metron.integration.utils.TestUtils.assertEventually; import static org.apache.metron.rest.MetronRestConstants.TEST_PROFILE; import static org.hamcrest.Matchers.hasSize; 
@@ -132,19 +133,19 @@ public void testSearchWithDefaults() throws Exception { .andExpect(status().isOk()) .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8"))) .andExpect(jsonPath("$.total").value(5)) - .andExpect(jsonPath("$.results[0].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[0].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[0].source.timestamp").value(5)) - .andExpect(jsonPath("$.results[1].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[1].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[1].source.timestamp").value(4)) - .andExpect(jsonPath("$.results[2].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[2].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[2].source.timestamp").value(3)) - .andExpect(jsonPath("$.results[3].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[3].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[3].source.timestamp").value(2)) - .andExpect(jsonPath("$.results[4].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[4].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[4].source.timestamp").value(1)) .andExpect(jsonPath("$.facetCounts.*", hasSize(2))) - .andExpect(jsonPath("$.facetCounts.source:type.*", hasSize(1))) - .andExpect(jsonPath("$.facetCounts.source:type['bro']").value(5)) + .andExpect(jsonPath("$.facetCounts." + SENSOR_TYPE + ".*", hasSize(1))) + .andExpect(jsonPath("$.facetCounts." + SENSOR_TYPE + "['bro']").value(5)) .andExpect(jsonPath("$.facetCounts.ip_src_addr.*", hasSize(2))) .andExpect(jsonPath("$.facetCounts.ip_src_addr['192.168.1.1']").value(3)) .andExpect(jsonPath("$.facetCounts.ip_src_addr['192.168.1.2']").value(1)) 
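Review bot: Building JsonPath expressions by concatenation, `"$.results[0].source." + SENSOR_TYPE` and `"$.facetCounts." + SENSOR_TYPE + ".*"`, only works while the constant's value contains no characters JsonPath reads as syntax; the old literal `source:type` was already at the edge of that, and the reason for switching to the constant is that the value may change again. Bracket notation is robust to any value: `jsonPath("$.results[0].source['" + SENSOR_TYPE + "']")` and `jsonPath("$.facetCounts['" + SENSOR_TYPE + "'].*", hasSize(1))`. The same pattern repeats in the -210 and -262 hunks of this file and in the three UpdateControllerIntegrationTest hunks that use `"$." + SENSOR_TYPE`. Each test method's body continues outside its hunk.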
@@ -210,36 +211,36 @@ public void test() throws Exception { .andExpect(status().isOk()) .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8"))) .andExpect(jsonPath("$.total").value(10)) - .andExpect(jsonPath("$.results[0].source.source:type").value("snort")) + .andExpect(jsonPath("$.results[0].source." + SENSOR_TYPE).value("snort")) .andExpect(jsonPath("$.results[0].source.timestamp").value(10)) - .andExpect(jsonPath("$.results[1].source.source:type").value("snort")) + .andExpect(jsonPath("$.results[1].source." + SENSOR_TYPE).value("snort")) .andExpect(jsonPath("$.results[1].source.timestamp").value(9)) - .andExpect(jsonPath("$.results[2].source.source:type").value("snort")) + .andExpect(jsonPath("$.results[2].source." + SENSOR_TYPE).value("snort")) .andExpect(jsonPath("$.results[2].source.timestamp").value(8)) - .andExpect(jsonPath("$.results[3].source.source:type").value("snort")) + .andExpect(jsonPath("$.results[3].source." + SENSOR_TYPE).value("snort")) .andExpect(jsonPath("$.results[3].source.timestamp").value(7)) - .andExpect(jsonPath("$.results[4].source.source:type").value("snort")) + .andExpect(jsonPath("$.results[4].source." + SENSOR_TYPE).value("snort")) .andExpect(jsonPath("$.results[4].source.timestamp").value(6)) - .andExpect(jsonPath("$.results[5].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[5].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[5].source.timestamp").value(5)) - .andExpect(jsonPath("$.results[6].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[6].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[6].source.timestamp").value(4)) - .andExpect(jsonPath("$.results[7].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[7].source." 
+ SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[7].source.timestamp").value(3)) - .andExpect(jsonPath("$.results[8].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[8].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[8].source.timestamp").value(2)) - .andExpect(jsonPath("$.results[9].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[9].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[9].source.timestamp").value(1)); this.mockMvc.perform(post(searchUrl + "/search").with(httpBasic(user, password)).with(csrf()).contentType(MediaType.parseMediaType("application/json;charset=UTF-8")).content(SearchIntegrationTest.filterQuery)) .andExpect(status().isOk()) .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8"))) .andExpect(jsonPath("$.total").value(3)) - .andExpect(jsonPath("$.results[0].source.source:type").value("snort")) + .andExpect(jsonPath("$.results[0].source." + SENSOR_TYPE).value("snort")) .andExpect(jsonPath("$.results[0].source.timestamp").value(9)) - .andExpect(jsonPath("$.results[1].source.source:type").value("snort")) + .andExpect(jsonPath("$.results[1].source." + SENSOR_TYPE).value("snort")) .andExpect(jsonPath("$.results[1].source.timestamp").value(7)) - .andExpect(jsonPath("$.results[2].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[2].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[2].source.timestamp").value(1)); 
@@ -262,26 +263,26 @@ public void test() throws Exception { .andExpect(status().isOk()) .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8"))) .andExpect(jsonPath("$.total").value(10)) - .andExpect(jsonPath("$.results[0].source.source:type").value("snort")) + .andExpect(jsonPath("$.results[0].source." + SENSOR_TYPE).value("snort")) .andExpect(jsonPath("$.results[0].source.timestamp").value(6)) - .andExpect(jsonPath("$.results[1].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[1].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[1].source.timestamp").value(5)) - .andExpect(jsonPath("$.results[2].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[2].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[2].source.timestamp").value(4)); this.mockMvc.perform(post(searchUrl + "/search").with(httpBasic(user, password)).with(csrf()).contentType(MediaType.parseMediaType("application/json;charset=UTF-8")).content(SearchIntegrationTest.indexQuery)) .andExpect(status().isOk()) .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8"))) .andExpect(jsonPath("$.total").value(5)) - .andExpect(jsonPath("$.results[0].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[0].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[0].source.timestamp").value(5)) - .andExpect(jsonPath("$.results[1].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[1].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[1].source.timestamp").value(4)) - .andExpect(jsonPath("$.results[2].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[2].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[2].source.timestamp").value(3)) - .andExpect(jsonPath("$.results[3].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[3].source." 
+ SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[3].source.timestamp").value(2)) - .andExpect(jsonPath("$.results[4].source.source:type").value("bro")) + .andExpect(jsonPath("$.results[4].source." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.results[4].source.timestamp").value(1)); this.mockMvc.perform(post(searchUrl + "/search").with(httpBasic(user, password)).with(csrf()).contentType(MediaType.parseMediaType("application/json;charset=UTF-8")).content(SearchIntegrationTest.exceededMaxResultsQuery)) @@ -373,7 +374,7 @@ private void loadFacetCounts() { sourceTypeCounts.put("bro", 5L); facetCounts.put("ip_src_addr", ipSrcAddrCounts); facetCounts.put("ip_src_port", ipSrcPortCounts); - facetCounts.put("source:type", sourceTypeCounts); + facetCounts.put(SENSOR_TYPE, sourceTypeCounts); InMemoryDao.setFacetCounts(facetCounts); } diff --git a/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/controller/UpdateControllerIntegrationTest.java b/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/controller/UpdateControllerIntegrationTest.java index 6b8d5d36a9..285028d40a 100644 --- a/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/controller/UpdateControllerIntegrationTest.java +++ b/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/controller/UpdateControllerIntegrationTest.java @@ -17,6 +17,7 @@ */ package org.apache.metron.rest.controller; +import static org.apache.metron.common.Constants.SENSOR_TYPE; import static org.apache.metron.rest.MetronRestConstants.TEST_PROFILE; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic; 
@@ -106,7 +107,7 @@ public class UpdateControllerIntegrationTest extends DaoControllerTest { "guid" : "bro_2", "sensorType" : "bro", "replacement" : { - "source:type": "bro", + "metron_sensor_type": "bro", "guid" : "bro_2", "ip_src_addr":"192.168.1.2", "ip_src_port": 8009, @@ -160,7 +161,7 @@ public void test() throws Exception { try { result.andExpect(status().isOk()) .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8"))) - .andExpect(jsonPath("$.source:type").value("bro")) + .andExpect(jsonPath("$." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.guid").value(guid)) .andExpect(jsonPath("$.project").doesNotExist()) .andExpect(jsonPath("$.timestamp").value(2)) @@ -181,7 +182,7 @@ public void test() throws Exception { this.mockMvc.perform(post(searchUrl + "/findOne").with(httpBasic(user, password)).with(csrf()).contentType(MediaType.parseMediaType("application/json;charset=UTF-8")).content(findMessage0)) .andExpect(status().isOk()) .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8"))) - .andExpect(jsonPath("$.source:type").value("bro")) + .andExpect(jsonPath("$." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.guid").value(guid)) .andExpect(jsonPath("$.project").value("metron")) .andExpect(jsonPath("$.timestamp").value(2)) @@ -203,7 +204,7 @@ public void test() throws Exception { this.mockMvc.perform(post(searchUrl + "/findOne").with(httpBasic(user, password)).with(csrf()).contentType(MediaType.parseMediaType("application/json;charset=UTF-8")).content(findMessage0)) .andExpect(status().isOk()) .andExpect(content().contentType(MediaType.parseMediaType("application/json;charset=UTF-8"))) - .andExpect(jsonPath("$.source:type").value("bro")) + .andExpect(jsonPath("$." + SENSOR_TYPE).value("bro")) .andExpect(jsonPath("$.guid").value(guid)) .andExpect(jsonPath("$.project").doesNotExist()) .andExpect(jsonPath("$.timestamp").value(200)) 
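Review bot: The replacement fixture now spells the field as the literal `"metron_sensor_type": "bro"` while the assertions further down derive the same name from `SENSOR_TYPE`; the two will silently diverge the next time the constant changes, and the test would then fail for a reason unrelated to the update path it covers. If the fixture is a `@Multiline` Javadoc block like those in BaseEnrichmentBoltTest (patch 1) it cannot reference the constant, so either a comment on the field, `// must match Constants.SENSOR_TYPE`, or a guard at the top of `test()` such as `assertEquals("metron_sensor_type", SENSOR_TYPE);` would make the coupling fail loudly rather than quietly. The fixture's enclosing declaration starts outside the hunk.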
diff --git a/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/service/impl/SearchServiceImplTest.java b/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/service/impl/SearchServiceImplTest.java index 82e7221ad0..86b5d729b4 100644 --- a/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/service/impl/SearchServiceImplTest.java +++ b/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/service/impl/SearchServiceImplTest.java @@ -17,6 +17,7 @@ */ package org.apache.metron.rest.service.impl; +import static org.apache.metron.common.Constants.SENSOR_TYPE; import static org.apache.metron.common.Constants.SENSOR_TYPE_FIELD_PROPERTY; import static org.apache.metron.rest.MetronRestConstants.INDEX_WRITER_NAME; import static org.apache.metron.rest.MetronRestConstants.SEARCH_FACET_FIELDS_SPRING_PROPERTY; @@ -119,7 +120,7 @@ public void searchShouldProperlySearchDefaultFacetFields() throws Exception { SearchRequest expectedSearchRequest = new SearchRequest(); expectedSearchRequest.setIndices(Arrays.asList("bro", "snort", "metaalert")); - expectedSearchRequest.setFacetFields(Arrays.asList("source:type", "ip_src_addr", "ip_dst_addr")); + expectedSearchRequest.setFacetFields(Arrays.asList(SENSOR_TYPE, "ip_src_addr", "ip_dst_addr")); verify(dao).search(eq(expectedSearchRequest)); } @@ -206,7 +207,7 @@ public void testGetDefaultFacetFieldsEmptyGlobalConfig() throws RestException { List defaultFields = searchService.getDefaultFacetFields(); List expectedFields = new ArrayList<>(); - expectedFields.add("source:type"); + expectedFields.add(SENSOR_TYPE); expectedFields.add("ip_src_addr"); assertEquals(expectedFields, defaultFields); From 9a7080137a455fbe4bf8085c8f639413bae64899 Mon Sep 17 00:00:00 2001 
From: merrimanr Date: Tue, 4 Sep 2018 10:37:58 -0500 Subject: [PATCH 5/6] fixed compile error --- .../integration/ElasticsearchMetaAlertIntegrationTest.java | 5 ----- .../indexing/dao/metaalert/MetaAlertIntegrationTest.java | 4 +--- .../solr/integration/SolrMetaAlertIntegrationTest.java | 5 ----- 3 files changed, 1 insertion(+), 13 deletions(-) diff --git a/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchMetaAlertIntegrationTest.java b/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchMetaAlertIntegrationTest.java index 3faa34a648..f7cc142b5d 100644 --- a/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchMetaAlertIntegrationTest.java +++ b/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchMetaAlertIntegrationTest.java @@ -356,11 +356,6 @@ protected String getMetaAlertIndex() { return METAALERTS_INDEX; } - @Override - protected String getSourceTypeField() { - return ElasticsearchMetaAlertDao.SOURCE_TYPE_FIELD; - } - @Override protected void setEmptiedMetaAlertField(Map docMap) { docMap.put(METAALERT_FIELD, new ArrayList<>()); diff --git a/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/MetaAlertIntegrationTest.java b/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/MetaAlertIntegrationTest.java index 94c6170732..b7fcc8a968 100644 --- a/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/MetaAlertIntegrationTest.java +++ b/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/MetaAlertIntegrationTest.java 
@@ -1014,7 +1014,7 @@ protected Map buildMetaAlert(String guid, MetaAlertStatus status Optional>> alerts) { Map metaAlert = new HashMap<>(); metaAlert.put(Constants.GUID, guid); - metaAlert.put(getSourceTypeField(), METAALERT_TYPE); + metaAlert.put(SENSOR_TYPE, METAALERT_TYPE); metaAlert.put(STATUS_FIELD, status.getStatusString()); metaAlert.put(getThreatTriageField(), 100.0d); if (alerts.isPresent()) { @@ -1045,8 +1045,6 @@ protected String getTestIndexFullName() { protected abstract String getMetaAlertIndex(); - protected abstract String getSourceTypeField(); - protected String getThreatTriageField() { return THREAT_FIELD_DEFAULT; } diff --git a/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrMetaAlertIntegrationTest.java b/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrMetaAlertIntegrationTest.java index dff2d380f0..99c4443234 100644 --- a/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrMetaAlertIntegrationTest.java +++ b/metron-platform/metron-solr/src/test/java/org/apache/metron/solr/integration/SolrMetaAlertIntegrationTest.java @@ -368,11 +368,6 @@ protected String getMetaAlertIndex() { return METAALERTS_COLLECTION; } - @Override - protected String getSourceTypeField() { - return Constants.SENSOR_TYPE; - } - @Override protected void commit() throws IOException { try { From 0eab2df85aa4373e858406cec158278212e4fa26 Mon Sep 17 00:00:00 2001 From: merrimanr Date: Tue, 4 Sep 2018 11:15:42 -0500 Subject: [PATCH 6/6] fixed compile error --- .../metaalert/MetaAlertIntegrationTest.java | 20 ++++++++----------- 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/MetaAlertIntegrationTest.java b/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/MetaAlertIntegrationTest.java index b7fcc8a968..6d3820a4c9 100644 
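Review bot: `metaAlert.put(SENSOR_TYPE, METAALERT_TYPE)` replaces the overridable `getSourceTypeField()`, so the integration tests now only ever write the default field name, while `MetaAlertConfig.getSourceTypeField()` (patch 3) still honours `Constants.SENSOR_TYPE_FIELD_PROPERTY` from the global config; no test in this series appears to exercise a configured override any more. The same coverage loss applies to the patch 6 hunks that replace `getThreatTriageField()` with `THREAT_FIELD_DEFAULT`, since `MetaAlertConfig.getThreatTriageField()` still reads `Constants.THREAT_SCORE_FIELD_PROPERTY`. If the override paths are kept on purpose, one test that sets the property and asserts the renamed field is read back would close the gap; if they are meant to go, the config lookups should be removed together with the hooks. `buildMetaAlert` continues outside the hunk.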
--- a/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/MetaAlertIntegrationTest.java +++ b/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/metaalert/MetaAlertIntegrationTest.java @@ -219,7 +219,7 @@ public void shouldSortByThreatTriageScore() throws Exception { // Test descending SortField sf = new SortField(); - sf.setField(getThreatTriageField()); + sf.setField(THREAT_FIELD_DEFAULT); sf.setSortOrder(SortOrder.DESC.getSortOrder()); SearchRequest sr = new SearchRequest(); sr.setQuery("*:*"); @@ -235,7 +235,7 @@ public void shouldSortByThreatTriageScore() throws Exception { // Test ascending SortField sfAsc = new SortField(); - sfAsc.setField(getThreatTriageField()); + sfAsc.setField(THREAT_FIELD_DEFAULT); sfAsc.setSortOrder(SortOrder.ASC.getSortOrder()); SearchRequest srAsc = new SearchRequest(); srAsc.setQuery("*:*"); @@ -352,7 +352,7 @@ public void shouldAddAlertsToMetaAlert() throws Exception { expectedMetaAlert.put("max", 2.0d); expectedMetaAlert.put("count", 3); expectedMetaAlert.put("sum", 3.0d); - expectedMetaAlert.put(getThreatTriageField(), 3.0d); + expectedMetaAlert.put(THREAT_FIELD_DEFAULT, 3.0d); { // Verify alerts were successfully added to the meta alert @@ -384,7 +384,7 @@ public void shouldAddAlertsToMetaAlert() throws Exception { expectedMetaAlert.put("max", 3.0d); expectedMetaAlert.put("count", 4); expectedMetaAlert.put("sum", 6.0d); - expectedMetaAlert.put(getThreatTriageField(), 6.0d); + expectedMetaAlert.put(THREAT_FIELD_DEFAULT, 6.0d); Assert.assertTrue(metaDao.addAlertsToMetaAlert("meta_alert", Arrays .asList(new GetRequest("message_2", SENSOR_NAME), 
@@ -434,7 +434,7 @@ public void shouldRemoveAlertsFromMetaAlert() throws Exception { expectedMetaAlert.put("max", 3.0d); expectedMetaAlert.put("count", 2); expectedMetaAlert.put("sum", 5.0d); - expectedMetaAlert.put(getThreatTriageField(), 5.0d); + expectedMetaAlert.put(THREAT_FIELD_DEFAULT, 5.0d); { // Verify a list of alerts are removed from a meta alert @@ -465,7 +465,7 @@ public void shouldRemoveAlertsFromMetaAlert() throws Exception { expectedMetaAlert.put("max", 3.0d); expectedMetaAlert.put("count", 1); expectedMetaAlert.put("sum", 3.0d); - expectedMetaAlert.put(getThreatTriageField(), 3.0d); + expectedMetaAlert.put(THREAT_FIELD_DEFAULT, 3.0d); Assert.assertTrue(metaDao.removeAlertsFromMetaAlert("meta_alert", Arrays .asList(new GetRequest("message_0", SENSOR_NAME), @@ -487,7 +487,7 @@ public void shouldRemoveAlertsFromMetaAlert() throws Exception { expectedMetaAlert.put("average", 0.0d); expectedMetaAlert.put("count", 0); expectedMetaAlert.put("sum", 0.0d); - expectedMetaAlert.put(getThreatTriageField(), 0.0d); + expectedMetaAlert.put(THREAT_FIELD_DEFAULT, 0.0d); // Handle the cases with non-finite Double values on a per store basis if (isFiniteDoubleOnly()) { @@ -1016,7 +1016,7 @@ protected Map buildMetaAlert(String guid, MetaAlertStatus status metaAlert.put(Constants.GUID, guid); metaAlert.put(SENSOR_TYPE, METAALERT_TYPE); metaAlert.put(STATUS_FIELD, status.getStatusString()); - metaAlert.put(getThreatTriageField(), 100.0d); + metaAlert.put(THREAT_FIELD_DEFAULT, 100.0d); if (alerts.isPresent()) { List> alertsList = alerts.get(); metaAlert.put(ALERT_FIELD, alertsList); @@ -1045,10 +1045,6 @@ protected String getTestIndexFullName() { protected abstract String getMetaAlertIndex(); - protected String getThreatTriageField() { - return THREAT_FIELD_DEFAULT; - } - // Allow for impls to do any commit they need to do. protected void commit() throws IOException { }