soc_event=dns_ioc
event_type=(\S+)(?:.*?src_ip=([\d.]+))?
status, srcip

soc_event=correlation
event_type=(\S+)(?:.*?user="([^"]+)")?(?:.*?src_ip=([\d.]+))?
status, srcuser, srcip