[
    {
        "rulename": "ramnit",
        "if": {
            "malware.name": "ramnit-.*$"
        },
        "then": {
            "classification.identifier": "ramnit"
        }
    },
    {
        "rulename": "default",
        "if": {
            "malware.name": ".*",
            "classification.taxonomy": "malicious code",
            "classification.identifier": ""
        },
        "then": {
            "classification.identifier": "{msg[malware.name]}"
        }
    }
]