You could try
# Step 1: tear the raw syslog line apart positionally. Fields written under
# [@metadata] are working storage only and are not emitted by outputs.
#   <%{syslog_pri}>                         the "<14>" priority prefix
#   %{[@metadata][ts]} %{+[@metadata][ts]}  date token, then the time token
#                                           appended to it (the "+" joins them,
#                                           presumably with the default " ")
#   %{} - %{}|%{}|%{}|%{}|                  five fields captured and discarded
#   %{[@metadata][restOfLine]}              everything after the fifth "|",
#                                           handed to kv below
dissect {
mapping => { "message" => "<%{syslog_pri}>%{[@metadata][ts]} %{+[@metadata][ts]} %{} - %{}|%{}|%{}|%{}|%{[@metadata][restOfLine]}" }
# Drop the raw line once the pattern has matched (common options run only on
# success, so a line that fails to dissect keeps its message for inspection).
remove_field => [ "message" ]
}
# Step 2: turn the rebuilt "YYYY-MM-dd HH:mm:ss,SSS" text into @timestamp.
# NOTE(review): no timezone option is given, so the zone comes from the
# Logstash host - confirm the source emits in that zone or set one explicitly.
date { match => [ "[@metadata][ts]", "YYYY-MM-dd HH:mm:ss,SSS" ] }
# Step 3: parse the "|"-separated key=value tail; surrounding spaces are
# trimmed from each value.
# NOTE(review): field names are taken straight from the input, so a sender
# controls which event fields get created or overwritten; consider restricting
# kv with include_keys / exclude_keys if the feed is not fully trusted.
kv { source => "[@metadata][restOfLine]" field_split => "|" trim_value => " " }
# Step 4: strip quotes and spaces from the two list-valued fields
# (e.g. "['a', 'b']"-style text), then split them on "," into arrays.
mutate { gsub => [ "sourceMacAddresses", "[' ]", "", "sourceIpAddresses", "[' ]", "" ] }
mutate { split => { "sourceMacAddresses" => "," "sourceIpAddresses" => "," } }
which will produce output like
"sourceIpAddresses" => [
[0] "XXX",
[1] "XXX",
[2] "XXX",
[3] "XXX"
],
"accountId" => "472773930102201398",
"syslog_pri" => "14",
"sourceAgentUuid" => "90d77435-6aad-b2e2-61c3-5097e37d1cd0",
"fileName" => "XXX",
"@timestamp" => 2021-10-06T17:23:42.535Z,
"deviceAddress" => "XXX",
"threatMitigatedPreemptively" => "False",
"deviceHostFqdn" => "XXX",
etc.