Initial commit: KQL ↔ SDL PowerQuery proof of equivalence

marc
2026-06-01 09:57:14 +02:00
commit 23cbaa9c08
91 changed files with 5966 additions and 0 deletions
+445
@@ -0,0 +1,445 @@
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T12:10:05.000Z", "ts_epoch_ms": 1780229405000, "UserPrincipalName": "alice@contoso.com", "Identity": "alice@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.20", "Location": "US", "LocationDetails_country": "US", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T12:50:05.000Z", "ts_epoch_ms": 1780231805000, "UserPrincipalName": "alice@contoso.com", "Identity": "alice@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.21", "Location": "US", "LocationDetails_country": "US", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:30:05.000Z", "ts_epoch_ms": 1780234205000, "UserPrincipalName": "alice@contoso.com", "Identity": "alice@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.22", "Location": "US", "LocationDetails_country": "US", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T12:10:05.000Z", "ts_epoch_ms": 1780229405000, "UserPrincipalName": "alice@contoso.com", "Identity": "alice@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.20", "Location": "US", "LocationDetails_country": "US", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T12:50:05.000Z", "ts_epoch_ms": 1780231805000, "UserPrincipalName": "alice@contoso.com", "Identity": "alice@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.21", "Location": "US", "LocationDetails_country": "US", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:30:05.000Z", "ts_epoch_ms": 1780234205000, "UserPrincipalName": "alice@contoso.com", "Identity": "alice@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.22", "Location": "US", "LocationDetails_country": "US", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T12:15:05.000Z", "ts_epoch_ms": 1780229705000, "UserPrincipalName": "bob@contoso.com", "Identity": "bob@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.30", "Location": "FR", "LocationDetails_country": "FR", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T12:55:05.000Z", "ts_epoch_ms": 1780232105000, "UserPrincipalName": "bob@contoso.com", "Identity": "bob@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.31", "Location": "FR", "LocationDetails_country": "FR", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:35:05.000Z", "ts_epoch_ms": 1780234505000, "UserPrincipalName": "bob@contoso.com", "Identity": "bob@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.32", "Location": "FR", "LocationDetails_country": "FR", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T12:15:05.000Z", "ts_epoch_ms": 1780229705000, "UserPrincipalName": "bob@contoso.com", "Identity": "bob@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.30", "Location": "FR", "LocationDetails_country": "FR", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T12:55:05.000Z", "ts_epoch_ms": 1780232105000, "UserPrincipalName": "bob@contoso.com", "Identity": "bob@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.31", "Location": "FR", "LocationDetails_country": "FR", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:35:05.000Z", "ts_epoch_ms": 1780234505000, "UserPrincipalName": "bob@contoso.com", "Identity": "bob@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.32", "Location": "FR", "LocationDetails_country": "FR", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T12:20:05.000Z", "ts_epoch_ms": 1780230005000, "UserPrincipalName": "carol@contoso.com", "Identity": "carol@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.40", "Location": "GB", "LocationDetails_country": "GB", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:00:05.000Z", "ts_epoch_ms": 1780232405000, "UserPrincipalName": "carol@contoso.com", "Identity": "carol@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.41", "Location": "GB", "LocationDetails_country": "GB", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:40:05.000Z", "ts_epoch_ms": 1780234805000, "UserPrincipalName": "carol@contoso.com", "Identity": "carol@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.42", "Location": "GB", "LocationDetails_country": "GB", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T12:20:05.000Z", "ts_epoch_ms": 1780230005000, "UserPrincipalName": "carol@contoso.com", "Identity": "carol@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.40", "Location": "GB", "LocationDetails_country": "GB", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:00:05.000Z", "ts_epoch_ms": 1780232405000, "UserPrincipalName": "carol@contoso.com", "Identity": "carol@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.41", "Location": "GB", "LocationDetails_country": "GB", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:40:05.000Z", "ts_epoch_ms": 1780234805000, "UserPrincipalName": "carol@contoso.com", "Identity": "carol@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.42", "Location": "GB", "LocationDetails_country": "GB", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T12:25:05.000Z", "ts_epoch_ms": 1780230305000, "UserPrincipalName": "dave@contoso.com", "Identity": "dave@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.50", "Location": "DE", "LocationDetails_country": "DE", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:05:05.000Z", "ts_epoch_ms": 1780232705000, "UserPrincipalName": "dave@contoso.com", "Identity": "dave@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.51", "Location": "DE", "LocationDetails_country": "DE", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:45:05.000Z", "ts_epoch_ms": 1780235105000, "UserPrincipalName": "dave@contoso.com", "Identity": "dave@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.52", "Location": "DE", "LocationDetails_country": "DE", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T12:25:05.000Z", "ts_epoch_ms": 1780230305000, "UserPrincipalName": "dave@contoso.com", "Identity": "dave@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.50", "Location": "DE", "LocationDetails_country": "DE", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:05:05.000Z", "ts_epoch_ms": 1780232705000, "UserPrincipalName": "dave@contoso.com", "Identity": "dave@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.51", "Location": "DE", "LocationDetails_country": "DE", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:45:05.000Z", "ts_epoch_ms": 1780235105000, "UserPrincipalName": "dave@contoso.com", "Identity": "dave@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.52", "Location": "DE", "LocationDetails_country": "DE", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T12:30:05.000Z", "ts_epoch_ms": 1780230605000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.60", "Location": "US", "LocationDetails_country": "US", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:10:05.000Z", "ts_epoch_ms": 1780233005000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.61", "Location": "US", "LocationDetails_country": "US", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:50:05.000Z", "ts_epoch_ms": 1780235405000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 0, "IPAddress": "10.0.0.62", "Location": "US", "LocationDetails_country": "US", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T12:30:05.000Z", "ts_epoch_ms": 1780230605000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.60", "Location": "US", "LocationDetails_country": "US", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:10:05.000Z", "ts_epoch_ms": 1780233005000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.61", "Location": "US", "LocationDetails_country": "US", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T13:50:05.000Z", "ts_epoch_ms": 1780235405000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.62", "Location": "US", "LocationDetails_country": "US", "LocationDetails_state": "HQ", "LocationDetails_city": "HQ", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:11:05.000Z", "ts_epoch_ms": 1780251065000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Azure Portal", "ResultType": 0, "IPAddress": "203.0.113.10", "Location": "BR", "LocationDetails_country": "BR", "LocationDetails_state": "NA", "LocationDetails_city": "NA", "UserAgent": "curl/8.4.0", "DeviceDetail_os": "Linux"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:11:35.000Z", "ts_epoch_ms": 1780251095000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Azure Portal", "ResultType": 0, "IPAddress": "203.0.113.11", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "NA", "UserAgent": "curl/8.4.0", "DeviceDetail_os": "Linux"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:12:05.000Z", "ts_epoch_ms": 1780251125000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Azure Portal", "ResultType": 0, "IPAddress": "203.0.113.12", "Location": "CN", "LocationDetails_country": "CN", "LocationDetails_state": "NA", "LocationDetails_city": "NA", "UserAgent": "curl/8.4.0", "DeviceDetail_os": "Linux"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:12:35.000Z", "ts_epoch_ms": 1780251155000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Azure Portal", "ResultType": 0, "IPAddress": "203.0.113.13", "Location": "IR", "LocationDetails_country": "IR", "LocationDetails_state": "NA", "LocationDetails_city": "NA", "UserAgent": "curl/8.4.0", "DeviceDetail_os": "Linux"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:13:05.000Z", "ts_epoch_ms": 1780251185000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Azure Portal", "ResultType": 0, "IPAddress": "203.0.113.14", "Location": "NG", "LocationDetails_country": "NG", "LocationDetails_state": "NA", "LocationDetails_city": "NA", "UserAgent": "curl/8.4.0", "DeviceDetail_os": "Linux"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:13:35.000Z", "ts_epoch_ms": 1780251215000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Azure Portal", "ResultType": 0, "IPAddress": "203.0.113.15", "Location": "VN", "LocationDetails_country": "VN", "LocationDetails_state": "NA", "LocationDetails_city": "NA", "UserAgent": "curl/8.4.0", "DeviceDetail_os": "Linux"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:14:05.000Z", "ts_epoch_ms": 1780251245000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Azure Portal", "ResultType": 0, "IPAddress": "203.0.113.16", "Location": "TR", "LocationDetails_country": "TR", "LocationDetails_state": "NA", "LocationDetails_city": "NA", "UserAgent": "curl/8.4.0", "DeviceDetail_os": "Linux"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:14:35.000Z", "ts_epoch_ms": 1780251275000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Azure Portal", "ResultType": 0, "IPAddress": "203.0.113.17", "Location": "ID", "LocationDetails_country": "ID", "LocationDetails_state": "NA", "LocationDetails_city": "NA", "UserAgent": "curl/8.4.0", "DeviceDetail_os": "Linux"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:15:05.000Z", "ts_epoch_ms": 1780251305000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Azure Portal", "ResultType": 0, "IPAddress": "203.0.113.18", "Location": "PK", "LocationDetails_country": "PK", "LocationDetails_state": "NA", "LocationDetails_city": "NA", "UserAgent": "curl/8.4.0", "DeviceDetail_os": "Linux"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:15:35.000Z", "ts_epoch_ms": 1780251335000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Azure Portal", "ResultType": 0, "IPAddress": "203.0.113.19", "Location": "AR", "LocationDetails_country": "AR", "LocationDetails_state": "NA", "LocationDetails_city": "NA", "UserAgent": "curl/8.4.0", "DeviceDetail_os": "Linux"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:12:05.000Z", "ts_epoch_ms": 1780251125000, "UserPrincipalName": "alice@contoso.com", "Identity": "alice@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:12:15.000Z", "ts_epoch_ms": 1780251135000, "UserPrincipalName": "alice@contoso.com", "Identity": "alice@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:12:25.000Z", "ts_epoch_ms": 1780251145000, "UserPrincipalName": "alice@contoso.com", "Identity": "alice@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:12:35.000Z", "ts_epoch_ms": 1780251155000, "UserPrincipalName": "alice@contoso.com", "Identity": "alice@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:13:05.000Z", "ts_epoch_ms": 1780251185000, "UserPrincipalName": "bob@contoso.com", "Identity": "bob@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:13:15.000Z", "ts_epoch_ms": 1780251195000, "UserPrincipalName": "bob@contoso.com", "Identity": "bob@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:13:25.000Z", "ts_epoch_ms": 1780251205000, "UserPrincipalName": "bob@contoso.com", "Identity": "bob@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:13:35.000Z", "ts_epoch_ms": 1780251215000, "UserPrincipalName": "bob@contoso.com", "Identity": "bob@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:14:05.000Z", "ts_epoch_ms": 1780251245000, "UserPrincipalName": "carol@contoso.com", "Identity": "carol@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:14:15.000Z", "ts_epoch_ms": 1780251255000, "UserPrincipalName": "carol@contoso.com", "Identity": "carol@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:14:25.000Z", "ts_epoch_ms": 1780251265000, "UserPrincipalName": "carol@contoso.com", "Identity": "carol@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:14:35.000Z", "ts_epoch_ms": 1780251275000, "UserPrincipalName": "carol@contoso.com", "Identity": "carol@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:15:05.000Z", "ts_epoch_ms": 1780251305000, "UserPrincipalName": "dave@contoso.com", "Identity": "dave@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:15:15.000Z", "ts_epoch_ms": 1780251315000, "UserPrincipalName": "dave@contoso.com", "Identity": "dave@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:15:25.000Z", "ts_epoch_ms": 1780251325000, "UserPrincipalName": "dave@contoso.com", "Identity": "dave@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:15:35.000Z", "ts_epoch_ms": 1780251335000, "UserPrincipalName": "dave@contoso.com", "Identity": "dave@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:16:05.000Z", "ts_epoch_ms": 1780251365000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:16:15.000Z", "ts_epoch_ms": 1780251375000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:16:25.000Z", "ts_epoch_ms": 1780251385000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:16:35.000Z", "ts_epoch_ms": 1780251395000, "UserPrincipalName": "eve@contoso.com", "Identity": "eve@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:17:05.000Z", "ts_epoch_ms": 1780251425000, "UserPrincipalName": "frank@contoso.com", "Identity": "frank@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:17:15.000Z", "ts_epoch_ms": 1780251435000, "UserPrincipalName": "frank@contoso.com", "Identity": "frank@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:17:25.000Z", "ts_epoch_ms": 1780251445000, "UserPrincipalName": "frank@contoso.com", "Identity": "frank@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:17:35.000Z", "ts_epoch_ms": 1780251455000, "UserPrincipalName": "frank@contoso.com", "Identity": "frank@contoso.com", "AppDisplayName": "Office 365 Exchange Online", "ResultType": 50126, "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "Location": "RU", "LocationDetails_country": "RU", "LocationDetails_state": "NA", "LocationDetails_city": "Moscow", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:10:35.000Z", "ts_epoch_ms": 1780251035000, "UserPrincipalName": "dave@contoso.com", "Identity": "dave@contoso.com", "AppDisplayName": "Azure Portal", "ResultType": 0, "IPAddress": "203.0.113.99", "Location": "DE", "LocationDetails_country": "DE", "LocationDetails_state": "BE", "LocationDetails_city": "Berlin", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:10:25.000Z", "ts_epoch_ms": 1780251025000, "UserPrincipalName": "bob@contoso.com", "Identity": "bob@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.60", "Location": "FR", "LocationDetails_country": "FR", "LocationDetails_state": "NA", "LocationDetails_city": "NA", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:10:30.000Z", "ts_epoch_ms": 1780251030000, "UserPrincipalName": "bob@contoso.com", "Identity": "bob@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.61", "Location": "DE", "LocationDetails_country": "DE", "LocationDetails_state": "NA", "LocationDetails_city": "NA", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:10:35.000Z", "ts_epoch_ms": 1780251035000, "UserPrincipalName": "bob@contoso.com", "Identity": "bob@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.62", "Location": "IT", "LocationDetails_country": "IT", "LocationDetails_state": "NA", "LocationDetails_city": "NA", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "SigninLogs", "TimeGenerated": "2026-05-31T18:10:40.000Z", "ts_epoch_ms": 1780251040000, "UserPrincipalName": "bob@contoso.com", "Identity": "bob@contoso.com", "AppDisplayName": "Microsoft Teams", "ResultType": 0, "IPAddress": "10.0.0.63", "Location": "ES", "LocationDetails_country": "ES", "LocationDetails_state": "NA", "LocationDetails_city": "NA", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "DeviceDetail_os": "Windows 10"}
{"event_type": "AuditLogs", "TimeGenerated": "2026-05-31T12:10:05.000Z", "ts_epoch_ms": 1780229405000, "OperationName": "Update user", "Category": "UserManagement", "CorrelationId": "base-0", "InitiatedBy_app_displayName": "HR-Sync", "InitiatedBy_app_ipAddress": "10.0.0.5", "InitiatedBy_user_userPrincipalName": null, "InitiatedBy_user_ipAddress": null, "TargetResources_0_userPrincipalName": "alice@contoso.com", "TargetResources_0_displayName": "alice"}
{"event_type": "AuditLogs", "TimeGenerated": "2026-05-31T12:40:05.000Z", "ts_epoch_ms": 1780231205000, "OperationName": "Update user", "Category": "UserManagement", "CorrelationId": "base-1", "InitiatedBy_app_displayName": "HR-Sync", "InitiatedBy_app_ipAddress": "10.0.0.5", "InitiatedBy_user_userPrincipalName": null, "InitiatedBy_user_ipAddress": null, "TargetResources_0_userPrincipalName": "alice@contoso.com", "TargetResources_0_displayName": "alice"}
{"event_type": "AuditLogs", "TimeGenerated": "2026-05-31T13:10:05.000Z", "ts_epoch_ms": 1780233005000, "OperationName": "Update user", "Category": "UserManagement", "CorrelationId": "base-2", "InitiatedBy_app_displayName": "HR-Sync", "InitiatedBy_app_ipAddress": "10.0.0.5", "InitiatedBy_user_userPrincipalName": null, "InitiatedBy_user_ipAddress": null, "TargetResources_0_userPrincipalName": "alice@contoso.com", "TargetResources_0_displayName": "alice"}
{"event_type": "AuditLogs", "TimeGenerated": "2026-05-31T13:40:05.000Z", "ts_epoch_ms": 1780234805000, "OperationName": "Update user", "Category": "UserManagement", "CorrelationId": "base-3", "InitiatedBy_app_displayName": "HR-Sync", "InitiatedBy_app_ipAddress": "10.0.0.5", "InitiatedBy_user_userPrincipalName": null, "InitiatedBy_user_ipAddress": null, "TargetResources_0_userPrincipalName": "alice@contoso.com", "TargetResources_0_displayName": "alice"}
{"event_type": "AuditLogs", "TimeGenerated": "2026-05-31T14:10:05.000Z", "ts_epoch_ms": 1780236605000, "OperationName": "Update user", "Category": "UserManagement", "CorrelationId": "base-4", "InitiatedBy_app_displayName": "HR-Sync", "InitiatedBy_app_ipAddress": "10.0.0.5", "InitiatedBy_user_userPrincipalName": null, "InitiatedBy_user_ipAddress": null, "TargetResources_0_userPrincipalName": "alice@contoso.com", "TargetResources_0_displayName": "alice"}
{"event_type": "AuditLogs", "TimeGenerated": "2026-05-31T14:40:05.000Z", "ts_epoch_ms": 1780238405000, "OperationName": "Update user", "Category": "UserManagement", "CorrelationId": "base-5", "InitiatedBy_app_displayName": "HR-Sync", "InitiatedBy_app_ipAddress": "10.0.0.5", "InitiatedBy_user_userPrincipalName": null, "InitiatedBy_user_ipAddress": null, "TargetResources_0_userPrincipalName": "alice@contoso.com", "TargetResources_0_displayName": "alice"}
{"event_type": "AuditLogs", "TimeGenerated": "2026-05-31T15:10:05.000Z", "ts_epoch_ms": 1780240205000, "OperationName": "Update user", "Category": "UserManagement", "CorrelationId": "base-6", "InitiatedBy_app_displayName": "HR-Sync", "InitiatedBy_app_ipAddress": "10.0.0.5", "InitiatedBy_user_userPrincipalName": null, "InitiatedBy_user_ipAddress": null, "TargetResources_0_userPrincipalName": "alice@contoso.com", "TargetResources_0_displayName": "alice"}
{"event_type": "AuditLogs", "TimeGenerated": "2026-05-31T15:40:05.000Z", "ts_epoch_ms": 1780242005000, "OperationName": "Update user", "Category": "UserManagement", "CorrelationId": "base-7", "InitiatedBy_app_displayName": "HR-Sync", "InitiatedBy_app_ipAddress": "10.0.0.5", "InitiatedBy_user_userPrincipalName": null, "InitiatedBy_user_ipAddress": null, "TargetResources_0_userPrincipalName": "alice@contoso.com", "TargetResources_0_displayName": "alice"}
{"event_type": "AuditLogs", "TimeGenerated": "2026-05-31T16:10:05.000Z", "ts_epoch_ms": 1780243805000, "OperationName": "Update user", "Category": "UserManagement", "CorrelationId": "base-8", "InitiatedBy_app_displayName": "HR-Sync", "InitiatedBy_app_ipAddress": "10.0.0.5", "InitiatedBy_user_userPrincipalName": null, "InitiatedBy_user_ipAddress": null, "TargetResources_0_userPrincipalName": "alice@contoso.com", "TargetResources_0_displayName": "alice"}
{"event_type": "AuditLogs", "TimeGenerated": "2026-05-31T16:40:05.000Z", "ts_epoch_ms": 1780245605000, "OperationName": "Update user", "Category": "UserManagement", "CorrelationId": "base-9", "InitiatedBy_app_displayName": "HR-Sync", "InitiatedBy_app_ipAddress": "10.0.0.5", "InitiatedBy_user_userPrincipalName": null, "InitiatedBy_user_ipAddress": null, "TargetResources_0_userPrincipalName": "alice@contoso.com", "TargetResources_0_displayName": "alice"}
{"event_type": "AuditLogs", "TimeGenerated": "2026-05-31T18:13:05.000Z", "ts_epoch_ms": 1780251185000, "OperationName": "Add service principal", "Category": "ApplicationManagement", "CorrelationId": "corr-priv-esc-1", "InitiatedBy_app_displayName": null, "InitiatedBy_app_ipAddress": null, "InitiatedBy_user_userPrincipalName": "dave@contoso.com", "InitiatedBy_user_ipAddress": "203.0.113.99", "TargetResources_0_userPrincipalName": "svcprincipal@contoso.com", "TargetResources_0_displayName": "SuspiciousApp"}
{"event_type": "AuditLogs", "TimeGenerated": "2026-05-31T18:14:05.000Z", "ts_epoch_ms": 1780251245000, "OperationName": "Consent to application", "Category": "ApplicationManagement", "CorrelationId": "corr-consent-1", "InitiatedBy_app_displayName": null, "InitiatedBy_app_ipAddress": null, "InitiatedBy_user_userPrincipalName": "eve@contoso.com", "InitiatedBy_user_ipAddress": "203.0.113.10", "TargetResources_0_userPrincipalName": "eve@contoso.com", "TargetResources_0_displayName": "MaliciousOAuthApp"}
{"event_type": "AzureActivity", "TimeGenerated": "2026-05-31T18:15:05.000Z", "ts_epoch_ms": 1780251305000, "OperationNameValue": "microsoft.compute/snapshots/write", "ActivityStatusValue": "Success", "CallerIpAddress": "198.51.100.50", "Caller": "attacker@external.com", "CorrelationId": "az-corr-0", "ResourceGroup": "prod-rg", "SubscriptionId": "sub-001"}
{"event_type": "AzureActivity", "TimeGenerated": "2026-05-31T18:15:35.000Z", "ts_epoch_ms": 1780251335000, "OperationNameValue": "microsoft.compute/snapshots/write", "ActivityStatusValue": "Success", "CallerIpAddress": "198.51.100.50", "Caller": "attacker@external.com", "CorrelationId": "az-corr-1", "ResourceGroup": "prod-rg", "SubscriptionId": "sub-001"}
{"event_type": "AzureActivity", "TimeGenerated": "2026-05-31T18:16:05.000Z", "ts_epoch_ms": 1780251365000, "OperationNameValue": "microsoft.compute/snapshots/write", "ActivityStatusValue": "Success", "CallerIpAddress": "198.51.100.50", "Caller": "attacker@external.com", "CorrelationId": "az-corr-2", "ResourceGroup": "prod-rg", "SubscriptionId": "sub-001"}
{"event_type": "AzureActivity", "TimeGenerated": "2026-05-31T18:16:35.000Z", "ts_epoch_ms": 1780251395000, "OperationNameValue": "microsoft.compute/snapshots/write", "ActivityStatusValue": "Success", "CallerIpAddress": "198.51.100.50", "Caller": "attacker@external.com", "CorrelationId": "az-corr-3", "ResourceGroup": "prod-rg", "SubscriptionId": "sub-001"}
{"event_type": "AzureActivity", "TimeGenerated": "2026-05-31T18:17:05.000Z", "ts_epoch_ms": 1780251425000, "OperationNameValue": "microsoft.compute/snapshots/write", "ActivityStatusValue": "Success", "CallerIpAddress": "198.51.100.50", "Caller": "attacker@external.com", "CorrelationId": "az-corr-4", "ResourceGroup": "prod-rg", "SubscriptionId": "sub-001"}
{"event_type": "AzureActivity", "TimeGenerated": "2026-05-31T18:17:35.000Z", "ts_epoch_ms": 1780251455000, "OperationNameValue": "microsoft.compute/snapshots/write", "ActivityStatusValue": "Success", "CallerIpAddress": "198.51.100.50", "Caller": "attacker@external.com", "CorrelationId": "az-corr-5", "ResourceGroup": "prod-rg", "SubscriptionId": "sub-001"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T12:10:05.000Z", "ts_epoch_ms": 1780229405000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.10", "SourcePort": 49000, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T12:25:05.000Z", "ts_epoch_ms": 1780230305000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.11", "SourcePort": 49001, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T12:40:05.000Z", "ts_epoch_ms": 1780231205000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.12", "SourcePort": 49002, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T12:55:05.000Z", "ts_epoch_ms": 1780232105000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.13", "SourcePort": 49003, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T13:10:05.000Z", "ts_epoch_ms": 1780233005000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.14", "SourcePort": 49004, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T13:25:05.000Z", "ts_epoch_ms": 1780233905000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.15", "SourcePort": 49005, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T13:40:05.000Z", "ts_epoch_ms": 1780234805000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.16", "SourcePort": 49006, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T13:55:05.000Z", "ts_epoch_ms": 1780235705000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.17", "SourcePort": 49007, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T14:10:05.000Z", "ts_epoch_ms": 1780236605000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.18", "SourcePort": 49008, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T14:25:05.000Z", "ts_epoch_ms": 1780237505000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.19", "SourcePort": 49009, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T14:40:05.000Z", "ts_epoch_ms": 1780238405000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.20", "SourcePort": 49010, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T14:55:05.000Z", "ts_epoch_ms": 1780239305000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.21", "SourcePort": 49011, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T15:10:05.000Z", "ts_epoch_ms": 1780240205000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.22", "SourcePort": 49012, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T15:25:05.000Z", "ts_epoch_ms": 1780241105000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.23", "SourcePort": 49013, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T15:40:05.000Z", "ts_epoch_ms": 1780242005000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.24", "SourcePort": 49014, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T15:55:05.000Z", "ts_epoch_ms": 1780242905000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.25", "SourcePort": 49015, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T16:10:05.000Z", "ts_epoch_ms": 1780243805000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.26", "SourcePort": 49016, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T16:25:05.000Z", "ts_epoch_ms": 1780244705000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.27", "SourcePort": 49017, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T16:40:05.000Z", "ts_epoch_ms": 1780245605000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.28", "SourcePort": 49018, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T16:55:05.000Z", "ts_epoch_ms": 1780246505000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "alice", "SourceIP": "10.0.1.29", "SourcePort": 49019, "DestinationIP": "142.250.74.110", "DestinationPort": 443, "SentBytes": 2048, "ReceivedBytes": 16384, "Message": "allow web access to 142.250.74.110", "DeviceEventClassID": "end", "LogSeverity": 3, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:10:05.000Z", "ts_epoch_ms": 1780251005000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51000, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:11:05.000Z", "ts_epoch_ms": 1780251065000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51001, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:12:05.000Z", "ts_epoch_ms": 1780251125000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51002, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:13:05.000Z", "ts_epoch_ms": 1780251185000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51003, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:14:05.000Z", "ts_epoch_ms": 1780251245000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51004, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:15:05.000Z", "ts_epoch_ms": 1780251305000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51005, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:16:05.000Z", "ts_epoch_ms": 1780251365000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51006, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:17:05.000Z", "ts_epoch_ms": 1780251425000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51007, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:18:05.000Z", "ts_epoch_ms": 1780251485000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51008, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:19:05.000Z", "ts_epoch_ms": 1780251545000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51009, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:20:05.000Z", "ts_epoch_ms": 1780251605000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51010, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:21:05.000Z", "ts_epoch_ms": 1780251665000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51011, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:22:05.000Z", "ts_epoch_ms": 1780251725000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51012, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:23:05.000Z", "ts_epoch_ms": 1780251785000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51013, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:24:05.000Z", "ts_epoch_ms": 1780251845000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51014, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:25:05.000Z", "ts_epoch_ms": 1780251905000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51015, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:26:05.000Z", "ts_epoch_ms": 1780251965000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51016, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:27:05.000Z", "ts_epoch_ms": 1780252025000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51017, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:28:05.000Z", "ts_epoch_ms": 1780252085000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51018, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:29:05.000Z", "ts_epoch_ms": 1780252145000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51019, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:30:05.000Z", "ts_epoch_ms": 1780252205000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51020, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:31:05.000Z", "ts_epoch_ms": 1780252265000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51021, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:32:05.000Z", "ts_epoch_ms": 1780252325000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51022, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:33:05.000Z", "ts_epoch_ms": 1780252385000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51023, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:34:05.000Z", "ts_epoch_ms": 1780252445000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51024, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:35:05.000Z", "ts_epoch_ms": 1780252505000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51025, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:36:05.000Z", "ts_epoch_ms": 1780252565000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51026, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:37:05.000Z", "ts_epoch_ms": 1780252625000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51027, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:38:05.000Z", "ts_epoch_ms": 1780252685000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51028, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:39:05.000Z", "ts_epoch_ms": 1780252745000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51029, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:40:05.000Z", "ts_epoch_ms": 1780252805000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51030, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:41:05.000Z", "ts_epoch_ms": 1780252865000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51031, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:42:05.000Z", "ts_epoch_ms": 1780252925000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51032, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:43:05.000Z", "ts_epoch_ms": 1780252985000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51033, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:44:05.000Z", "ts_epoch_ms": 1780253045000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51034, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:45:05.000Z", "ts_epoch_ms": 1780253105000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51035, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:46:05.000Z", "ts_epoch_ms": 1780253165000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51036, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:47:05.000Z", "ts_epoch_ms": 1780253225000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51037, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:48:05.000Z", "ts_epoch_ms": 1780253285000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51038, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:49:05.000Z", "ts_epoch_ms": 1780253345000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51039, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:50:05.000Z", "ts_epoch_ms": 1780253405000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51040, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:51:05.000Z", "ts_epoch_ms": 1780253465000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51041, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:52:05.000Z", "ts_epoch_ms": 1780253525000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51042, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:53:05.000Z", "ts_epoch_ms": 1780253585000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51043, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:54:05.000Z", "ts_epoch_ms": 1780253645000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51044, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:55:05.000Z", "ts_epoch_ms": 1780253705000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51045, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:56:05.000Z", "ts_epoch_ms": 1780253765000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51046, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:57:05.000Z", "ts_epoch_ms": 1780253825000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51047, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:58:05.000Z", "ts_epoch_ms": 1780253885000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51048, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:59:05.000Z", "ts_epoch_ms": 1780253945000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51049, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T19:00:05.000Z", "ts_epoch_ms": 1780254005000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51050, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T19:01:05.000Z", "ts_epoch_ms": 1780254065000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51051, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T19:02:05.000Z", "ts_epoch_ms": 1780254125000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51052, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T19:03:05.000Z", "ts_epoch_ms": 1780254185000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51053, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T19:04:05.000Z", "ts_epoch_ms": 1780254245000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51054, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T19:05:05.000Z", "ts_epoch_ms": 1780254305000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51055, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T19:06:05.000Z", "ts_epoch_ms": 1780254365000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51056, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T19:07:05.000Z", "ts_epoch_ms": 1780254425000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51057, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T19:08:05.000Z", "ts_epoch_ms": 1780254485000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51058, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T19:09:05.000Z", "ts_epoch_ms": 1780254545000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "dave", "SourceIP": "10.0.2.42", "SourcePort": 51059, "DestinationIP": "185.220.101.7", "DestinationPort": 8443, "SentBytes": 512, "ReceivedBytes": 128, "Message": "beacon to C2 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:18:25.000Z", "ts_epoch_ms": 1780251505000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "carol", "SourceIP": "10.0.3.11", "SourcePort": 49888, "DestinationIP": "185.220.101.7", "DestinationPort": 443, "SentBytes": 1024, "ReceivedBytes": 2048, "Message": "allow access to 185.220.101.7", "DeviceEventClassID": "end", "LogSeverity": 5, "DeviceAction": "allow", "DeviceProduct": "PAN-OS"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:21:45.000Z", "ts_epoch_ms": 1780251705000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "-", "SourceIP": "198.51.100.7", "SourcePort": 44000, "DestinationIP": "10.0.0.10", "DestinationPort": 443, "SentBytes": 256, "ReceivedBytes": 512, "Message": "deny session from 198.51.100.7", "DeviceEventClassID": "deny", "LogSeverity": 6, "DeviceAction": "deny", "DeviceProduct": "PAN-OS", "AdditionalExtensions": "src=198.51.100.7 dst=10.0.0.10"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:22:45.000Z", "ts_epoch_ms": 1780251765000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "-", "SourceIP": "198.51.100.7", "SourcePort": 44001, "DestinationIP": "10.0.0.10", "DestinationPort": 443, "SentBytes": 256, "ReceivedBytes": 512, "Message": "deny session from 198.51.100.7", "DeviceEventClassID": "deny", "LogSeverity": 6, "DeviceAction": "deny", "DeviceProduct": "PAN-OS", "AdditionalExtensions": "src=198.51.100.7 dst=10.0.0.10"}
{"event_type": "CommonSecurityLog", "TimeGenerated": "2026-05-31T18:23:45.000Z", "ts_epoch_ms": 1780251825000, "DeviceVendor": "Palo Alto Networks", "Activity": "TRAFFIC", "DeviceName": "pa-fw-01", "SourceUserID": "-", "SourceIP": "198.51.100.7", "SourcePort": 44002, "DestinationIP": "10.0.0.10", "DestinationPort": 443, "SentBytes": 256, "ReceivedBytes": 512, "Message": "deny session from 198.51.100.7", "DeviceEventClassID": "deny", "LogSeverity": 6, "DeviceAction": "deny", "DeviceProduct": "PAN-OS", "AdditionalExtensions": "src=198.51.100.7 dst=10.0.0.10"}
{"event_type": "ThreatIntelIndicators", "TimeGenerated": "2026-05-31T13:10:05.000Z", "ts_epoch_ms": 1780233005000, "Id": "ti-ioc-001", "ObservableKey": "ipv4-addr:value", "ObservableValue": "185.220.101.7", "IsActive": true, "ValidUntil": "2026-06-30T20:10:05.000Z", "Confidence": 85, "Tags": "c2,tor-exit", "AdditionalFields_TLPLevel": "AMBER"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T12:10:05.000Z", "ts_epoch_ms": 1780229405000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "\"svchost.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T12:18:05.000Z", "ts_epoch_ms": 1780229885000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\explorer.exe", "CommandLine": "\"explorer.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T12:26:05.000Z", "ts_epoch_ms": 1780230365000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\chrome.exe", "CommandLine": "\"chrome.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T12:34:05.000Z", "ts_epoch_ms": 1780230845000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\outlook.exe", "CommandLine": "\"outlook.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T12:42:05.000Z", "ts_epoch_ms": 1780231325000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "\"svchost.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T12:50:05.000Z", "ts_epoch_ms": 1780231805000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\explorer.exe", "CommandLine": "\"explorer.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T12:58:05.000Z", "ts_epoch_ms": 1780232285000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\chrome.exe", "CommandLine": "\"chrome.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T13:06:05.000Z", "ts_epoch_ms": 1780232765000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\outlook.exe", "CommandLine": "\"outlook.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T13:14:05.000Z", "ts_epoch_ms": 1780233245000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "\"svchost.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T13:22:05.000Z", "ts_epoch_ms": 1780233725000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\explorer.exe", "CommandLine": "\"explorer.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T13:30:05.000Z", "ts_epoch_ms": 1780234205000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\chrome.exe", "CommandLine": "\"chrome.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T13:38:05.000Z", "ts_epoch_ms": 1780234685000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\outlook.exe", "CommandLine": "\"outlook.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T13:46:05.000Z", "ts_epoch_ms": 1780235165000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "\"svchost.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T13:54:05.000Z", "ts_epoch_ms": 1780235645000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\explorer.exe", "CommandLine": "\"explorer.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T14:02:05.000Z", "ts_epoch_ms": 1780236125000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\chrome.exe", "CommandLine": "\"chrome.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T14:10:05.000Z", "ts_epoch_ms": 1780236605000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\outlook.exe", "CommandLine": "\"outlook.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T14:18:05.000Z", "ts_epoch_ms": 1780237085000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "\"svchost.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T14:26:05.000Z", "ts_epoch_ms": 1780237565000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\explorer.exe", "CommandLine": "\"explorer.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T14:34:05.000Z", "ts_epoch_ms": 1780238045000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\chrome.exe", "CommandLine": "\"chrome.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T14:42:05.000Z", "ts_epoch_ms": 1780238525000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\outlook.exe", "CommandLine": "\"outlook.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T14:50:05.000Z", "ts_epoch_ms": 1780239005000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "\"svchost.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T14:58:05.000Z", "ts_epoch_ms": 1780239485000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\explorer.exe", "CommandLine": "\"explorer.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T15:06:05.000Z", "ts_epoch_ms": 1780239965000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\chrome.exe", "CommandLine": "\"chrome.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T15:14:05.000Z", "ts_epoch_ms": 1780240445000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\outlook.exe", "CommandLine": "\"outlook.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T15:22:05.000Z", "ts_epoch_ms": 1780240925000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "\"svchost.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T15:30:05.000Z", "ts_epoch_ms": 1780241405000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\explorer.exe", "CommandLine": "\"explorer.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T15:38:05.000Z", "ts_epoch_ms": 1780241885000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\chrome.exe", "CommandLine": "\"chrome.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T15:46:05.000Z", "ts_epoch_ms": 1780242365000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\outlook.exe", "CommandLine": "\"outlook.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T15:54:05.000Z", "ts_epoch_ms": 1780242845000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "\"svchost.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T16:02:05.000Z", "ts_epoch_ms": 1780243325000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\explorer.exe", "CommandLine": "\"explorer.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T16:10:05.000Z", "ts_epoch_ms": 1780243805000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\chrome.exe", "CommandLine": "\"chrome.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T16:18:05.000Z", "ts_epoch_ms": 1780244285000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\outlook.exe", "CommandLine": "\"outlook.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T16:26:05.000Z", "ts_epoch_ms": 1780244765000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "\"svchost.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T16:34:05.000Z", "ts_epoch_ms": 1780245245000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\explorer.exe", "CommandLine": "\"explorer.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T16:42:05.000Z", "ts_epoch_ms": 1780245725000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\chrome.exe", "CommandLine": "\"chrome.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T16:50:05.000Z", "ts_epoch_ms": 1780246205000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\outlook.exe", "CommandLine": "\"outlook.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T16:58:05.000Z", "ts_epoch_ms": 1780246685000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "\"svchost.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T17:06:05.000Z", "ts_epoch_ms": 1780247165000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\explorer.exe", "CommandLine": "\"explorer.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T17:14:05.000Z", "ts_epoch_ms": 1780247645000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\chrome.exe", "CommandLine": "\"chrome.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T17:22:05.000Z", "ts_epoch_ms": 1780248125000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\outlook.exe", "CommandLine": "\"outlook.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T18:25:05.000Z", "ts_epoch_ms": 1780251905000, "EventID": 4688, "Computer": "WIN-WS02", "Account": "CONTOSO\\dave", "NewProcessName": "C:\\Users\\dave\\AppData\\Local\\Temp\\mimikatz.exe", "CommandLine": "mimikatz.exe sekurlsa::logonpasswords", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T18:27:36.000Z", "ts_epoch_ms": 1780252056000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "\"svchost.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T18:27:40.000Z", "ts_epoch_ms": 1780252060000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\explorer.exe", "CommandLine": "\"explorer.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T18:28:20.000Z", "ts_epoch_ms": 1780252100000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\chrome.exe", "CommandLine": "\"chrome.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T18:26:56.000Z", "ts_epoch_ms": 1780252016000, "EventID": 4688, "Computer": "WIN-WS01", "Account": "CONTOSO\\alice", "NewProcessName": "C:\\Windows\\System32\\outlook.exe", "CommandLine": "\"outlook.exe\"", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T12:10:05.000Z", "ts_epoch_ms": 1780229405000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T12:30:05.000Z", "ts_epoch_ms": 1780230605000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T12:50:05.000Z", "ts_epoch_ms": 1780231805000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T13:10:05.000Z", "ts_epoch_ms": 1780233005000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T13:30:05.000Z", "ts_epoch_ms": 1780234205000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T13:50:05.000Z", "ts_epoch_ms": 1780235405000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T14:10:05.000Z", "ts_epoch_ms": 1780236605000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T14:30:05.000Z", "ts_epoch_ms": 1780237805000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T14:50:05.000Z", "ts_epoch_ms": 1780239005000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T15:10:05.000Z", "ts_epoch_ms": 1780240205000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T15:30:05.000Z", "ts_epoch_ms": 1780241405000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T15:50:05.000Z", "ts_epoch_ms": 1780242605000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T16:10:05.000Z", "ts_epoch_ms": 1780243805000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T16:30:05.000Z", "ts_epoch_ms": 1780245005000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T16:50:05.000Z", "ts_epoch_ms": 1780246205000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "2 - Interactive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "WIN-WS01", "IpAddress": "10.0.0.20", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "-", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": false}
{"event_type": "SecurityEvent", "TimeGenerated": "2026-05-31T18:11:05.000Z", "ts_epoch_ms": 1780251065000, "EventID": 4624, "Activity": "An account was successfully logged on", "LogonTypeName": "10 - RemoteInteractive", "AccountType": "User", "TargetUserName": "CONTOSO\\alice", "TargetDomainName": "CONTOSO", "SubjectUserName": "alice", "Computer": "WIN-WS01", "WorkstationName": "ATTACKER-PC", "IpAddress": "198.51.100.7", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "PrivilegeList": "SeDebugPrivilege", "Status": "0x0", "SubStatus": "0x0", "is_off_hours": true}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T13:10:05.000Z", "ts_epoch_ms": 1780233005000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "OneDrive/22.0", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/report.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T14:40:05.000Z", "ts_epoch_ms": 1780238405000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "OneDrive/22.0", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/report.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T16:10:05.000Z", "ts_epoch_ms": 1780243805000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "OneDrive/22.0", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/report.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:05.000Z", "ts_epoch_ms": 1780251305000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-0.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:07.000Z", "ts_epoch_ms": 1780251307000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-1.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:09.000Z", "ts_epoch_ms": 1780251309000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-2.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:11.000Z", "ts_epoch_ms": 1780251311000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-3.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:13.000Z", "ts_epoch_ms": 1780251313000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-4.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:15.000Z", "ts_epoch_ms": 1780251315000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-5.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:17.000Z", "ts_epoch_ms": 1780251317000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-6.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:19.000Z", "ts_epoch_ms": 1780251319000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-7.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:21.000Z", "ts_epoch_ms": 1780251321000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-8.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:23.000Z", "ts_epoch_ms": 1780251323000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-9.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:25.000Z", "ts_epoch_ms": 1780251325000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-10.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:27.000Z", "ts_epoch_ms": 1780251327000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-11.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:29.000Z", "ts_epoch_ms": 1780251329000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-12.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:31.000Z", "ts_epoch_ms": 1780251331000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-13.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:33.000Z", "ts_epoch_ms": 1780251333000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-14.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:35.000Z", "ts_epoch_ms": 1780251335000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-15.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:37.000Z", "ts_epoch_ms": 1780251337000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-16.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:39.000Z", "ts_epoch_ms": 1780251339000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-17.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:41.000Z", "ts_epoch_ms": 1780251341000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-18.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:43.000Z", "ts_epoch_ms": 1780251343000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-19.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:45.000Z", "ts_epoch_ms": 1780251345000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-20.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:47.000Z", "ts_epoch_ms": 1780251347000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-21.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:49.000Z", "ts_epoch_ms": 1780251349000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-22.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:51.000Z", "ts_epoch_ms": 1780251351000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-23.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:53.000Z", "ts_epoch_ms": 1780251353000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-24.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:55.000Z", "ts_epoch_ms": 1780251355000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-25.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:57.000Z", "ts_epoch_ms": 1780251357000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-26.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:15:59.000Z", "ts_epoch_ms": 1780251359000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-27.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:01.000Z", "ts_epoch_ms": 1780251361000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-28.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:03.000Z", "ts_epoch_ms": 1780251363000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-29.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:05.000Z", "ts_epoch_ms": 1780251365000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-30.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:07.000Z", "ts_epoch_ms": 1780251367000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-31.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:09.000Z", "ts_epoch_ms": 1780251369000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-32.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:11.000Z", "ts_epoch_ms": 1780251371000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-33.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:13.000Z", "ts_epoch_ms": 1780251373000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-34.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:15.000Z", "ts_epoch_ms": 1780251375000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-35.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:17.000Z", "ts_epoch_ms": 1780251377000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-36.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:19.000Z", "ts_epoch_ms": 1780251379000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-37.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:21.000Z", "ts_epoch_ms": 1780251381000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-38.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:23.000Z", "ts_epoch_ms": 1780251383000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-39.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:25.000Z", "ts_epoch_ms": 1780251385000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-40.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:27.000Z", "ts_epoch_ms": 1780251387000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-41.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:29.000Z", "ts_epoch_ms": 1780251389000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-42.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:31.000Z", "ts_epoch_ms": 1780251391000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-43.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:33.000Z", "ts_epoch_ms": 1780251393000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-44.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:35.000Z", "ts_epoch_ms": 1780251395000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-45.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:37.000Z", "ts_epoch_ms": 1780251397000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-46.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:39.000Z", "ts_epoch_ms": 1780251399000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-47.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:41.000Z", "ts_epoch_ms": 1780251401000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-48.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:43.000Z", "ts_epoch_ms": 1780251403000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-49.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:45.000Z", "ts_epoch_ms": 1780251405000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-50.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:47.000Z", "ts_epoch_ms": 1780251407000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-51.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:49.000Z", "ts_epoch_ms": 1780251409000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-52.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:51.000Z", "ts_epoch_ms": 1780251411000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-53.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:53.000Z", "ts_epoch_ms": 1780251413000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-54.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:55.000Z", "ts_epoch_ms": 1780251415000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-55.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:57.000Z", "ts_epoch_ms": 1780251417000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-56.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:16:59.000Z", "ts_epoch_ms": 1780251419000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-57.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:01.000Z", "ts_epoch_ms": 1780251421000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-58.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:03.000Z", "ts_epoch_ms": 1780251423000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-59.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:05.000Z", "ts_epoch_ms": 1780251425000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-60.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:07.000Z", "ts_epoch_ms": 1780251427000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-61.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:09.000Z", "ts_epoch_ms": 1780251429000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-62.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:11.000Z", "ts_epoch_ms": 1780251431000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-63.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:13.000Z", "ts_epoch_ms": 1780251433000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-64.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:15.000Z", "ts_epoch_ms": 1780251435000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-65.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:17.000Z", "ts_epoch_ms": 1780251437000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-66.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:19.000Z", "ts_epoch_ms": 1780251439000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-67.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:21.000Z", "ts_epoch_ms": 1780251441000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-68.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:23.000Z", "ts_epoch_ms": 1780251443000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-69.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:25.000Z", "ts_epoch_ms": 1780251445000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-70.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:27.000Z", "ts_epoch_ms": 1780251447000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-71.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:29.000Z", "ts_epoch_ms": 1780251449000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-72.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:31.000Z", "ts_epoch_ms": 1780251451000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-73.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:33.000Z", "ts_epoch_ms": 1780251453000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-74.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:35.000Z", "ts_epoch_ms": 1780251455000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-75.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:37.000Z", "ts_epoch_ms": 1780251457000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-76.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:39.000Z", "ts_epoch_ms": 1780251459000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-77.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:41.000Z", "ts_epoch_ms": 1780251461000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-78.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:43.000Z", "ts_epoch_ms": 1780251463000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-79.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:45.000Z", "ts_epoch_ms": 1780251465000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-80.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:47.000Z", "ts_epoch_ms": 1780251467000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-81.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:49.000Z", "ts_epoch_ms": 1780251469000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-82.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:51.000Z", "ts_epoch_ms": 1780251471000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-83.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:53.000Z", "ts_epoch_ms": 1780251473000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-84.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:55.000Z", "ts_epoch_ms": 1780251475000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-85.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:57.000Z", "ts_epoch_ms": 1780251477000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-86.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:17:59.000Z", "ts_epoch_ms": 1780251479000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-87.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:01.000Z", "ts_epoch_ms": 1780251481000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-88.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:03.000Z", "ts_epoch_ms": 1780251483000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-89.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:05.000Z", "ts_epoch_ms": 1780251485000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-90.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:07.000Z", "ts_epoch_ms": 1780251487000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-91.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:09.000Z", "ts_epoch_ms": 1780251489000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-92.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:11.000Z", "ts_epoch_ms": 1780251491000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-93.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:13.000Z", "ts_epoch_ms": 1780251493000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-94.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:15.000Z", "ts_epoch_ms": 1780251495000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-95.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:17.000Z", "ts_epoch_ms": 1780251497000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-96.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:19.000Z", "ts_epoch_ms": 1780251499000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-97.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:21.000Z", "ts_epoch_ms": 1780251501000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-98.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:23.000Z", "ts_epoch_ms": 1780251503000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-99.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:25.000Z", "ts_epoch_ms": 1780251505000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-100.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:27.000Z", "ts_epoch_ms": 1780251507000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-101.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:29.000Z", "ts_epoch_ms": 1780251509000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-102.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:31.000Z", "ts_epoch_ms": 1780251511000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-103.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:33.000Z", "ts_epoch_ms": 1780251513000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-104.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:35.000Z", "ts_epoch_ms": 1780251515000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-105.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:37.000Z", "ts_epoch_ms": 1780251517000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-106.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:39.000Z", "ts_epoch_ms": 1780251519000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-107.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:41.000Z", "ts_epoch_ms": 1780251521000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-108.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:43.000Z", "ts_epoch_ms": 1780251523000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-109.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:45.000Z", "ts_epoch_ms": 1780251525000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-110.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:47.000Z", "ts_epoch_ms": 1780251527000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-111.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:49.000Z", "ts_epoch_ms": 1780251529000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-112.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:51.000Z", "ts_epoch_ms": 1780251531000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-113.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:53.000Z", "ts_epoch_ms": 1780251533000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-114.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:55.000Z", "ts_epoch_ms": 1780251535000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-115.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:57.000Z", "ts_epoch_ms": 1780251537000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-116.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:18:59.000Z", "ts_epoch_ms": 1780251539000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-117.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:01.000Z", "ts_epoch_ms": 1780251541000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-118.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:03.000Z", "ts_epoch_ms": 1780251543000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-119.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:05.000Z", "ts_epoch_ms": 1780251545000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-120.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:07.000Z", "ts_epoch_ms": 1780251547000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-121.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:09.000Z", "ts_epoch_ms": 1780251549000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-122.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:11.000Z", "ts_epoch_ms": 1780251551000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-123.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:13.000Z", "ts_epoch_ms": 1780251553000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-124.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:15.000Z", "ts_epoch_ms": 1780251555000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-125.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:17.000Z", "ts_epoch_ms": 1780251557000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-126.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:19.000Z", "ts_epoch_ms": 1780251559000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-127.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:21.000Z", "ts_epoch_ms": 1780251561000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-128.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:23.000Z", "ts_epoch_ms": 1780251563000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-129.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:25.000Z", "ts_epoch_ms": 1780251565000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-130.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:27.000Z", "ts_epoch_ms": 1780251567000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-131.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:29.000Z", "ts_epoch_ms": 1780251569000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-132.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:31.000Z", "ts_epoch_ms": 1780251571000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-133.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:33.000Z", "ts_epoch_ms": 1780251573000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-134.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:35.000Z", "ts_epoch_ms": 1780251575000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-135.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:37.000Z", "ts_epoch_ms": 1780251577000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-136.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:39.000Z", "ts_epoch_ms": 1780251579000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-137.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:41.000Z", "ts_epoch_ms": 1780251581000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-138.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:43.000Z", "ts_epoch_ms": 1780251583000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-139.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:45.000Z", "ts_epoch_ms": 1780251585000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-140.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:47.000Z", "ts_epoch_ms": 1780251587000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-141.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:49.000Z", "ts_epoch_ms": 1780251589000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-142.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:51.000Z", "ts_epoch_ms": 1780251591000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-143.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:53.000Z", "ts_epoch_ms": 1780251593000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-144.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:55.000Z", "ts_epoch_ms": 1780251595000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-145.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:57.000Z", "ts_epoch_ms": 1780251597000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-146.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:19:59.000Z", "ts_epoch_ms": 1780251599000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-147.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:01.000Z", "ts_epoch_ms": 1780251601000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-148.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:03.000Z", "ts_epoch_ms": 1780251603000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-149.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:05.000Z", "ts_epoch_ms": 1780251605000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-150.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:07.000Z", "ts_epoch_ms": 1780251607000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-151.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:09.000Z", "ts_epoch_ms": 1780251609000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-152.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:11.000Z", "ts_epoch_ms": 1780251611000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-153.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:13.000Z", "ts_epoch_ms": 1780251613000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-154.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:15.000Z", "ts_epoch_ms": 1780251615000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-155.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:17.000Z", "ts_epoch_ms": 1780251617000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-156.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:19.000Z", "ts_epoch_ms": 1780251619000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-157.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:21.000Z", "ts_epoch_ms": 1780251621000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-158.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:23.000Z", "ts_epoch_ms": 1780251623000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-159.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:25.000Z", "ts_epoch_ms": 1780251625000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-160.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:27.000Z", "ts_epoch_ms": 1780251627000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-161.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:29.000Z", "ts_epoch_ms": 1780251629000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-162.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:31.000Z", "ts_epoch_ms": 1780251631000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-163.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:33.000Z", "ts_epoch_ms": 1780251633000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-164.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:35.000Z", "ts_epoch_ms": 1780251635000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-165.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:37.000Z", "ts_epoch_ms": 1780251637000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-166.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:39.000Z", "ts_epoch_ms": 1780251639000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-167.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:41.000Z", "ts_epoch_ms": 1780251641000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-168.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:43.000Z", "ts_epoch_ms": 1780251643000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-169.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:45.000Z", "ts_epoch_ms": 1780251645000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-170.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:47.000Z", "ts_epoch_ms": 1780251647000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-171.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:49.000Z", "ts_epoch_ms": 1780251649000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-172.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:51.000Z", "ts_epoch_ms": 1780251651000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-173.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:53.000Z", "ts_epoch_ms": 1780251653000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-174.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:55.000Z", "ts_epoch_ms": 1780251655000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-175.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:57.000Z", "ts_epoch_ms": 1780251657000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-176.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:20:59.000Z", "ts_epoch_ms": 1780251659000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-177.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:01.000Z", "ts_epoch_ms": 1780251661000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-178.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:03.000Z", "ts_epoch_ms": 1780251663000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-179.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:05.000Z", "ts_epoch_ms": 1780251665000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-180.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:07.000Z", "ts_epoch_ms": 1780251667000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-181.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:09.000Z", "ts_epoch_ms": 1780251669000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-182.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:11.000Z", "ts_epoch_ms": 1780251671000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-183.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:13.000Z", "ts_epoch_ms": 1780251673000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-184.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:15.000Z", "ts_epoch_ms": 1780251675000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-185.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:17.000Z", "ts_epoch_ms": 1780251677000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-186.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:19.000Z", "ts_epoch_ms": 1780251679000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-187.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:21.000Z", "ts_epoch_ms": 1780251681000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-188.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:23.000Z", "ts_epoch_ms": 1780251683000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-189.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:25.000Z", "ts_epoch_ms": 1780251685000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-190.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:27.000Z", "ts_epoch_ms": 1780251687000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-191.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:29.000Z", "ts_epoch_ms": 1780251689000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-192.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:31.000Z", "ts_epoch_ms": 1780251691000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-193.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:33.000Z", "ts_epoch_ms": 1780251693000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-194.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:35.000Z", "ts_epoch_ms": 1780251695000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-195.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:37.000Z", "ts_epoch_ms": 1780251697000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-196.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:39.000Z", "ts_epoch_ms": 1780251699000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-197.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:41.000Z", "ts_epoch_ms": 1780251701000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-198.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "OfficeActivity", "TimeGenerated": "2026-05-31T18:21:43.000Z", "ts_epoch_ms": 1780251703000, "RecordType": "SharePointFileOperation", "Operation": "FileDownloaded", "UserId": "dave@contoso.com", "UserType": "Regular", "Site_Url": "https://contoso.sharepoint.com/sites/finance", "ClientIP": "10.0.0.30", "UserAgent": "python-requests/2.31", "OfficeObjectId": "https://contoso.sharepoint.com/sites/finance/secret-199.xlsx", "OfficeWorkload": "SharePoint"}
{"event_type": "DeviceFileEvents", "TimeGenerated": "2026-05-31T18:23:25.000Z", "ts_epoch_ms": 1780251805000, "FileName": "Q4-Confidential.docx", "FolderPath": "C:\\Confidential\\Q4-Confidential.docx", "ActionType": "FileAccessed", "InitiatingProcessAccountName": "CONTOSO\\dave", "DeviceName": "WIN-WS02"}
{"event_type": "DeviceFileEvents", "TimeGenerated": "2026-05-31T18:23:25.000Z", "ts_epoch_ms": 1780251805000, "FileName": "Q4-Confidential.docx", "FolderPath": "C:\\Confidential\\Q4-Confidential.docx", "ActionType": "FileCopied", "InitiatingProcessAccountName": "CONTOSO\\dave", "DeviceName": "WIN-WS02"}
{"event_type": "DeviceFileEvents", "TimeGenerated": "2026-05-31T18:23:25.000Z", "ts_epoch_ms": 1780251805000, "FileName": "Q4-Confidential.docx", "FolderPath": "C:\\Confidential\\Q4-Confidential.docx", "ActionType": "FileMoved", "InitiatingProcessAccountName": "CONTOSO\\dave", "DeviceName": "WIN-WS02"}
{"event_type": "DeviceFileEvents", "TimeGenerated": "2026-05-31T18:23:25.000Z", "ts_epoch_ms": 1780251805000, "FileName": "MergerPlan.pdf", "FolderPath": "C:\\Confidential\\MergerPlan.pdf", "ActionType": "FileAccessed", "InitiatingProcessAccountName": "CONTOSO\\dave", "DeviceName": "WIN-WS02"}
{"event_type": "DeviceFileEvents", "TimeGenerated": "2026-05-31T18:23:25.000Z", "ts_epoch_ms": 1780251805000, "FileName": "MergerPlan.pdf", "FolderPath": "C:\\Confidential\\MergerPlan.pdf", "ActionType": "FileCopied", "InitiatingProcessAccountName": "CONTOSO\\dave", "DeviceName": "WIN-WS02"}
{"event_type": "DeviceFileEvents", "TimeGenerated": "2026-05-31T18:23:25.000Z", "ts_epoch_ms": 1780251805000, "FileName": "MergerPlan.pdf", "FolderPath": "C:\\Confidential\\MergerPlan.pdf", "ActionType": "FileMoved", "InitiatingProcessAccountName": "CONTOSO\\dave", "DeviceName": "WIN-WS02"}
{"event_type": "DeviceFileEvents", "TimeGenerated": "2026-05-31T18:23:25.000Z", "ts_epoch_ms": 1780251805000, "FileName": "RestrictedSalary.xlsx", "FolderPath": "C:\\Confidential\\RestrictedSalary.xlsx", "ActionType": "FileAccessed", "InitiatingProcessAccountName": "CONTOSO\\dave", "DeviceName": "WIN-WS02"}
{"event_type": "DeviceFileEvents", "TimeGenerated": "2026-05-31T18:23:25.000Z", "ts_epoch_ms": 1780251805000, "FileName": "RestrictedSalary.xlsx", "FolderPath": "C:\\Confidential\\RestrictedSalary.xlsx", "ActionType": "FileCopied", "InitiatingProcessAccountName": "CONTOSO\\dave", "DeviceName": "WIN-WS02"}
{"event_type": "DeviceFileEvents", "TimeGenerated": "2026-05-31T18:23:25.000Z", "ts_epoch_ms": 1780251805000, "FileName": "RestrictedSalary.xlsx", "FolderPath": "C:\\Confidential\\RestrictedSalary.xlsx", "ActionType": "FileMoved", "InitiatingProcessAccountName": "CONTOSO\\dave", "DeviceName": "WIN-WS02"}
+340
@@ -0,0 +1,340 @@
#!/usr/bin/env python3
"""Generate deterministic sample events for the KQL <-> PowerQuery proof.
Time windows (anchored to real wall-clock now so SDL accepts the events):
BASELINE : NOW - 8h .. NOW - 2h
RECENT : NOW - 2h .. NOW
A `time_anchor.json` is written alongside the events so rules.py uses the
same NOW / RECENT_START as the generator.
"""
from __future__ import annotations
import json
import random
from datetime import datetime, timedelta, timezone
from pathlib import Path
random.seed(20260531)
HERE = Path(__file__).parent
OUT = HERE / "events.jsonl"
ANCHOR = HERE / "time_anchor.json"
NOW = datetime.now(timezone.utc).replace(microsecond=0)
RECENT_START = NOW - timedelta(hours=2)
BASELINE_START = NOW - timedelta(hours=8)
BASELINE_END = RECENT_START
ANCHOR.write_text(json.dumps({
"now": NOW.isoformat(),
"recent_start": RECENT_START.isoformat(),
"baseline_start": BASELINE_START.isoformat(),
}, indent=2))
def iso(dt):
return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")
events: list[dict] = []
def emit(event_type, ts, **fields):
events.append({
"event_type": event_type,
"TimeGenerated": iso(ts),
"ts_epoch_ms": int(ts.timestamp() * 1000),
**fields,
})
def in_baseline(offset_min: int):
"""Pick a time inside the baseline window using a minute offset."""
span = (BASELINE_END - BASELINE_START).total_seconds() / 60
return BASELINE_START + timedelta(minutes=offset_min % int(span))
def in_recent(offset_sec: int):
return RECENT_START + timedelta(seconds=offset_sec)
# ---------------------------------------------------------------------------
# SigninLogs
# ---------------------------------------------------------------------------
USERS = ["alice@contoso.com", "bob@contoso.com", "carol@contoso.com",
"dave@contoso.com", "eve@contoso.com"]
APPS = ["Office 365 Exchange Online", "Microsoft Teams", "Azure Portal"]
USER_HOME = {"alice@contoso.com": "US", "bob@contoso.com": "FR",
"carol@contoso.com": "GB", "dave@contoso.com": "DE",
"eve@contoso.com": "US"}
# Baseline (8h..2h ago): each user signs in 3x per app from their home country
for upn in USERS:
home = USER_HOME[upn]
for app in APPS[:2]:
for i in range(3):
emit("SigninLogs", in_baseline(i * 40 + 5 * USERS.index(upn)),
UserPrincipalName=upn, Identity=upn,
AppDisplayName=app, ResultType=0,
IPAddress=f"10.0.0.{20 + USERS.index(upn) * 10 + i}",
Location=home,
LocationDetails_country=home,
LocationDetails_state="HQ", LocationDetails_city="HQ",
UserAgent="Mozilla/5.0 (Windows NT 10.0) Edge/120.0",
DeviceDetail_os="Windows 10")
# Recent: eve burst across 10 NEW countries (anomalous + suspicious-travel +
# new-locations + rare-UA)
EVE_COUNTRIES = ["BR", "RU", "CN", "IR", "NG", "VN", "TR", "ID", "PK", "AR"]
for i, c in enumerate(EVE_COUNTRIES):
emit("SigninLogs", in_recent(60 + i * 30),
UserPrincipalName="eve@contoso.com", Identity="eve@contoso.com",
AppDisplayName="Azure Portal", ResultType=0,
IPAddress=f"203.0.113.{10 + i}", Location=c,
LocationDetails_country=c,
LocationDetails_state="NA", LocationDetails_city="NA",
UserAgent="curl/8.4.0", DeviceDetail_os="Linux")
# Recent: slow brute force from one IP across many users (fires brute-force)
ATTACKER_IP = "198.51.100.7"
ATTACKER_TARGETS = USERS + ["frank@contoso.com"]
for u_idx, u in enumerate(ATTACKER_TARGETS):
for k in range(4):
emit("SigninLogs", in_recent(120 + u_idx * 60 + k * 10),
UserPrincipalName=u, Identity=u,
AppDisplayName="Office 365 Exchange Online", ResultType=50126,
ResultDescription="Invalid username or password",
IPAddress=ATTACKER_IP, Location="RU",
LocationDetails_country="RU",
LocationDetails_state="NA", LocationDetails_city="Moscow",
UserAgent="Mozilla/5.0 (Windows NT 10.0) Edge/120.0",
DeviceDetail_os="Windows 10")
# Recent: dave normal signin (joins with audit log priv-escalation)
emit("SigninLogs", in_recent(30),
UserPrincipalName="dave@contoso.com", Identity="dave@contoso.com",
AppDisplayName="Azure Portal", ResultType=0,
IPAddress="203.0.113.99", Location="DE",
LocationDetails_country="DE",
LocationDetails_state="BE", LocationDetails_city="Berlin",
UserAgent="Mozilla/5.0 (Windows NT 10.0) Edge/120.0",
DeviceDetail_os="Windows 10")
# Recent: bob travels to 4 countries today (suspicious travel - small ambit
# of just dailies could fire on >3 countries threshold)
for i, c in enumerate(["FR", "DE", "IT", "ES"]):
emit("SigninLogs", in_recent(20 + i * 5),
UserPrincipalName="bob@contoso.com", Identity="bob@contoso.com",
AppDisplayName="Microsoft Teams", ResultType=0,
IPAddress=f"10.0.0.{60 + i}", Location=c,
LocationDetails_country=c,
LocationDetails_state="NA", LocationDetails_city="NA",
UserAgent="Mozilla/5.0 (Windows NT 10.0) Edge/120.0",
DeviceDetail_os="Windows 10")
# ---------------------------------------------------------------------------
# AuditLogs
# ---------------------------------------------------------------------------
# Baseline: HR-Sync "Update user"
for i in range(10):
emit("AuditLogs", in_baseline(i * 30),
OperationName="Update user", Category="UserManagement",
CorrelationId=f"base-{i}",
InitiatedBy_app_displayName="HR-Sync",
InitiatedBy_app_ipAddress="10.0.0.5",
InitiatedBy_user_userPrincipalName=None,
InitiatedBy_user_ipAddress=None,
TargetResources_0_userPrincipalName="alice@contoso.com",
TargetResources_0_displayName="alice")
# Recent: rare ops
emit("AuditLogs", in_recent(180),
OperationName="Add service principal", Category="ApplicationManagement",
CorrelationId="corr-priv-esc-1",
InitiatedBy_app_displayName=None,
InitiatedBy_app_ipAddress=None,
InitiatedBy_user_userPrincipalName="dave@contoso.com",
InitiatedBy_user_ipAddress="203.0.113.99",
TargetResources_0_userPrincipalName="svcprincipal@contoso.com",
TargetResources_0_displayName="SuspiciousApp")
emit("AuditLogs", in_recent(240),
OperationName="Consent to application", Category="ApplicationManagement",
CorrelationId="corr-consent-1",
InitiatedBy_app_displayName=None,
InitiatedBy_app_ipAddress=None,
InitiatedBy_user_userPrincipalName="eve@contoso.com",
InitiatedBy_user_ipAddress="203.0.113.10",
TargetResources_0_userPrincipalName="eve@contoso.com",
TargetResources_0_displayName="MaliciousOAuthApp")
# ---------------------------------------------------------------------------
# AzureActivity
# ---------------------------------------------------------------------------
for i in range(6):
emit("AzureActivity", in_recent(300 + i * 30),
OperationNameValue="microsoft.compute/snapshots/write",
ActivityStatusValue="Success",
CallerIpAddress="198.51.100.50",
Caller="attacker@external.com",
CorrelationId=f"az-corr-{i}",
ResourceGroup="prod-rg", SubscriptionId="sub-001")
# ---------------------------------------------------------------------------
# CommonSecurityLog
# ---------------------------------------------------------------------------
# Normal baseline traffic
for i in range(20):
emit("CommonSecurityLog", in_baseline(i * 15),
DeviceVendor="Palo Alto Networks", Activity="TRAFFIC",
DeviceName="pa-fw-01", SourceUserID="alice",
SourceIP=f"10.0.1.{10 + i}", SourcePort=49000 + i,
DestinationIP="142.250.74.110", DestinationPort=443,
SentBytes=2048, ReceivedBytes=16384,
Message="allow web access to 142.250.74.110",
DeviceEventClassID="end", LogSeverity=3,
DeviceAction="allow", DeviceProduct="PAN-OS")
# Beacon: 60 evenly-spaced events
for i in range(60):
emit("CommonSecurityLog", in_recent(60 * i),
DeviceVendor="Palo Alto Networks", Activity="TRAFFIC",
DeviceName="pa-fw-01", SourceUserID="dave",
SourceIP="10.0.2.42", SourcePort=51000 + i,
DestinationIP="185.220.101.7", DestinationPort=8443,
SentBytes=512, ReceivedBytes=128,
Message="beacon to C2 185.220.101.7",
DeviceEventClassID="end", LogSeverity=5,
DeviceAction="allow", DeviceProduct="PAN-OS")
# IOC match
emit("CommonSecurityLog", in_recent(500),
DeviceVendor="Palo Alto Networks", Activity="TRAFFIC",
DeviceName="pa-fw-01", SourceUserID="carol",
SourceIP="10.0.3.11", SourcePort=49888,
DestinationIP="185.220.101.7", DestinationPort=443,
SentBytes=1024, ReceivedBytes=2048,
Message="allow access to 185.220.101.7",
DeviceEventClassID="end", LogSeverity=5,
DeviceAction="allow", DeviceProduct="PAN-OS")
# Firewall logs for brute-force enrichment
for i in range(3):
emit("CommonSecurityLog", in_recent(700 + i * 60),
DeviceVendor="Palo Alto Networks", Activity="TRAFFIC",
DeviceName="pa-fw-01", SourceUserID="-",
SourceIP=ATTACKER_IP, SourcePort=44000 + i,
DestinationIP="10.0.0.10", DestinationPort=443,
SentBytes=256, ReceivedBytes=512,
Message=f"deny session from {ATTACKER_IP}",
DeviceEventClassID="deny", LogSeverity=6,
DeviceAction="deny", DeviceProduct="PAN-OS",
AdditionalExtensions=f"src={ATTACKER_IP} dst=10.0.0.10")
# ---------------------------------------------------------------------------
# ThreatIntelIndicators
# ---------------------------------------------------------------------------
emit("ThreatIntelIndicators", in_baseline(60),
Id="ti-ioc-001", ObservableKey="ipv4-addr:value",
ObservableValue="185.220.101.7",
IsActive=True,
ValidUntil=iso(NOW + timedelta(days=30)),
Confidence=85, Tags="c2,tor-exit",
AdditionalFields_TLPLevel="AMBER")
# ---------------------------------------------------------------------------
# SecurityEvent
# ---------------------------------------------------------------------------
# Baseline 4688: stable processes
for i in range(40):
proc = ["svchost.exe", "explorer.exe", "chrome.exe", "outlook.exe"][i % 4]
emit("SecurityEvent", in_baseline(i * 8),
EventID=4688, Computer="WIN-WS01",
Account="CONTOSO\\alice",
NewProcessName=f"C:\\Windows\\System32\\{proc}",
CommandLine=f"\"{proc}\"",
ParentProcessName="C:\\Windows\\explorer.exe")
# Recent NEW process
emit("SecurityEvent", in_recent(900),
EventID=4688, Computer="WIN-WS02",
Account="CONTOSO\\dave",
NewProcessName="C:\\Users\\dave\\AppData\\Local\\Temp\\mimikatz.exe",
CommandLine="mimikatz.exe sekurlsa::logonpasswords",
ParentProcessName="C:\\Windows\\System32\\cmd.exe")
# Recent normal processes
for proc in ["svchost.exe", "explorer.exe", "chrome.exe", "outlook.exe"]:
emit("SecurityEvent", in_recent(1000 + hash(proc) % 100),
EventID=4688, Computer="WIN-WS01", Account="CONTOSO\\alice",
NewProcessName=f"C:\\Windows\\System32\\{proc}",
CommandLine=f"\"{proc}\"",
ParentProcessName="C:\\Windows\\explorer.exe")
# Baseline 4624: alice logs in at "business hours" (use the actual hour
# values seen in baseline window so off-hours later fires properly)
# In our compressed model, "business hours" = hour within first 4h of
# baseline window; recent off-hours = a fixed flag we set explicitly.
for i in range(15):
emit("SecurityEvent", in_baseline(i * 20),
EventID=4624, Activity="An account was successfully logged on",
LogonTypeName="2 - Interactive", AccountType="User",
TargetUserName="CONTOSO\\alice", TargetDomainName="CONTOSO",
SubjectUserName="alice", Computer="WIN-WS01",
WorkstationName="WIN-WS01", IpAddress="10.0.0.20",
ProcessName="C:\\Windows\\System32\\winlogon.exe",
PrivilegeList="-", Status="0x0", SubStatus="0x0",
is_off_hours=False)
# Recent off-hours logon (we mark it via a dedicated boolean so neither
# engine has to know real clock semantics)
emit("SecurityEvent", in_recent(60),
EventID=4624, Activity="An account was successfully logged on",
LogonTypeName="10 - RemoteInteractive", AccountType="User",
TargetUserName="CONTOSO\\alice", TargetDomainName="CONTOSO",
SubjectUserName="alice", Computer="WIN-WS01",
WorkstationName="ATTACKER-PC", IpAddress="198.51.100.7",
ProcessName="C:\\Windows\\System32\\winlogon.exe",
PrivilegeList="SeDebugPrivilege", Status="0x0", SubStatus="0x0",
is_off_hours=True)
# ---------------------------------------------------------------------------
# OfficeActivity (SharePoint anomaly)
# ---------------------------------------------------------------------------
for i in range(3):
emit("OfficeActivity", in_baseline(60 + i * 90),
RecordType="SharePointFileOperation", Operation="FileDownloaded",
UserId="dave@contoso.com", UserType="Regular",
Site_Url="https://contoso.sharepoint.com/sites/finance",
ClientIP="10.0.0.30", UserAgent="OneDrive/22.0",
OfficeObjectId="https://contoso.sharepoint.com/sites/finance/report.xlsx",
OfficeWorkload="SharePoint")
for i in range(200):
emit("OfficeActivity", in_recent(300 + i * 2),
RecordType="SharePointFileOperation", Operation="FileDownloaded",
UserId="dave@contoso.com", UserType="Regular",
Site_Url="https://contoso.sharepoint.com/sites/finance",
ClientIP="10.0.0.30", UserAgent="python-requests/2.31",
OfficeObjectId=f"https://contoso.sharepoint.com/sites/finance/secret-{i}.xlsx",
OfficeWorkload="SharePoint")
# ---------------------------------------------------------------------------
# DeviceFileEvents
# ---------------------------------------------------------------------------
for fn in ["Q4-Confidential.docx", "MergerPlan.pdf", "RestrictedSalary.xlsx"]:
for action in ["FileAccessed", "FileCopied", "FileMoved"]:
emit("DeviceFileEvents", in_recent(800),
FileName=fn, FolderPath=f"C:\\Confidential\\{fn}",
ActionType=action,
InitiatingProcessAccountName="CONTOSO\\dave",
DeviceName="WIN-WS02")
OUT.write_text("\n".join(json.dumps(e, default=str) for e in events) + "\n")
print(f"NOW = {NOW.isoformat()}")
print(f"BASELINE = {BASELINE_START.isoformat()} .. {BASELINE_END.isoformat()}")
print(f"RECENT = {RECENT_START.isoformat()} .. {NOW.isoformat()}")
print(f"Wrote {len(events)} events -> {OUT}")
print(f"Wrote anchor -> {ANCHOR}")
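Review bot: The offset `1000 + hash(proc) % 100` in the "Recent normal processes" loop is not reproducible, because Python salts `hash()` of a str per process unless PYTHONHASHSEED is pinned. These four SecurityEvent timestamps therefore shift between runs even relative to NOW, which contradicts the docstring's "deterministic sample events". `random.seed(20260531)` does not help, since nothing in the visible file draws from `random`. Deriving the offset from the loop position keeps the fixture stable: `for n, proc in enumerate(["svchost.exe", "explorer.exe", "chrome.exe", "outlook.exe"]):` with `in_recent(1000 + n * 25)`. Separately, the IOC address 185.220.101.7 and the baseline destination 142.250.74.110 are publicly routable, unlike the RFC 5737 ranges used for the other actors; since these events are sent to SDL, a documentation range such as 192.0.2.0/24 would keep the synthetic indicator from being read as real threat intelligence.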
+1
@@ -0,0 +1 @@
run-runnable-43835d3315
+5
@@ -0,0 +1,5 @@
{
"now": "2026-05-31T20:10:05+00:00",
"recent_start": "2026-05-31T18:10:05+00:00",
"baseline_start": "2026-05-31T12:10:05+00:00"
}