{
  searches: [
    {
      title: "marc - Impossible traveller 2",
      url: "/events/pq?_scopeId=2387775029058663326&_scopeLevel=site&_categoryId=eventSearch&startTime=4+hours&endTime=NOW&filter=%7C+sql+join+baseline+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%7C+columns+actor.user.email_addr%2C+device.ip%2C+geo_ip_state%28device.ip%29%0A%7C+group+login_freq_by_state%3Dcount%28%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2Cstate%3Dgeo_ip_state%28device.ip%29%0A%7C+columns+email_addr%2Cstate%2Clogin_freq_by_state%0A%2F%2Fthe+sort+below+is+necessary+because+it+ensure+that+the+order+of+rows+is+preserved+when+using+array_ag++%0A%7C+sort+%2Bemail_addr%2C-login_freq_by_state%0A%7C+group+baseline_login_freq_by_state%3Dmax%28login_freq_by_state%29%2C+states%3Darray_agg%28state%29+by+email_addr%0A%7C+columns+email_addr%2Cstate%3Darray_get%28states%2C0%29%2Cbaseline_login_freq_by_state%0A%29%2C%0Alogons+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%2F%2F%7C+columns+actor.user.email_addr%2C+unmapped.UserId%2C+event.type%2C+device.ip%2C+geo_ip_state%28device.ip%29%0A%7C+group+deviation_login_count%3Dcount%28event.type%29%2Cdeviation_ip_addresses%3Darray_agg_distinct%28device.ip%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2C+deviation_country%3Dgeo_ip_country%28device.ip%29%2C+state%3Dgeo_ip_state%28device.ip%29%0A%29+on+baseline.email_addr%3D%3Dlogons.email_addr%0A%7Cfilter+baseline.state%21%3Dlogons.state%0A%7C+columns+email_addr%2Cbaseline.state%2C+baseline_login_freq_by_state%2Cdeviation_login_source%3Dformat%28%22%25s+%28%25s%29%22%2Clogons.state%2Cdeviation_country%29%2Cdeviation_login_count%2C+deviation_ip_addresses"
    },
    {
      title: "marc - Impossible traveller IP tets",
      url: "/events/pq?_scopeId=2387775029058663326&_scopeLevel=site&_categoryId=eventSearch&startTime=72+hours&endTime=NOW&filter=%7C+sql+join+baseline+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%7C+columns+actor.user.email_addr%2C+device.ip%0A%7C+group+login_freq_by_ip%3Dcount%28%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2Cdevice.ip%0A%7C+columns+email_addr%2Cdevice.ip%2Clogin_freq_by_ip%0A%2F%2Fthe+sort+below+is+necessary+because+it+ensure+that+the+order+of+rows+is+preserved+when+using+array_ag++%0A%7C+sort+%2Bemail_addr%2C-login_freq_by_ip%0A%7C+group+baseline_login_freq_by_ip%3Dmax%28login_freq_by_ip%29%2C+ips%3Darray_agg%28device.ip%29+by+email_addr%0A%7C+columns+email_addr%2Cip%3Darray_get%28ips%2C0%29%2Cbaseline_login_freq_by_ip%0A%29%2C%0Alogons+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%2F%2F%7C+columns+actor.user.email_addr%2C+unmapped.UserId%2C+event.type%2C+device.ip%0A%7C+group+deviation_login_count%3Dcount%28event.type%29%2Cdeviation_ip_addresses%3Darray_agg_distinct%28device.ip%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2C+deviation_ip%3Ddevice.ip%29+on+baseline.email_addr%3D%3Dlogons.email_addr%0A"
    }
  ]
}