diff --git a/.gitignore b/.gitignore index 974e1ac..ef704ef 100644 --- a/.gitignore +++ b/.gitignore @@ -6,5 +6,8 @@ node_modules/ .next/ frontend/out/ pgdata/ -parsers/*.json data/ + +# Parsers ARE committed in this fork (snapshot of the demo tenant). +# .env still excluded for safety. +tools/stormshield-verify/config.json diff --git a/CHANGES.md b/CHANGES.md new file mode 100644 index 0000000..869cfb2 --- /dev/null +++ b/CHANGES.md @@ -0,0 +1,104 @@ +# Changes vs upstream `mickbrowns1/SIEM-Toolkit` + +All edits are confined to a handful of files; everything else is untouched. + +## `backend/services/s1_client.py` + +### PowerQuery client +- All raised exceptions now include the request body / status / query so the + UI never shows a blank `"PowerQuery error: "`. +- Non-JSON responses (HTML 5xx gateway pages) surface as a readable error + string instead of crashing on `resp.json()`. + +### Detection library: site-scope fallback (`get_platform_rules`) +- Upstream hardcoded **account scope** which 403s with site-scoped API + tokens. Added `get_scope_for_platform_rules()` that probes `/accounts` + first, then `/sites`, returning whichever scope the token can access. +- `get_account_id()` now also reads `accountId` from the `/sites` payload as + a fallback for site-scoped tokens. + +### SDL parser sync helpers +- `list_sdl_parsers()` — rewritten to use the real **SDL Configuration File + API** (`POST /api/listFiles` with `pathPrefix=/logParsers/`). Previously + it hit a 404 path on the mgmt console. +- `get_sdl_parser()` — rewritten to `POST /api/getFile` with `{path}`. +- New `_sdl_config_headers()` helper that uses `SDL_CONFIG_READ_KEY` (a + separate scope from `SDL_LOG_READ_KEY`). + +## `backend/routers/ingest.py` + +- `/api/ingest/simulate-filter`: + * Rebuilt the query into valid SDL syntax — was generating + `| group events=count()` (dangling pipe) for empty bodies; now uses a + proper base expression and falls back to `dataSource.name!=''` baseline. + * Field name corrected from `src.name` → `dataSource.name`. + * Surfaces both `result["error"]` and exception text so blank + `"PowerQuery error: "` messages are gone. + +## `backend/routers/quality.py` + +- `GET /api/quality/parsers`: lists actual parser filenames in + `/app/parsers/` (drives the Test Runner dropdown). +- **New `POST /api/quality/sync-from-sdl`**: downloads every parser file + under `/logParsers/` on the SDL tenant into `/app/parsers/`. After this + call returns, the Parser Test Runner dropdown automatically reflects all + tenant parsers (including custom OCSF parsers like + `Avelios-Medical-OCSF`). Requires `SDL_CONFIG_READ_KEY` in `.env`. +- `_flatten_event`: when a PowerQuery row only carries a JSON-stringified + payload in `message` (i.e. the parser isn't applied at query time), parse + and flatten that JSON inline so the Field Population tool can measure real + coverage. +- `POST /api/quality/test-parser`: + * Detects SDL JSON-mode parsers (`$=json{parse=json}$`) and parses log + lines as JSON. + * Applies parser `rewrites: [{input,output,match,replace}]` blocks with + correct `$0/$N` backreference translation (`$0` was being mangled to a + null byte). + * Accepts single JSON object, JSON array, or NDJSON multi-line input. + * Returns mode badge data + per-payload counters for the UI. + +## `frontend/index.html` + +- Parser Test Runner dropdown now loads from `/api/quality/parsers` instead + of filtering the coverage map (which only has `detected in data` + placeholders). +- Field Population and Sample Events: added **Last 7d** lookback option. +- Parser Test Runner UI: mode badge (`JSON auto-extract` vs `regex format`), + payload counter for multi-line input, separate tables for extracted vs + derived/rewritten fields. + +## `docker-compose.yml` + +- Pass `SDL_CONFIG_READ_KEY` through to the backend container. + +## `.env.example` / `.gitignore` + +- Document the new `SDL_CONFIG_READ_KEY` variable. +- Broaden `.gitignore` so `parsers/*` (tenant-specific synced content) is + not committed. + +## New helper scripts (`tools/`) + +- `sync_sdl_parsers.py` — pull all `/logParsers/*` from the tenant. +- `probe_pq_syntax.py` — probe which PowerQuery syntaxes the tenant accepts. +- `probe_avelios{,_wide,_fields}.py` — inspect a source's event presence, + columns, and embedded JSON fields. +- `test_avelios_parser.py`, `test_avelios_multi.py` — smoke-test the patched + `/api/quality/test-parser` endpoint with single-line and multi-line input. +- `probe_simulate_filter.py` — smoke-test the patched + `/api/ingest/simulate-filter` endpoint with progressively larger windows. +- `probe_sync_from_sdl.py` — call `/api/quality/sync-from-sdl` and verify + that `/api/quality/parsers` then reflects the downloaded parsers. +- `sdl_config.example.json` — template config (the toolkit's `.env` is + separate from the SDL config used by these helper scripts). + +## New `.env` knobs + +```bash +# PowerQuery transport tuning (both optional; defaults work for most tenants) +SDL_PQ_TIMEOUT=600 # PowerQuery read timeout in seconds (default 600) +SDL_PQ_TIMEOUT_RETRIES=1 # extra retries on ReadTimeout (default 1) + +# Required for /api/quality/sync-from-sdl +SDL_CONFIG_READ_KEY=... # Data Lake API key with Configuration Read scope +``` diff --git a/PATCHES.md b/PATCHES.md new file mode 100644 index 0000000..31d3d15 --- /dev/null +++ b/PATCHES.md @@ -0,0 +1,168 @@ +# SIEM-Toolkit Patches & Helper Scripts + +A drop-in patch set that fixes several issues in the upstream +[`mickbrowns1/SIEM-Toolkit`](https://github.com/mickbrowns1/SIEM-Toolkit) and +adds helper scripts for syncing parsers from a SentinelOne SDL tenant and +probing PowerQuery / event data. + +## What's fixed in the upstream code + +| File | Fix | +|---|---| +| `backend/routers/ingest.py` | **Filter Simulator** PowerQuery rewritten — replaced legacy `count() as events` and `src.name` field with valid SDL `\| filter dataSource.name=='X' \| group events=count()` | +| `backend/routers/quality.py` | New `GET /api/quality/parsers` endpoint lists actual parser files; `_flatten_event` now JSON-parses nested `message` payloads so the **Field Population** tool reports real coverage (was always 0% for sources where the parser isn't applied at query time) | +| `backend/routers/quality.py` (Parser Test Runner) | Detects SDL JSON auto-extract format `$=json{parse=json}$` and parses log lines as JSON; applies parser `rewrites` (`input/output/match/replace` blocks) with correct `$0`/`$N` backreference handling; accepts **single JSON / JSON array / NDJSON** input | +| `frontend/index.html` | Parser dropdown now loads from `/api/quality/parsers` (was filtering `coverage/map` which only has `detected in data` placeholders); added **Last 7d** lookback to both Field Population and Sample Events; Test Runner UI now shows mode badge (`JSON auto-extract` vs `regex format`), payload count for multi-line input, and separate tables for extracted vs derived/rewritten fields | + +## What's NOT fixed in the upstream code (configuration) + +The repo's `docker-compose.yml` interpolates `S1_BASE_URL` etc. from +`.env` at compose-up time. **A `docker compose restart` does NOT pick up +`.env` changes** — always use `docker compose up -d --force-recreate backend`. + +`S1_BASE_URL` must be the **per-tenant management console subdomain** (e.g. +`usea1-XXXX.sentinelone.net`), not the regional SDL/XDR endpoint. If you +only know the XDR URL, you can probe candidates with curl: + +```bash +TOKEN=$(jq -r .api_token < ~/.../mgmt-config.json) +for H in usea1-yourtenant usea1-purple usea1-partners; do + printf "%-45s %s\\n" "$H" \\ + "$(curl -s -o /dev/null -w '%{http_code}' \\ + \"https://$H.sentinelone.net/web/api/v2.1/cloud-detection/rules?limit=1\" \\ + -H \"Authorization: ApiToken $TOKEN\")" +done +# 200 = correct host +``` + +## Contents + +``` +. +├── README.md (this file) +├── env.example template for the toolkit's .env +├── sdl_config.example.json template for helper scripts' SDL config +├── patched-files/ +│ ├── backend/routers/ +│ │ ├── ingest.py <- copy over upstream +│ │ └── quality.py <- copy over upstream +│ └── frontend/ +│ └── index.html <- copy over upstream +└── scripts/ + ├── sync_sdl_parsers.py pull all /logParsers/* from the tenant into ./parsers/ + ├── probe_pq_syntax.py test what PowerQuery dialect the tenant accepts + ├── probe_avelios.py sample probe: find a source's events + columns + ├── probe_avelios_wide.py same, sweeping 1d/3d/7d + ├── probe_avelios_fields.py parse JSON `message` payloads & count fields + ├── test_avelios_parser.py hit /api/quality/test-parser with one JSON line + └── test_avelios_multi.py same, with multi-line NDJSON +``` + +## Applying the patches + +1. Clone the upstream repo: + ```bash + git clone https://github.com/mickbrowns1/SIEM-Toolkit.git + cd SIEM-Toolkit + ``` +2. Overlay the patched files: + ```bash + PATCH=/path/to/this/dir + cp "$PATCH"/patched-files/backend/routers/quality.py backend/routers/quality.py + cp "$PATCH"/patched-files/backend/routers/ingest.py backend/routers/ingest.py + cp "$PATCH"/patched-files/frontend/index.html frontend/index.html + ``` +3. Configure: + ```bash + cp "$PATCH"/env.example .env + $EDITOR .env # fill in your real values + ``` +4. Start the stack: + ```bash + docker compose up -d --build + open http://localhost:3001 + ``` + +## Helper-script setup + +The helper scripts read a small JSON config (separate from the toolkit's `.env`) +containing your SDL log-read / config-read keys: + +```bash +cp sdl_config.example.json scripts/sdl_config.json +$EDITOR scripts/sdl_config.json +# or set the env var +export SDL_CONFIG=/somewhere/sdl_config.json +``` + +## Helper-script usage + +### Sync parsers from the SDL tenant into the toolkit's `parsers/` dir + +```bash +PARSERS_DIR=/path/to/SIEM-Toolkit/parsers \\ + python3 scripts/sync_sdl_parsers.py +``` + +By default `PARSERS_DIR` defaults to `../parsers` relative to the script. + +### Probe PowerQuery syntax compatibility on your tenant + +```bash +python3 scripts/probe_pq_syntax.py +``` + +Output tells you which command shapes (`| group ...`, `filter ...`, `count() as`, etc.) +work on the active deployment. + +### Inspect what a given source's events actually look like + +```bash +python3 scripts/probe_avelios.py # finds a source's name + 1-line sample +python3 scripts/probe_avelios_wide.py # sweeps 1d/3d/7d top sources +python3 scripts/probe_avelios_fields.py # if `message` is JSON, flatten & count fields +``` + +The scripts are named `*_avelios` for the original use case but work for **any +source** — open the file and change the `dataSource.name` filter. + +### Smoke-test the patched Parser Test Runner endpoint + +```bash +python3 scripts/test_avelios_parser.py # single-line JSON +python3 scripts/test_avelios_multi.py # multi-line NDJSON +``` + +These hit `http://localhost:8001/api/quality/test-parser` directly so you can +verify the backend without using the UI. + +## Common pitfalls + +- **Parser dropdown is empty** → run `sync_sdl_parsers.py`. The upstream "Load + SDL Parsers" button only indexes whatever already exists in `parsers/`. +- **Field Population shows 0% everywhere** → the source's parser isn't being + applied at query time, so PowerQuery returns just `timestamp`+`message`. + This patch's `_flatten_event` parses JSON inside `message`. Also try widening + the window (the new **Last 7d** option) — some sources are low-volume. +- **PowerQuery 400 "Unknown command [count]"** → fixed in `ingest.py`. If you + hit it elsewhere, the rule is: SDL PowerQuery requires `\| group events=count()`, + never `\| count() as events`, and `count()` must be inside a `group`. +- **STAR rules → 302 to /404** → `S1_BASE_URL` is pointed at the SDL/XDR URL + instead of the management-console subdomain. + +## Verification + +After applying patches and recreating containers: + +```bash +curl http://localhost:8001/health +curl http://localhost:8001/api/quality/parsers | python3 -m json.tool # count > 0 +curl 'http://localhost:8001/api/ingest/top-sources?hours=24' # real numbers +curl -X POST http://localhost:8001/api/coverage/load-star-rules # not 502 +``` + +In the UI: +- **Coverage Map**: shows `parsers_loaded` and `rules_loaded` > 0 +- **Ingest → Filter Simulator**: returns matched events + projected GB/month +- **Parser Quality → Parser Test Runner**: dropdown lists all parsers +- **Parser Quality → Field Population**: real coverage rates (not all 0%) diff --git a/backend/routers/ingest.py b/backend/routers/ingest.py index 146e5f3..a665731 100644 --- a/backend/routers/ingest.py +++ b/backend/routers/ingest.py @@ -90,28 +90,21 @@ async def simulate_filter(rule: FilterRule): """Estimate how many events and GB would be eliminated by an exclusion filter.""" from_dt, to_dt = _date_range(rule.days) - # Build Scalyr filter expression clauses (uses = not ==, SDL syntax) clauses = [] if rule.source: - clauses.append(f"dataSource.name = '{rule.source}'") + clauses.append(f"dataSource.name=='{rule.source}'") if rule.event_type: - clauses.append(f"event.type = '{rule.event_type}'") + clauses.append(f"event.type=='{rule.event_type}'") if clauses: - filter_expr = " ".join(clauses) - query = f"{filter_expr} | group events=count()" + filter_expr = " and ".join(clauses) + query = f"| filter {filter_expr} | group events=count()" else: - query = "dataSource.name != '' | group events=count()" + query = "| group events=count()" try: result = await s1_client.run_powerquery(query, from_dt, to_dt) - err = result.get("error") if isinstance(result, dict) else None - if err: - raise HTTPException(502, f"PowerQuery error: {err}") - rows = result.get("events") or [] - events = rows[0].get("events", 0) if rows else 0 - except HTTPException: - raise + events = (result.get("events") or [{}])[0].get("events", 0) if isinstance(result.get("events"), list) else 0 except Exception as e: raise HTTPException(502, f"PowerQuery error: {e}") diff --git a/backend/routers/quality.py b/backend/routers/quality.py index 996b0d2..a7d68f5 100644 --- a/backend/routers/quality.py +++ b/backend/routers/quality.py @@ -8,13 +8,15 @@ import re router = APIRouter() +PARSERS_DIR = "/app/parsers" + + @router.get("/parsers") def list_parser_files(): """List parser filenames available under /app/parsers/ for the Test Runner.""" - parsers_dir = "/app/parsers" try: names = sorted( - e.name for e in os.scandir(parsers_dir) + e.name for e in os.scandir(PARSERS_DIR) if e.is_file() and not e.name.startswith(".") ) except FileNotFoundError: @@ -22,6 +24,54 @@ def list_parser_files(): return {"parsers": names, "count": len(names)} +@router.post("/sync-from-sdl") +async def sync_parsers_from_sdl(): + """Download every parser file under /logParsers/ on the SDL tenant into + /app/parsers/. After this call returns, the Parser Test Runner dropdown + will include all tenant parsers (including custom ones). + + Requires SDL_CONFIG_READ_KEY in .env (Configuration Read scope on the + Data Lake API key). + """ + if not s1_client.SDL_CONFIG_READ_KEY: + raise HTTPException( + 400, + "SDL_CONFIG_READ_KEY is not set in .env. Generate a Data Lake API key " + "with 'Configuration Read' scope in the S1 console and add it to .env." + ) + + try: + names = await s1_client.list_sdl_parsers() + except Exception as e: + raise HTTPException(502, f"SDL listFiles failed: {e}") + + os.makedirs(PARSERS_DIR, exist_ok=True) + downloaded: list[str] = [] + errors: list[dict] = [] + + for name in names: + # The path on SDL is /logParsers/; we write to /app/parsers/. + safe_name = name.replace("/", "_") + try: + resp = await s1_client.get_sdl_parser(name) + content = resp.get("content") + if content is None: + errors.append({"parser": name, "error": "no content field in response"}) + continue + with open(os.path.join(PARSERS_DIR, safe_name), "w", encoding="utf-8") as fh: + fh.write(content) + downloaded.append(safe_name) + except Exception as e: + errors.append({"parser": name, "error": str(e) or e.__class__.__name__}) + + return { + "downloaded": len(downloaded), + "parsers": downloaded, + "errors": errors, + "directory": PARSERS_DIR, + } + + def _date_range_hours(hours: int) -> tuple[str, str]: now = datetime.utcnow() return ( @@ -38,7 +88,6 @@ class SampleEventsRequest(BaseModel): source: str limit: int = 20 hours: int = 1 - filter_mode: str = "broad" # reserved for future use class FieldPopulationRequest(BaseModel): @@ -108,41 +157,22 @@ def _flatten_event(event: dict) -> dict: def _extract_format_strings(content: str) -> list[str]: """ Extract SDL format string values from augmented-JSON parser content. - Handles both: - - quoted keys: "format": "..." (valid JSON) - - unquoted keys: format: "..." (SDL augmented-JSON) - Skips commented-out lines (// ...). + Matches: format: "..." or "format": "..." (SDL parser files are + JS-style JSON: keys may or may not be quoted). Supports escaped quotes. """ - pattern = re.compile(r'(? tuple[re.Pattern, dict[str, str]]: """ Convert an SDL format string to a compiled Python regex. - SDL format strings may start with '.*,' to absorb a syslog header. When - used with re.search that prefix is redundant AND harmful (it forces a comma - before the first named field, which won't exist when the log starts with - the field directly). We strip the leading '.*,' so re.search can anchor - to the first real field at any position in the line. + Returns (compiled_pattern, py_group_to_sdl_field) mapping so callers can + translate group names back to the original SDL field names. - Internal '.*' wildcards (field separators for skipped fields) are kept as - non-greedy '.*?' so they don't consume adjacent named-field values. - - Returns (compiled_pattern, py_group_to_sdl_field). Raises re.error if the resulting pattern cannot be compiled. """ - # Strip leading/trailing .* wildcards — re.search handles positioning - fmt = re.sub(r'^(\.\*,?)+', '', fmt) - fmt = re.sub(r'(,?\.\*)+$', '', fmt) - # Split on $...$ tokens token_pattern = re.compile(r'\$([^$]+)\$') parts = token_pattern.split(fmt) @@ -152,25 +182,19 @@ def _sdl_format_to_regex(fmt: str) -> tuple[re.Pattern, dict[str, str]]: py_group_to_sdl: dict[str, str] = {} seen_groups: dict[str, int] = {} - def _escape_literal(s: str) -> str: - """Escape literal text but keep internal .* as non-greedy wildcards.""" - segments = re.split(r'(\.\*)', s) - return ''.join(r'.*?' if seg == '.*' else re.escape(seg) for seg in segments) - for i, part in enumerate(parts): if i % 2 == 0: - # Literal text (possibly containing .* wildcards) - regex_parts.append(_escape_literal(part)) + # Literal text + regex_parts.append(re.escape(part)) else: # Token: either "field.name=PATTERN" or just "field.name" if '=' in part: field_name, pattern = part.split('=', 1) else: field_name = part - # Default: match any non-comma chars (SDL CSV fields) - pattern = r'[^,]*' + pattern = r'[^\s]+' - # Build a valid Python named-group identifier + # Build a valid Python group name safe = re.sub(r'[.\-]', '_', field_name) if safe in seen_groups: seen_groups[safe] += 1 @@ -181,53 +205,95 @@ def _sdl_format_to_regex(fmt: str) -> tuple[re.Pattern, dict[str, str]]: py_group_to_sdl[safe] = field_name regex_parts.append(f'(?P<{safe}>{pattern})') - compiled = re.compile(''.join(regex_parts), re.IGNORECASE | re.DOTALL) + compiled = re.compile(''.join(regex_parts), re.IGNORECASE) return compiled, py_group_to_sdl +# --------------------------------------------------------------------------- +# SDL parser helpers: pattern refs, key=value scanner, rewrites +# --------------------------------------------------------------------------- + +def _extract_patterns_block(content: str) -> dict[str, str]: + """Extract the top-level `patterns: { name: "regex", ... }` block.""" + m = re.search(r'patterns\s*:\s*\{', content) + if not m: + return {} + depth, i = 1, m.end() + while i < len(content) and depth > 0: + c = content[i] + if c == '{': + depth += 1 + elif c == '}': + depth -= 1 + i += 1 + block = content[m.end():i - 1] + return dict(re.findall(r'([A-Za-z_]\w*)\s*:\s*"((?:[^"\\]|\\.)*)"', block)) + + +def _resolve_pattern_refs(fmt: str, patterns: dict[str, str]) -> str: + """Replace $var=PatternName$ with $var=$ when PatternName is defined.""" + if not patterns: + return fmt + + def sub(m: re.Match) -> str: + token = m.group(1) + if '=' in token: + name, pat = token.split('=', 1) + if pat in patterns: + return f"${name}={patterns[pat]}$" + return m.group(0) + return re.sub(r'\$([^$]+)\$', sub, fmt) + + +_KV_TOKEN_RE = re.compile(r'\$_\$=\$([^$]+)\._\$') +_KV_SCAN_RE = re.compile(r'([A-Za-z_][\w.-]*)=(?:"((?:[^"\\]|\\.)*)"|([^\s"]+))') + + +def _is_kv_format(fmt: str) -> bool: + """SDL key=value scanner idiom: $_$=$._$.""" + return bool(_KV_TOKEN_RE.search(fmt)) + + +def _scan_kv(line: str, fmt: str) -> dict[str, str]: + """Extract key=value pairs (supports quoted values) and prefix the keys.""" + m = _KV_TOKEN_RE.search(fmt) + prefix = m.group(1) if m else "unmapped" + out: dict[str, str] = {} + for km in _KV_SCAN_RE.finditer(line): + k = km.group(1) + v = km.group(2) if km.group(2) is not None else km.group(3) + out[f"{prefix}.{k}"] = v + return out + + +_REWRITE_RE = re.compile( + # JS-style or strict JSON: keys may or may not be quoted, in any order with + # commas between. We assume the canonical SDL ordering input/output/match/replace. + r'\{\s*(?:"input"|input)\s*:\s*"([^"]+)"\s*,' + r'\s*(?:"output"|output)\s*:\s*"([^"]+)"\s*,' + r'\s*(?:"match"|match)\s*:\s*"((?:[^"\\]|\\.)*)"\s*,' + r'\s*(?:"replace"|replace)\s*:\s*"((?:[^"\\]|\\.)*)"', + re.DOTALL, +) + + +def _extract_rewrites(content: str) -> list[dict]: + return [ + {"input": m.group(1), "output": m.group(2), + "match": m.group(3), "replace": m.group(4)} + for m in _REWRITE_RE.finditer(content) + ] + + +def _to_py_backref(s: str) -> str: + """Translate SDL $0/$N backrefs to Python \\g<0>/\\g.""" + return re.sub(r"\$(\d+)", lambda mm: f"\\g<{mm.group(1)}>", s) + + # --------------------------------------------------------------------------- # Endpoints # --------------------------------------------------------------------------- -@router.post("/sample-unlabelled") -async def sample_unlabelled(req: SampleEventsRequest): - """Return a sample of events that have no dataSource.name — these need parsers. - Also runs a count query so the caller can update the banner with the real total. - """ - import asyncio - from routers import coverage as _coverage - - filter_expr = "!(dataSource.name = *) !(source = 'scalyr')" - from_dt, to_dt = _date_range_hours(req.hours) - - sample_result, count_result = await asyncio.gather( - s1_client.run_powerquery(f"{filter_expr} | limit {req.limit}", from_dt, to_dt), - s1_client.run_powerquery(f"{filter_expr} | group events=count()", from_dt, to_dt, max_count=50_000_000), - ) - - rows = sample_result if isinstance(sample_result, list) else (sample_result.get("rows") or sample_result.get("events") or []) - - events = [_flatten_event(row) for row in rows] - non_empty_keys: set = set() - for ev in events: - for k, v in ev.items(): - if v is not None and v != "" and v != "null": - non_empty_keys.add(k) - events = [{k: v for k, v in ev.items() if k in non_empty_keys} for ev in events] - - count_rows = count_result.get("events", []) if isinstance(count_result, dict) else [] - total = count_rows[0].get("events", 0) if count_rows else 0 - _coverage._unlabelled_event_count = total - - return { - "events": events, - "count": len(events), - "total": total, - "hours": req.hours, - "columns_seen": sorted(non_empty_keys), - } - - @router.post("/sample-events") async def sample_events(req: SampleEventsRequest): """Return a sample of raw events from a given data source.""" @@ -262,39 +328,21 @@ async def field_population(req: FieldPopulationRequest): events = [_flatten_event(row) for row in rows] if not events: - return { - "source": req.source, - "total_sampled": 0, - "hours": req.hours, - "fields": [], - "fields_seen_in_sample": [], - "message": f"No events found for source '{req.source}' in the last {req.hours} hours.", - } + raise HTTPException(status_code=404, detail=f"No events found for source '{req.source}' in the last {req.hours} hours.") total = len(events) - _empty_scalars = {None, "", "null"} - - def _is_empty(val): - """Return True if the value counts as unpopulated.""" - if val is None: - return True - if isinstance(val, list): - return len(val) == 0 - if isinstance(val, dict): - return len(val) == 0 - return val in _empty_scalars + _empty = {None, "", "null"} # Collect all field names seen across the sample (useful for surfacing what IS there) all_seen_fields = sorted({k for ev in events for k in ev}) - all_seen_fields_set = set(all_seen_fields) - field_stats = [] for field in req.fields: - # Skip fields that don't appear anywhere in the sample - if field not in all_seen_fields_set: - continue - populated = sum(1 for ev in events if not _is_empty(ev.get(field))) + # dataSource.name is always 100% — we filtered by it; Scalyr just doesn't echo it back + if field == "dataSource.name": + populated = total + else: + populated = sum(1 for ev in events if ev.get(field) not in _empty) rate = round((populated / total) * 100, 1) field_stats.append({ "field": field, @@ -303,8 +351,8 @@ async def field_population(req: FieldPopulationRequest): "rate": rate, }) - # Sort descending by rate (best coverage first) - field_stats.sort(key=lambda x: x["rate"], reverse=True) + # Sort ascending by rate (worst coverage first) + field_stats.sort(key=lambda x: x["rate"]) return { "source": req.source, @@ -339,10 +387,7 @@ async def test_parser(req: TestParserRequest): # The regex-based path can't model that — handle it explicitly so users # can test JSON-shaped logs against JSON-mode parsers. log_input = req.log_line.strip() - # Only enter JSON mode if the log content actually looks like JSON. - # Don't force it based on the parser type alone — a JSON-capable parser - # should still fall through to regex matching for non-JSON inputs. - is_json_mode = log_input.startswith("{") or log_input.startswith("[") + is_json_mode = any("parse=json" in f for f in format_strings) or log_input.startswith("{") if is_json_mode: import json as _json # Support multi-line input (one JSON object per line, or a JSON array) @@ -394,24 +439,18 @@ async def test_parser(req: TestParserRequest): # Use the first payload for the detail table; report totals. payload = payloads[0] extracted = _flatten_dict(payload) - # SDL's parse=json puts all keys into unmapped.* namespace first, then - # rewrites map unmapped.X -> ocsf.field. Mirror that so rewrites fire. - unmapped_aliases = {f"unmapped.{k}": v for k, v in extracted.items()} - extracted_with_unmapped = {**extracted, **unmapped_aliases} - # Apply lightweight rewrites if present (input/output/match/replace blocks). # We only handle simple literal/regex matches with $0 or string replacements; # this is best-effort, intended for quick visual verification. rewrites_applied = [] - # Handle both quoted keys ("input":) and unquoted keys (input:) rewrite_re = re.compile( - r'\{\s*"?input"?\s*:\s*"([^"]+)"\s*,\s*"?output"?\s*:\s*"([^"]+)"\s*,\s*"?match"?\s*:\s*"((?:[^"\\]|\\.)*)"\s*,\s*"?replace"?\s*:\s*"((?:[^"\\]|\\.)*)"\s*\}', + r'\{\s*input:\s*"([^"]+)"\s*,\s*output:\s*"([^"]+)"\s*,\s*match:\s*"((?:[^"\\]|\\.)*)"\s*,\s*replace:\s*"((?:[^"\\]|\\.)*)"\s*\}', re.DOTALL, ) derived: dict[str, str] = {} for m in rewrite_re.finditer(content): in_field, out_field, match_pat, replace_val = m.group(1), m.group(2), m.group(3), m.group(4) - src_val = extracted_with_unmapped.get(in_field) + src_val = extracted.get(in_field) if src_val is None: continue try: @@ -420,10 +459,7 @@ async def test_parser(req: TestParserRequest): continue if not m2: continue - # SDL uses $0 for whole match, $1.. for groups. Translate to Python - # \g<0>, \g<1>, ... so re.sub doesn't read \0 as a null byte. - def _to_py_backref(s: str) -> str: - return re.sub(r"\$(\d+)", lambda mm: f"\\g<{mm.group(1)}>", s) + # SDL uses $0/$N backrefs; module-level _to_py_backref translates them. try: val = re.sub(match_pat, _to_py_backref(replace_val), str(src_val), count=1) except re.error: @@ -452,57 +488,82 @@ async def test_parser(req: TestParserRequest): "showing_payload": 1, } - # ── Regex format-string path ───────────────────────────────────────────── - def _try_prefix_match(compiled: re.Pattern, py_to_sdl: dict, log_line: str): - """ - Try the full pattern; if it doesn't match, progressively shorten from - the right (group by group) until we get a match. This handles logs - that don't include all the trailing optional fields the parser defines. - Returns (match, truncated) or (None, False). - """ - m = compiled.search(log_line) - if m: - return m, False - - # Shorten pattern by removing trailing named groups one at a time - p = compiled.pattern - # Find all (?P...) group end positions (right to left) - group_ends = [m2.end() for m2 in re.finditer(r'\(\?P<[^>]+>[^)]*\)', p)] - for end in reversed(group_ends[1:]): # keep at least 1 group - try: - shorter = re.compile(p[:end], re.IGNORECASE | re.DOTALL) - m2 = shorter.search(log_line) - if m2: - return m2, True - except re.error: - continue - return None, False + # ── Regex / KV / pattern-ref path ─────────────────────────────────────── + # Accumulate fields across all matching formats so that a parser like + # Stormshield (one format for the timestamp + a KV scanner for the rest + + # a third format to drive rewrites) returns a complete picture. + patterns_block = _extract_patterns_block(content) + extracted_fields: dict[str, str] = {} + formats_matched: list[str] = [] for fmt in format_strings: + resolved = _resolve_pattern_refs(fmt, patterns_block) + + # SDL key=value scanner idiom (handles `$_$=$prefix._$` w/ repeat:true) + if _is_kv_format(resolved): + kv = _scan_kv(req.log_line, resolved) + if kv: + extracted_fields.update(kv) + formats_matched.append(fmt) + continue + try: - compiled, py_to_sdl = _sdl_format_to_regex(fmt) + compiled, py_to_sdl = _sdl_format_to_regex(resolved) except re.error: continue - match, truncated = _try_prefix_match(compiled, py_to_sdl, req.log_line) + match = compiled.search(req.log_line) if match: - fields = [ - {"field": py_to_sdl.get(group, group), "value": value} - for group, value in match.groupdict().items() - if value is not None and value != "" - ] - return { - "parser_name": req.parser_name, - "matched": True, - "mode": "regex", - "format_matched": fmt[:120] + ("…" if len(fmt) > 120 else ""), - "fields": fields, - "note": "Partial match — log has fewer fields than the full parser format" if truncated else None, - } + for group, value in match.groupdict().items(): + if value is None: + continue + extracted_fields[py_to_sdl.get(group, group)] = value + formats_matched.append(fmt) + if not extracted_fields: + return { + "parser_name": req.parser_name, + "matched": False, + "message": ( + "No format pattern matched. This parser may use SDL features " + "the test runner doesn't model (e.g. dottedJson, grok, multi-line). " + "Fields can still be parsed correctly at ingest time." + ), + "fields": [], + } + + # Apply rewrites declared anywhere in the parser file. + derived: dict[str, str] = {} + rewrites_applied = [] + for rw in _extract_rewrites(content): + src_val = extracted_fields.get(rw["input"]) + if src_val is None: + continue + try: + if not re.search(rw["match"], str(src_val)): + continue + val = re.sub(rw["match"], _to_py_backref(rw["replace"]), str(src_val), count=1) + except re.error: + continue + derived[rw["output"]] = val + rewrites_applied.append({ + "input": rw["input"], "input_value": src_val, + "output": rw["output"], "matched_on": rw["match"], "result": val, + }) + + fields = ( + [{"field": k, "value": v, "source": "extract"} + for k, v in sorted(extracted_fields.items())] + + [{"field": k, "value": v, "source": "rewrite"} + for k, v in sorted(derived.items())] + ) return { "parser_name": req.parser_name, - "matched": False, - "message": "No format pattern matched. Check that the log includes the log-type keyword (e.g. TRAFFIC, THREAT) and enough comma-separated fields.", - "fields": [], + "matched": True, + "mode": "regex", + "format_matched": " + ".join(formats_matched) or "(none)", + "fields": fields, + "rewrites_applied": rewrites_applied, + "extracted_count": len(extracted_fields), + "derived_count": len(derived), } diff --git a/parsers/Avelios-Medical-OCSF b/parsers/Avelios-Medical-OCSF new file mode 100644 index 0000000..b11d684 --- /dev/null +++ b/parsers/Avelios-Medical-OCSF @@ -0,0 +1,77 @@ +{ + // Avelios Medical OCSF Parser - OCSF v1.3.0 + // Hospital Information System (HIS) - BSI / NIS2 compliance events + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Avelios", + "metadata.product.name": "Avelios Medical HIS", + "metadata.log_provider": "hec", + "Category": "healthcare", + "dataSource.vendor": "Avelios", + "dataSource.name": "Avelios Medical", + "dataSource.category": "Healthcare" + }, + + formats: [ + { + // Auto-extract every JSON top-level field as an attribute + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // ─── OCSF classification by event_category ────────────────────── + { input: "event_category", output: "category_uid", match: "authentication", replace: "3" }, + { input: "event_category", output: "category_name", match: "authentication", replace: "Identity & Access Management" }, + { input: "event_category", output: "class_uid", match: "authentication", replace: "3002" }, + { input: "event_category", output: "class_name", match: "authentication", replace: "Authentication" }, + + { input: "event_category", output: "category_uid", match: "patient_access", replace: "6" }, + { input: "event_category", output: "category_name", match: "patient_access", replace: "Application Activity" }, + { input: "event_category", output: "class_uid", match: "patient_access", replace: "6001" }, + { input: "event_category", output: "class_name", match: "patient_access", replace: "Web Resources Activity" }, + + { input: "event_category", output: "category_uid", match: "administrative", replace: "6" }, + { input: "event_category", output: "category_name", match: "administrative", replace: "Application Activity" }, + { input: "event_category", output: "class_uid", match: "administrative", replace: "6001" }, + { input: "event_category", output: "class_name", match: "administrative", replace: "Web Resources Activity" }, + + { input: "event_category", output: "category_uid", match: "data_transfer", replace: "4" }, + { input: "event_category", output: "category_name", match: "data_transfer", replace: "Network Activity" }, + { input: "event_category", output: "class_uid", match: "data_transfer", replace: "4001" }, + { input: "event_category", output: "class_name", match: "data_transfer", replace: "Network Activity" }, + + { input: "event_category", output: "category_uid", match: "security", replace: "2" }, + { input: "event_category", output: "category_name", match: "security", replace: "Findings" }, + { input: "event_category", output: "class_uid", match: "security", replace: "2001" }, + { input: "event_category", output: "class_name", match: "security", replace: "Security Finding" }, + + { input: "event_category", output: "category_uid", match: "system", replace: "6" }, + { input: "event_category", output: "category_name", match: "system", replace: "Application Activity" }, + { input: "event_category", output: "class_uid", match: "system", replace: "6007" }, + { input: "event_category", output: "class_name", match: "system", replace: "Application Lifecycle" }, + + // ─── Severity mapping (string + OCSF int 0-6) ─────────────────── + { input: "severity", output: "severity_id", match: "(?i)critical", replace: "6" }, + { input: "severity", output: "severity_id", match: "(?i)high", replace: "5" }, + { input: "severity", output: "severity_id", match: "(?i)medium", replace: "4" }, + { input: "severity", output: "severity_id", match: "(?i)low", replace: "2" }, + { input: "severity", output: "severity_id", match: "(?i)info", replace: "1" }, + { input: "severity", output: "severity_str", match: ".*", replace: "$0" }, + + // ─── Status mapping ───────────────────────────────────────────── + { input: "outcome", output: "status_id", match: "success", replace: "1" }, + { input: "outcome", output: "status_id", match: "failure", replace: "2" }, + { input: "outcome", output: "status_id", match: "detected", replace: "2" }, + { input: "outcome", output: "status", match: ".*", replace: "$0" }, + + // ─── Activity / message ───────────────────────────────────────── + { input: "event_type", output: "activity_name", match: ".*", replace: "$0" }, + { input: "event_type", output: "finding_info.title", match: ".*", replace: "$0" }, + { input: "event_id", output: "finding_info.uid", match: ".*", replace: "$0" }, + { input: "timestamp", output: "finding_info.created_time_dt", match: ".*", replace: "$0" }, + + // ─── Compliance tags (BSI / NIS2 / GDPR) ──────────────────────── + { input: "event_category", output: "compliance.standard", match: ".*", replace: "BSI-Grundschutz,NIS2,GDPR" } + ] + } + ] +} diff --git a/parsers/CheckPoint-OCSF b/parsers/CheckPoint-OCSF new file mode 100644 index 0000000..0322516 --- /dev/null +++ b/parsers/CheckPoint-OCSF @@ -0,0 +1,277 @@ +{ + // Check Point pipe-delimited parser — OCSF v1.3.0 (v3: Gateway + Mgmt) + // + // Discrimination is done via the `format:` string (Scalyr ignores `match:`). + // Rules are ordered most-specific → most-generic with halt:true. + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Check Point", + "metadata.product.name": "Quantum Security", + "metadata.log_provider": "syslog", + "Category": "security", + "dataSource.vendor": "Check Point", + "dataSource.name": "Check Point" + }, + + patterns: { + word: "[^|]+", + num: "\\d+", + ip: "\\d+\\.\\d+\\.\\d+\\.\\d+" + }, + + formats: [ + + // 1. MGMT — SmartCenter Server + { + id: "cp_mgmt_smartcenter", + attributes: { + "dataSource.category": "management", + category_uid: 6, category_name: "Application Activity", + class_uid: 6003, class_name: "API Activity", + activity_id: 3, activity_name: "Update", + type_uid: 600303, + severity_id: 2, severity: "Low", + status_id: 1, status: "Success" + }, + format: ".*[|]product=SmartCenter Server.*", + halt: true, + rewrites: [ + { input: "message", output: "user_name", match: ".*[|]administrator=([^|]*).*", replace: "$1" }, + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "device_host", match: ".*[|]origin=([^|]+).*", replace: "$1" }, + { input: "message", output: "object_name", match: ".*[|]objectname=([^|]+).*", replace: "$1" }, + { input: "message", output: "object_type", match: ".*[|]objecttype=([^|]+).*", replace: "$1" }, + { input: "message", output: "client_name", match: ".*[|]client_name=([^|]+).*", replace: "$1" }, + { input: "message", output: "operation", match: ".*[|]operation=([^|]+).*", replace: "$1" }, + { input: "operation", output: "finding_title", match: "(.*)", replace: "Check Point Management Audit: $1" } + ] + }, + + // 2. MGMT — Multi-Domain Server + { + id: "cp_mgmt_mds", + attributes: { + "dataSource.category": "management", + category_uid: 6, category_name: "Application Activity", + class_uid: 6003, class_name: "API Activity", + activity_id: 1, activity_name: "Create", + type_uid: 600301, + severity_id: 2, severity: "Low", + status_id: 1, status: "Success" + }, + format: ".*[|]product=Multi-Domain Server.*", + halt: true, + rewrites: [ + { input: "message", output: "user_name", match: ".*[|]administrator=([^|]*).*", replace: "$1" }, + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "device_host", match: ".*[|]origin=([^|]+).*", replace: "$1" }, + { input: "message", output: "operation", match: ".*[|]operation=([^|]+).*", replace: "$1" }, + { input: "operation", output: "finding_title", match: "(.*)", replace: "Check Point Management Audit: $1" } + ] + }, + + // 3. MGMT — Endpoint Security Mgmt + { + id: "cp_mgmt_endpoint", + attributes: { + "dataSource.category": "management", + category_uid: 6, category_name: "Application Activity", + class_uid: 6003, class_name: "API Activity", + activity_id: 3, activity_name: "Update", + type_uid: 600303, + severity_id: 2, severity: "Low", + status_id: 1, status: "Success" + }, + format: ".*[|]product=Endpoint Security Management.*", + halt: true, + rewrites: [ + { input: "message", output: "user_name", match: ".*[|]administrator=([^|]*).*", replace: "$1" }, + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "device_host", match: ".*[|]origin=([^|]+).*", replace: "$1" }, + { input: "message", output: "object_name", match: ".*[|]objectname=([^|]+).*", replace: "$1" }, + { input: "message", output: "operation", match: ".*[|]operation=([^|]+).*", replace: "$1" }, + { input: "operation", output: "finding_title", match: "(.*)", replace: "Check Point Management Audit: $1" } + ] + }, + + // 4. IPS — discriminator: protection_type=ips + { + id: "cp_ips", + attributes: { + "dataSource.category": "ids", + category_uid: 2, category_name: "Findings", + class_uid: 2004, class_name: "Detection Finding", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + severity_id: 4, severity: "High", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*[|]protection_type=ips.*", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" }, + { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" }, + { input: "message", output: "attack", match: ".*[|]attack=([^|]+).*", replace: "$1" }, + { input: "message", output: "protection", match: ".*[|]protection_name=([^|]+).*", replace: "$1" }, + { input: "message", output: "cp_severity", match: ".*[|]severity=([^|]+).*", replace: "$1" }, + { input: "cp_severity", output: "severity", match: "(?si)^\\s*critical\\s*$", replace: "Critical" }, + { input: "cp_severity", output: "severity_id", match: "(?si)^\\s*critical\\s*$", replace: "5" }, + { input: "attack", output: "finding_title", match: "(?i).*", replace: "Check Point IPS: $0" } + ] + }, + + // 5. ANTI-BOT / AV / TE — discriminator: malware_family=… + { + id: "cp_antibot_av", + attributes: { + "dataSource.category": "antivirus", + category_uid: 2, category_name: "Findings", + class_uid: 2004, class_name: "Detection Finding", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*[|]malware_family=$malware_family=word$.*", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "malware_name", match: ".*[|]malware_name=([^|]+).*", replace: "$1" }, + { input: "message", output: "malware_action", match: ".*[|]malware_action=([^|]+).*", replace: "$1" }, + { input: "message", output: "ioc_url", match: ".*[|]resource=([^|]+).*", replace: "$1" }, + { input: "message", output: "cp_action", match: ".*[|]action=([^|]+).*", replace: "$1" }, + { input: "cp_action", output: "disposition", match: "(?i)^detect$", replace: "Allowed" }, + { input: "cp_action", output: "disposition_id", match: "(?i)^detect$", replace: "1" }, + { input: "malware_name", output: "finding_title", match: "(?i).*", replace: "Check Point Malware: $0" } + ] + }, + + // 6. APP CTRL / URL FILTERING — discriminator: app_name=… + { + id: "cp_app_control", + attributes: { + "dataSource.category": "application", + category_uid: 4, category_name: "Network Activity", + class_uid: 4002, class_name: "HTTP Activity", + activity_id: 1, activity_name: "Connection", + type_uid: 400201, + severity_id: 2, severity: "Low", + disposition_id: 1, disposition: "Allowed" + }, + format: ".*[|]app_name=$app_name=word$.*", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" }, + { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" }, + { input: "message", output: "app_category", match: ".*[|]app_category=([^|]+).*", replace: "$1" }, + { input: "message", output: "app_risk", match: ".*[|]app_risk=([^|]+).*", replace: "$1" }, + { input: "message", output: "user_name", match: ".*[|]user=([^|]+).*", replace: "$1" }, + { input: "message", output: "url", match: ".*[|]resource=([^|]+).*", replace: "$1" }, + { input: "message", output: "cp_action", match: ".*[|]action=([^|]+).*", replace: "$1" }, + { input: "cp_action", output: "disposition", match: "(?i)^drop$|^reject$", replace: "Blocked" }, + { input: "cp_action", output: "disposition_id", match: "(?i)^drop$|^reject$", replace: "2" } + ] + }, + + // 7. FW Drop fallback — discriminator: action=Drop + { + id: "cp_drop", + attributes: { + "dataSource.category": "firewall", + category_uid: 2, category_name: "Findings", + class_uid: 2004, class_name: "Detection Finding", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + finding_title: "Check Point Firewall Drop", + severity_id: 3, severity: "Medium", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*[|]action=Drop.*", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" }, + { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" }, + { input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*", replace: "$1" } + ] + }, + + // 8. FW Reject — discriminator: action=Reject + { + id: "cp_reject", + attributes: { + "dataSource.category": "firewall", + category_uid: 2, category_name: "Findings", + class_uid: 2004, class_name: "Detection Finding", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + finding_title: "Check Point Firewall Reject", + severity_id: 3, severity: "Medium", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*[|]action=Reject.*", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" }, + { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" }, + { input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*", replace: "$1" } + ] + }, + + // 9. FW Accept — discriminator: action=Accept + { + id: "cp_accept", + attributes: { + "dataSource.category": "firewall", + category_uid: 4, category_name: "Network Activity", + class_uid: 4001, class_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106, + disposition_id: 1, disposition: "Allowed", + severity_id: 1, severity: "Informational" + }, + format: ".*[|]action=Accept.*", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" }, + { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" }, + { input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*", replace: "$1" } + ] + }, + + // 10. CATCH-ALL — any Check Point log not matched above + { + id: "cp_catchall", + attributes: { + "dataSource.category": "security", + category_uid: 5, category_name: "Discovery", + class_uid: 5001, class_name: "Device Inventory Info", + activity_id: 1, activity_name: "Log", + type_uid: 500101, + severity_id: 1, severity: "Informational" + }, + format: ".*time=\\d+[|].*", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" }, + { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" }, + { input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*", replace: "$1" }, + { input: "message", output: "cp_product", match: ".*[|]product=([^|]+).*", replace: "$1" }, + { input: "message", output: "cp_action", match: ".*[|]action=([^|]+).*", replace: "$1" } + ] + } + + ] +} diff --git a/parsers/Darktrace-JSON-OCSF b/parsers/Darktrace-JSON-OCSF new file mode 100644 index 0000000..2d50d61 --- /dev/null +++ b/parsers/Darktrace-JSON-OCSF @@ -0,0 +1,135 @@ +{ + // Darktrace JSON parser - OCSF v1.3.0 + // Handles JSON-formatted Darktrace events from serverHost='darktrace_darktrace_logs-latest' + // + // Supports: + // 1. Model Breach events (with "model.name", "device.*", "score") + // 2. AI Analyst Incidents (with "summary", "title", "incidentId", "groupSeverity") + // + // Maps to OCSF Detection Finding (class_uid 2004) for Library Detection compatibility. + + attributes: { + "marc_ocsf_signature": "MARC-OCSF-PARSER-ACTIVE-77777", + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Darktrace", + "metadata.product.name": "Enterprise Immune System", + "metadata.log_provider": "darktrace-integration", + + "dataSource.vendor": "Darktrace", + "dataSource.name": "Darktrace", + "dataSource.category": "ndr", + + "category_uid": 2, + "category_name": "Findings", + "class_uid": 2004, + "class_name": "Detection Finding", + "type_uid": 200401, + "activity_id": 1, + + "event.type": "Create", + "event.category": "security", + + "status_id": 1, + "status": "New" + }, + + formats: [ + // ============================================================ + // 1. Model Breach (has "model.name" and "pbid") + // ============================================================ + { + id: "dt_model_breach_json", + attributes: { + finding_title: "Darktrace Model Breach" + }, + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // Extract nested JSON fields via regex on raw message (parse=json doesn't flatten nested) + { input: "message", output: "unmapped.model.then.name", + match: ".*\"model\"\\s*:\\s*\\{[^}]*\"name\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "model_name", + match: ".*\"model\"\\s*:\\s*\\{[^}]*\"name\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "finding_title", + match: ".*\"model\"\\s*:\\s*\\{[^}]*\"name\"\\s*:\\s*\"([^\"]+)\".*", replace: "Darktrace: $1" }, + + // Device → asset/host fields (extract from nested device object) + { input: "message", output: "src_ip", + match: ".*\"device\"\\s*:\\s*\\{[^}]*\"ip\"\\s*:\\s*\"([0-9.]+)\".*", replace: "$1" }, + { input: "message", output: "src_hostname", + match: ".*\"device\"\\s*:\\s*\\{[^}]*\"hostname\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "endpoint.name", + match: ".*\"device\"\\s*:\\s*\\{[^}]*\"hostname\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "endpoint.os", + match: ".*\"device\"\\s*:\\s*\\{[^}]*\"os\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "src_mac", + match: ".*\"device\"\\s*:\\s*\\{[^}]*\"mac\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + + // Score (0.0-1.0) → severity_id (OCSF 0-6) + { input: "score", output: "severity_id", match: "^0\\.[0-1].*", replace: "1" }, // Info + { input: "score", output: "severity_id", match: "^0\\.[2-3].*", replace: "2" }, // Low + { input: "score", output: "severity_id", match: "^0\\.[4-5].*", replace: "3" }, // Medium + { input: "score", output: "severity_id", match: "^0\\.[6-7].*", replace: "4" }, // High + { input: "score", output: "severity_id", match: "^0\\.[8-9].*", replace: "5" }, // Critical + { input: "score", output: "severity_id", match: "^1(\\.0)?$", replace: "5" }, // Critical + + { input: "score", output: "severity", match: "^0\\.[0-1].*", replace: "Informational" }, + { input: "score", output: "severity", match: "^0\\.[2-3].*", replace: "Low" }, + { input: "score", output: "severity", match: "^0\\.[4-5].*", replace: "Medium" }, + { input: "score", output: "severity", match: "^0\\.[6-7].*", replace: "High" }, + { input: "score", output: "severity", match: "^0\\.[8-9].*", replace: "Critical" }, + { input: "score", output: "severity", match: "^1(\\.0)?$", replace: "Critical" }, + + // IDs (top-level pbid works, nested model.id/uuid via regex) + { input: "pbid", output: "external_id", match: ".*", replace: "$0" }, + { input: "message", output: "rule_uid", + match: ".*\"model\"\\s*:\\s*\\{[^}]*\"id\"\\s*:\\s*([0-9]+).*", replace: "$1" }, + { input: "message", output: "rule_uuid", + match: ".*\"model\"\\s*:\\s*\\{[^}]*\"uuid\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + + // Timestamps + { input: "creationTime", output: "finding_info.created_time", match: ".*", replace: "$0" }, + { input: "time", output: "finding_info.last_seen_time", match: ".*", replace: "$0" } + ] + }, + + // ============================================================ + // 2. AI Analyst Incident (has "title", "summary", "incidentId") + // ============================================================ + { + id: "dt_aianalyst_json", + attributes: { + finding_title: "Darktrace AI Analyst Incident", + severity_id: 4, + severity: "High" + }, + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // Title → model name (so Library Detections can match) + { input: "title", output: "unmapped.model.then.name", match: ".*", replace: "AI Analyst / $0" }, + { input: "title", output: "model_name", match: ".*", replace: "AI Analyst / $0" }, + { input: "title", output: "finding_title", match: ".*", replace: "Darktrace AI Analyst: $0" }, + { input: "summary", output: "finding_info.desc", match: ".*", replace: "$0" }, + + // groupSeverity (0-100) → severity_id + { input: "groupSeverity", output: "severity_id", match: "^[0-1]?[0-9]$", replace: "1" }, // 0-19 = Info + { input: "groupSeverity", output: "severity_id", match: "^[2-3][0-9]$", replace: "2" }, // 20-39 = Low + { input: "groupSeverity", output: "severity_id", match: "^[4-5][0-9]$", replace: "3" }, // 40-59 = Medium + { input: "groupSeverity", output: "severity_id", match: "^[6-7][0-9]$", replace: "4" }, // 60-79 = High + { input: "groupSeverity", output: "severity_id", match: "^([8-9][0-9]|100)$", replace: "5" }, // 80-100 = Critical + + // First device IP/hostname from devices array (regex on raw message) + { input: "message", output: "src_ip", + match: ".*\"devices\"\\s*:\\s*\\[\\s*\\{[^}]*\"ip\"\\s*:\\s*\"([0-9.]+)\".*", replace: "$1" }, + { input: "message", output: "src_hostname", + match: ".*\"devices\"\\s*:\\s*\\[\\s*\\{[^}]*\"hostname\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "endpoint.name", + match: ".*\"devices\"\\s*:\\s*\\[\\s*\\{[^}]*\"hostname\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + + // IDs + { input: "incidentId", output: "external_id", match: ".*", replace: "$0" } + ] + } + ] +} diff --git a/parsers/Darktrace-OCSF b/parsers/Darktrace-OCSF new file mode 100644 index 0000000..997ca38 --- /dev/null +++ b/parsers/Darktrace-OCSF @@ -0,0 +1,173 @@ +{ + // Darktrace CEF / syslog parser — OCSF v1.3.0 + // + // Supports the four canonical Darktrace log streams: + // 1. Model Breach → Detection Finding (severity from score) + // 2. AI Analyst Incident → Detection Finding (Critical) + // 3. Antigena (autonomous response) → Detection Finding (action: Blocked) + // 4. Admin / authentication events → Authentication (3002) + // + // Wire format is CEF: pipe-separated header + space-separated key=value extension. + // CEF:0|Darktrace|||||| + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Darktrace", + "metadata.product.name": "Enterprise Immune System", + "metadata.log_provider": "syslog", + "Category": "security", + "dataSource.vendor": "Darktrace", + "dataSource.name": "Darktrace", + "dataSource.category": "ndr", + "event.type": "Alert", + "event.category": "security", + "category_uid": 2, + "category_name": "Findings", + "class_uid": 2004, + "class_name": "Detection Finding", + "activity_id": 1, + "type_uid": 200401, + "severity_id": 3 + }, + + patterns: { + word: "[^ |]+", + phrase: "[^|]+", + rest: ".*", + num: "\\d+", + ip: "\\d+\\.\\d+\\.\\d+\\.\\d+", + ext: ".*" + }, + + formats: [ + // ============================================================ + // 1. MODEL BREACH — sigID 100, name="Model Breach" + // Example: + // CEF:0|Darktrace|DCIP|6.1|100|Model Breach|7|src=10.1.1.5 dst=8.8.8.8 + // spt=54321 dpt=443 cs1=Anomalous Connection / Suspicious Self-Signed SSL + // cs1Label=Model cn1=85 cn1Label=Score duser=jsmith deviceExternalId=12345 + // cs2=Compliance cs2Label=Category act=alert + // ============================================================ + { + id: "dt_model_breach", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Darktrace Model Breach", + "event.type": "Alert", "event.category": "security", + severity_id: 4, + severity: "High", + disposition_id: 1, disposition: "Allowed", + status_id: 1, status: "Detected" + }, + format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]100[|]Model Breach[|]$cef_severity=num$[|]$cef_extension=ext$", + halt: true, + rewrites: [ + // Pull common fields out of the CEF extension key=value bag + { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "src_port", match: ".*spt=(\\d+).*", replace: "$1" }, + { input: "message", output: "dst_port", match: ".*dpt=(\\d+).*", replace: "$1" }, + { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "device_id", match: ".*deviceExternalId=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "model_name", match: ".*cs1=([^=\\n]+?)\\s+\\w+=.*", replace: "$1" }, + { input: "message", output: "model_category",match: ".*cs2=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "score", match: ".*cn1=(\\d+).*", replace: "$1" }, + { input: "model_name", output: "finding_title", match: "(?i).*", + replace: "Darktrace Model Breach: $0" } + ] + }, + + // ============================================================ + // 2. AI ANALYST INCIDENT — sigID 200, name contains "AI Analyst" + // ============================================================ + { + id: "dt_aianalyst", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Darktrace AI Analyst Incident", + "event.type": "Alert", "event.category": "security", + severity_id: 5, severity: "Critical", + disposition_id: 1, disposition: "Allowed", + status_id: 1, status: "Detected" + }, + format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]200[|]$incident_name=phrase$[|]$cef_severity=num$[|]$cef_extension=ext$", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "device_id", match: ".*deviceExternalId=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "incident_id", match: ".*externalId=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "summary", match: ".*msg=([^=\\n]+?)(?:\\s+\\w+=.*|$)", replace: "$1" }, + { input: "incident_name", output: "finding_title",match: ".*", replace: "Darktrace $0" } + ] + }, + + // ============================================================ + // 3. ANTIGENA (Autonomous Response) — sigID 300 + // ============================================================ + { + id: "dt_antigena", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Darktrace Antigena Autonomous Action", + "event.type": "Action", "event.category": "security", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked", + status_id: 1, status: "Detected" + }, + format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]300[|]Antigena Action[|]$cef_severity=num$[|]$cef_extension=ext$", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "device_id", match: ".*deviceExternalId=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "action", match: ".*act=([^ \\n]+).*", replace: "$1" } + ] + }, + + // ============================================================ + // 4. ADMIN / AUTH EVENTS — sigID 400 (login success/failure) + // ============================================================ + { + id: "dt_auth_fail", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + type_uid: 300201, activity_id: 1, + "event.type": "Login", "event.category": "authentication", + status_id: 2, status: "Failure", + finding_title: "Darktrace Admin Login Failure" + }, + format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]400[|]Admin Login Failure[|]$cef_severity=num$[|]$cef_extension=ext$", + halt: true, + rewrites: [ + { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" } + ] + }, + + { + id: "dt_auth_ok", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + type_uid: 300201, activity_id: 1, + "event.type": "Login", "event.category": "authentication", + status_id: 1, status: "Success" + }, + format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]400[|]Admin Login Success[|]$cef_severity=num$[|]$cef_extension=ext$", + halt: true, + rewrites: [ + { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" } + ] + } + ] +} diff --git a/parsers/Developer-Workstation-OCSF b/parsers/Developer-Workstation-OCSF new file mode 100644 index 0000000..81c4291 --- /dev/null +++ b/parsers/Developer-Workstation-OCSF @@ -0,0 +1,118 @@ +{ + // Developer-Workstation OCSF Parser — OCSF v1.3.0 + // Endpoint EDR-style events for software-supply-chain hunts (H1..H18) + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Synthetic", + "metadata.product.name": "Developer Workstation EDR", + "metadata.log_provider": "hec", + "Category": "endpoint", + "dataSource.vendor": "Synthetic", + "dataSource.name": "Developer Workstation", + "dataSource.category": "Endpoint" + }, + + formats: [ + { + // Auto-extract every JSON top-level + nested field as attributes. + // Nested objects flatten with dot-notation: process.image_name, + // endpoint.name, file.path, dns.query, registry.key_path, etc. + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // ─── OCSF classification by event_type ────────────────────────── + { input: "event_type", output: "category_uid", match: "PROCESS_START", replace: "1" }, + { input: "event_type", output: "category_name", match: "PROCESS_START", replace: "System Activity" }, + { input: "event_type", output: "class_uid", match: "PROCESS_START", replace: "1007" }, + { input: "event_type", output: "class_name", match: "PROCESS_START", replace: "Process Activity" }, + + { input: "event_type", output: "category_uid", match: "FILE_CREATE", replace: "1" }, + { input: "event_type", output: "category_name", match: "FILE_CREATE", replace: "System Activity" }, + { input: "event_type", output: "class_uid", match: "FILE_CREATE", replace: "1001" }, + { input: "event_type", output: "class_name", match: "FILE_CREATE", replace: "File System Activity" }, + + { input: "event_type", output: "category_uid", match: "FILE_WRITE", replace: "1" }, + { input: "event_type", output: "category_name", match: "FILE_WRITE", replace: "System Activity" }, + { input: "event_type", output: "class_uid", match: "FILE_WRITE", replace: "1001" }, + { input: "event_type", output: "class_name", match: "FILE_WRITE", replace: "File System Activity" }, + + { input: "event_type", output: "category_uid", match: "FILE_READ", replace: "1" }, + { input: "event_type", output: "category_name", match: "FILE_READ", replace: "System Activity" }, + { input: "event_type", output: "class_uid", match: "FILE_READ", replace: "1001" }, + { input: "event_type", output: "class_name", match: "FILE_READ", replace: "File System Activity" }, + + { input: "event_type", output: "category_uid", match: "DNS_QUERY", replace: "4" }, + { input: "event_type", output: "category_name", match: "DNS_QUERY", replace: "Network Activity" }, + { input: "event_type", output: "class_uid", match: "DNS_QUERY", replace: "4003" }, + { input: "event_type", output: "class_name", match: "DNS_QUERY", replace: "DNS Activity" }, + + { input: "event_type", output: "category_uid", match: "REGISTRY_SET", replace: "1" }, + { input: "event_type", output: "category_name", match: "REGISTRY_SET", replace: "System Activity" }, + { input: "event_type", output: "class_uid", match: "REGISTRY_SET", replace: "201101" }, + { input: "event_type", output: "class_name", match: "REGISTRY_SET", replace: "Registry Key Activity" }, + + // ─── Severity mapping (string + OCSF int 0-6) ─────────────────── + { input: "severity", output: "severity_id", match: "(?i)critical", replace: "6" }, + { input: "severity", output: "severity_id", match: "(?i)high", replace: "5" }, + { input: "severity", output: "severity_id", match: "(?i)medium", replace: "4" }, + { input: "severity", output: "severity_id", match: "(?i)low", replace: "2" }, + { input: "severity", output: "severity_id", match: "(?i)info", replace: "1" }, + { input: "severity", output: "severity_str", match: ".*", replace: "$0" }, + + // ─── Activity / finding ───────────────────────────────────────── + { input: "event_type", output: "activity_name", match: ".*", replace: "$0" }, + { input: "event_id", output: "finding_info.uid", match: ".*", replace: "$0" }, + { input: "timestamp", output: "finding_info.created_time_dt", match: ".*", replace: "$0" }, + + // ─── Compliance tags ───────────────────────────────────────── + { input: "event_type", output: "compliance.standard", match: ".*", replace: "NIS2,SLSA,SSDF" }, + + // ─── Explicit extraction of nested fields from the raw message blob + // (the auto-flatten only handles top-level keys; nested objects like + // process.image_name remain inside `message`). + { input: "message", output: "endpoint.name", + match: "^.*?\"endpoint\":\\s*\\{\"name\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "endpoint.os", + match: "^.*?\"endpoint\":\\s*\\{\"name\":\\s*\"[^\"]+\",\\s*\"os\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "actor.user.name", + match: "^.*?\"actor\":\\s*\\{\"user\":\\s*\\{\"name\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "process.image_name", + match: "^.*?\"process\":\\s*\\{\"image_name\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "process.image_path", + match: "^.*?\"process\":\\s*\\{\"image_name\":\\s*\"[^\"]+\",\\s*\"image_path\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "process.command_line", + match: "^.*?\"image_path\":\\s*\"[^\"]+\",\\s*\"command_line\":\\s*\"((?:[^\"\\\\]|\\\\.)*)\".*$", + replace: "$1" }, + { input: "message", output: "process.parent.image_name", + match: "^.*?\"parent\":\\s*\\{\"image_name\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "process.parent.command_line", + match: "^.*?\"parent\":\\s*\\{\"image_name\":\\s*\"[^\"]+\",\\s*\"command_line\":\\s*\"((?:[^\"\\\\]|\\\\.)*)\".*$", + replace: "$1" }, + { input: "message", output: "file.path", + match: "^.*?\"file\":\\s*\\{\"path\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "file.action", + match: "^.*?\"file\":\\s*\\{\"path\":\\s*\"[^\"]+\",\\s*\"action\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "file.content", + match: "^.*?\"content_sample\":\\s*\"((?:[^\"\\\\]|\\\\.)*)\".*$", + replace: "$1" }, + { input: "message", output: "dns.query", + match: "^.*?\"dns\":\\s*\\{\"query\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "registry.key_path", + match: "^.*?\"registry\":\\s*\\{\"key_path\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "scenario", + match: "^.*?\"_scenario\":\\s*\"([^\"]+)\".*$", + replace: "$1" } + ] + } + ] +} diff --git a/parsers/EntraID-OCSF b/parsers/EntraID-OCSF new file mode 100644 index 0000000..2123b19 --- /dev/null +++ b/parsers/EntraID-OCSF @@ -0,0 +1,87 @@ +{ + // Microsoft Entra ID (Azure AD) JSON parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Microsoft", + "metadata.product.name": "Entra ID", + "metadata.log_provider": "azure-monitor", + "Category": "iam", + "dataSource.vendor": "Microsoft", + "dataSource.name": "Entra ID", + "dataSource.category": "identity", + "category_uid": 3, + "category_name": "IAM", + "class_uid": 3002, + "class_name": "Authentication", + "activity_id": 1, + "activity_name": "Logon", + "type_uid": 300201, + "status_id": 1, + "status": "Success", + "severity_id": 1, + "severity": "Informational" + }, + + formats: [ + { + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // Top-level fields + { input: "callerIpAddress", output: "src_endpoint.ip", match: ".*", replace: "$0" }, + { input: "callerIpAddress", output: "src_ip", match: ".*", replace: "$0" }, + { input: "tenantId", output: "tenant_id", match: ".*", replace: "$0" }, + { input: "correlationId", output: "correlation_id", match: ".*", replace: "$0" }, + { input: "category", output: "metadata.event_type", match: ".*", replace: "$0" }, + { input: "resultType", output: "result_code", match: ".*", replace: "$0" }, + { input: "resultDescription", output: "status_detail", match: ".*", replace: "$0" }, + { input: "identity", output: "actor.user.name", match: ".*", replace: "$0" }, + + // Status: errorCode 0 = Success, anything else = Failure + { input: "resultType", output: "status_id", match: "^0$", replace: "1" }, + { input: "resultType", output: "status", match: "^0$", replace: "Success" }, + { input: "resultType", output: "status_id", match: "^[1-9].*", replace: "2" }, + { input: "resultType", output: "status", match: "^[1-9].*", replace: "Failure" }, + { input: "resultType", output: "status_id", match: "^Success$", replace: "1" }, + { input: "resultType", output: "status", match: "^Success$", replace: "Success" }, + + // ═══════════ DETECTION FINDING PROMOTION ═══════════ + + // 1) High risk sign-in + { input: "riskLevelAggregated", output: "class_uid", match: "^high$", replace: "2004" }, + { input: "riskLevelAggregated", output: "class_name", match: "^high$", replace: "Detection Finding" }, + { input: "riskLevelAggregated", output: "category_uid", match: "^high$", replace: "2" }, + { input: "riskLevelAggregated", output: "category_name", match: "^high$", replace: "Findings" }, + { input: "riskLevelAggregated", output: "type_uid", match: "^high$", replace: "200401" }, + { input: "riskLevelAggregated", output: "finding_title", match: "^high$", replace: "Entra ID High-Risk Sign-In" }, + { input: "riskLevelAggregated", output: "finding_info.title", match: "^high$", replace: "Entra ID High-Risk Sign-In" }, + { input: "riskLevelAggregated", output: "severity_id", match: "^high$", replace: "5" }, + { input: "riskLevelAggregated", output: "severity", match: "^high$", replace: "Critical" }, + { input: "riskLevelAggregated", output: "severity_id", match: "^medium$", replace: "4" }, + { input: "riskLevelAggregated", output: "severity", match: "^medium$", replace: "High" }, + + // 2) Tor exit node detected (riskDetail field) + { input: "riskDetail", output: "class_uid", match: "(?i)^.*Tor.*$", replace: "2004" }, + { input: "riskDetail", output: "class_name", match: "(?i)^.*Tor.*$", replace: "Detection Finding" }, + { input: "riskDetail", output: "category_uid", match: "(?i)^.*Tor.*$", replace: "2" }, + { input: "riskDetail", output: "category_name", match: "(?i)^.*Tor.*$", replace: "Findings" }, + { input: "riskDetail", output: "type_uid", match: "(?i)^.*Tor.*$", replace: "200401" }, + { input: "riskDetail", output: "finding_title", match: "(?i)^.*Tor.*$", replace: "Entra ID Tor Exit Node Sign-In" }, + { input: "riskDetail", output: "finding_info.title", match: "(?i)^.*Tor.*$", replace: "Entra ID Tor Exit Node Sign-In" }, + { input: "riskDetail", output: "severity_id", match: "(?i)^.*Tor.*$", replace: "5" }, + { input: "riskDetail", output: "severity", match: "(?i)^.*Tor.*$", replace: "Critical" }, + + // 3) Failed authentication (resultType non-zero) + { input: "resultDescription", output: "class_uid", match: "(?i)^.*Invalid username or password.*$", replace: "2004" }, + { input: "resultDescription", output: "class_name", match: "(?i)^.*Invalid username or password.*$", replace: "Detection Finding" }, + { input: "resultDescription", output: "category_uid", match: "(?i)^.*Invalid username or password.*$", replace: "2" }, + { input: "resultDescription", output: "category_name", match: "(?i)^.*Invalid username or password.*$", replace: "Findings" }, + { input: "resultDescription", output: "type_uid", match: "(?i)^.*Invalid username or password.*$", replace: "200401" }, + { input: "resultDescription", output: "finding_title", match: "(?i)^.*Invalid username or password.*$", replace: "Entra ID Authentication Failure" }, + { input: "resultDescription", output: "finding_info.title", match: "(?i)^.*Invalid username or password.*$", replace: "Entra ID Authentication Failure" }, + { input: "resultDescription", output: "severity_id", match: "(?i)^.*Invalid username or password.*$", replace: "4" }, + { input: "resultDescription", output: "severity", match: "(?i)^.*Invalid username or password.*$", replace: "High" } + ] + } + ] +} diff --git a/parsers/F5APM-OCSF b/parsers/F5APM-OCSF new file mode 100644 index 0000000..d362b78 --- /dev/null +++ b/parsers/F5APM-OCSF @@ -0,0 +1,84 @@ +{ + // F5 BIG-IP APM (VPN/Access) parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "F5", + "metadata.product.name": "BIG-IP APM", + "metadata.log_provider": "syslog", + "Category": "iam", + "dataSource.vendor": "F5", + "dataSource.name": "BIG-IP APM", + "dataSource.category": "vpn", + "category_uid": 3, + "category_name": "IAM", + "class_uid": 3005, + "class_name": "User Access Management", + "activity_id": 1, + "type_uid": 300501, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + word: "\\S+", + untilC: "[^\\n]*?", + rest: ".*" + }, + + formats: [ + // Session authentication failed → Detection Finding (HIGH) + { + id: "apm_auth_fail", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "F5 APM Authentication Failure", + severity_id: 4, severity: "High", + disposition_id: 2, disposition: "Blocked", + status_id: 2, status: "Failure" + }, + format: ".*Session authentication failed - User: $user_name=word$ Client IP: $src_ip=ipv4$.*", + halt: true + }, + + // Access policy denied → Detection Finding + { + id: "apm_access_deny", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "F5 APM Access Policy Deny", + severity_id: 4, severity: "High", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*Access policy result: Deny.*$reason=rest$", + halt: true + }, + + // New session created + { + id: "apm_new_session", + attributes: { + class_uid: 3005, class_name: "User Access Management", + type_uid: 300501 + }, + format: ".*New session created - Client IP: $src_ip=ipv4$.*", + halt: true + }, + + // Successful AD auth + { + id: "apm_ad_success", + attributes: { + class_uid: 3002, class_name: "Authentication", + activity_id: 1, type_uid: 300201, + status_id: 1, status: "Success" + }, + format: ".*AD Auth query - User: $user_name=word$ Domain: $domain=word$.*Result: Success.*", + halt: true + } + ] +} diff --git a/parsers/F5BigIP-OCSF b/parsers/F5BigIP-OCSF new file mode 100644 index 0000000..86738ff --- /dev/null +++ b/parsers/F5BigIP-OCSF @@ -0,0 +1,86 @@ +{ + // F5 BIG-IP LTM iRule + ASM parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "F5", + "metadata.product.name": "BIG-IP LTM", + "metadata.log_provider": "syslog", + "Category": "network", + "dataSource.vendor": "F5", + "dataSource.name": "BIG-IP LTM", + "dataSource.category": "load-balancer", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4002, + "class_name": "HTTP Activity", + "activity_id": 1, + "type_uid": 400201, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + word: "\\S+", + untilSpace: "[^ ]+", + untilC: "[^\\n]*?", + rest: ".*" + }, + + formats: [ + // BLOCKED iRule WAF event → Detection Finding (CRITICAL) + { + id: "f5_blocked", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "F5 BIG-IP WAF Block", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*BLOCKED.*Client $src_ip=ipv4$:$src_port=word$.*", + halt: true + }, + + // SSL handshake failed → Detection Finding (MEDIUM) + { + id: "f5_ssl_fail", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "F5 SSL Handshake Failure", + severity_id: 3, severity: "Medium" + }, + format: ".*SSL Handshake failed for TCP $src_ip=ipv4$:$src_port=word$.*", + halt: true + }, + + // ASM violation (key=value style) + { + id: "f5_asm_violation", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "F5 ASM Web Application Attack", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*ASM:.*ip_client=\"$src_ip=ipv4$\".*", + halt: true + }, + + // Standard HTTP request (informational) + { + id: "f5_http", + attributes: { + class_uid: 4002, class_name: "HTTP Activity", + type_uid: 400201 + }, + format: ".*Client $src_ip=ipv4$:$src_port=word$ -> VIP $vip_ip=ipv4$:$vip_port=word$.*", + halt: true + } + ] +} diff --git a/parsers/FortiGate-OCSF b/parsers/FortiGate-OCSF new file mode 100644 index 0000000..43310a3 --- /dev/null +++ b/parsers/FortiGate-OCSF @@ -0,0 +1,72 @@ +{ + // FortiGate KV-format parser — OCSF v1.3.0 + // Uses explicit anchors around each KV pair instead of generic kv type + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Fortinet", + "metadata.product.name": "FortiGate", + "metadata.log_provider": "syslog", + "Category": "network", + "dataSource.vendor": "Fortinet", + "dataSource.name": "FortiGate", + "dataSource.category": "firewall", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Network Activity", + "activity_id": 6, + "type_uid": 400106, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + qval: "(\"[^\"]*\"|\\S+)", + word: "\\S+", + rest: ".*" + }, + + formats: [ + // IPS / UTM threat → Detection Finding + { + id: "fgt_ips", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "FortiGate IPS Detection", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*type=\"ips\".* srcip=$src_ip=word$ .*dstip=$dst_ip=word$ .*attack=\"$attack=qval$\".*", + halt: true + }, + + // Forward traffic - Deny + { + id: "fgt_deny", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "FortiGate Firewall Deny", + severity_id: 3, severity: "Medium", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*action=\"deny\".* srcip=$src_ip=word$ .*srcport=$src_port=word$ .*dstip=$dst_ip=word$ .*dstport=$dst_port=word$ .*proto=$protocol=word$.*", + halt: true + }, + + // Forward traffic - Allow (passes through to default) + { + id: "fgt_traffic", + attributes: { + class_uid: 4001, class_name: "Network Activity", + type_uid: 400106, + disposition_id: 1, disposition: "Allowed" + }, + format: ".* srcip=$src_ip=word$ .*srcport=$src_port=word$ .*dstip=$dst_ip=word$ .*dstport=$dst_port=word$ .*proto=$protocol=word$ .*action=\"$action=qval$\".*", + halt: true + } + ] +} diff --git a/parsers/HANADatabase-OCSF b/parsers/HANADatabase-OCSF new file mode 100644 index 0000000..f92408a --- /dev/null +++ b/parsers/HANADatabase-OCSF @@ -0,0 +1,170 @@ +{ + // SAP HANA Database SDL Parser + // OCSF v1.3.0 — emits Detection Finding (2004) for risky events + // so they appear in XDR / AI SIEM Findings UI + + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "SAP", + "metadata.product.name": "HANA Database", + "metadata.log_provider": "hana-audit", + "Category": "database", + "dataSource.vendor": "SAP", + "dataSource.name": "HANA Database", + "dataSource.category": "database", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Database Activity", + "activity_id": 0, + "activity_name": "Unknown", + "type_uid": 400100, + "status_id": 1, + "status": "Success", + "severity_id": 1, + "severity": "Informational", + "disposition_id": 0, + "disposition": "Unknown" + }, + + formats: [ + { + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // Field extraction + { input: "user_name", output: "actor.user.name", match: ".*", replace: "$0" }, + { input: "user_name", output: "user.name", match: ".*", replace: "$0" }, + { input: "application_user", output: "actor.user.account.name", match: ".*", replace: "$0" }, + { input: "application_name", output: "app_name", match: ".*", replace: "$0" }, + { input: "client_ip", output: "src_endpoint.ip", match: ".*", replace: "$0" }, + { input: "client_ip", output: "src_ip", match: ".*", replace: "$0" }, + { input: "client_port", output: "src_endpoint.port", match: ".*", replace: "$0" }, + { input: "host", output: "device.hostname", match: ".*", replace: "$0" }, + { input: "component", output: "device.type", match: ".*", replace: "$0" }, + { input: "connection_id", output: "actor.session.uid", match: ".*", replace: "$0" }, + { input: "connection_id", output: "session.uid", match: ".*", replace: "$0" }, + { input: "transaction_id", output: "transaction.uid", match: ".*", replace: "$0" }, + { input: "statement_id", output: "query_info.uid", match: ".*", replace: "$0" }, + { input: "statement", output: "query_info.query_string", match: ".*", replace: "$0" }, + { input: "executed_statement", output: "query_info.executed_query", match: ".*", replace: "$0" }, + { input: "rows_affected", output: "query_info.rows_affected", match: ".*", replace: "$0" }, + { input: "execution_time_ms", output: "query_info.duration", match: ".*", replace: "$0" }, + { input: "audit_action", output: "activity_name", match: ".*", replace: "$0" }, + { input: "audit_action", output: "query_info.query_type", match: ".*", replace: "$0" }, + { input: "audit_policy_name", output: "policy.name", match: ".*", replace: "$0" }, + { input: "comment", output: "raw_data", match: ".*", replace: "$0" }, + + // Status + { input: "error_code", output: "status_id", match: "^0$", replace: "1" }, + { input: "error_code", output: "status", match: "^0$", replace: "Success" }, + { input: "error_code", output: "status_id", match: "^[1-9].*", replace: "2" }, + { input: "error_code", output: "status", match: "^[1-9].*", replace: "Failure" }, + { input: "error_code", output: "status_code", match: ".*", replace: "$0" }, + { input: "error_message", output: "status_detail", match: ".*", replace: "$0" }, + + // OCSF class routing by audit_action — Authentication + { input: "audit_action", output: "class_uid", match: "^(CONNECT|DISCONNECT)$", replace: "3002" }, + { input: "audit_action", output: "class_name", match: "^(CONNECT|DISCONNECT)$", replace: "Authentication" }, + { input: "audit_action", output: "category_uid", match: "^(CONNECT|DISCONNECT)$", replace: "3" }, + { input: "audit_action", output: "category_name", match: "^(CONNECT|DISCONNECT)$", replace: "IAM" }, + { input: "audit_action", output: "activity_id", match: "^CONNECT$", replace: "1" }, + { input: "audit_action", output: "type_uid", match: "^CONNECT$", replace: "300201" }, + { input: "audit_action", output: "activity_id", match: "^DISCONNECT$", replace: "2" }, + { input: "audit_action", output: "type_uid", match: "^DISCONNECT$", replace: "300202" }, + + // Authorization (GRANT / REVOKE) + { input: "audit_action", output: "class_uid", match: "^(GRANT|REVOKE)$", replace: "3003" }, + { input: "audit_action", output: "class_name", match: "^(GRANT|REVOKE)$", replace: "Authorization" }, + { input: "audit_action", output: "category_uid", match: "^(GRANT|REVOKE)$", replace: "3" }, + { input: "audit_action", output: "category_name", match: "^(GRANT|REVOKE)$", replace: "IAM" }, + { input: "audit_action", output: "activity_id", match: "^GRANT$", replace: "1" }, + { input: "audit_action", output: "type_uid", match: "^GRANT$", replace: "300301" }, + { input: "audit_action", output: "activity_id", match: "^REVOKE$", replace: "2" }, + + // Database Activity (DML / DDL / Backup) + { input: "audit_action", output: "class_uid", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "4001" }, + { input: "audit_action", output: "class_name", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "Database Activity" }, + { input: "audit_action", output: "category_uid", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "4" }, + { input: "audit_action", output: "category_name", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "Network Activity" }, + { input: "audit_action", output: "activity_id", match: "^SELECT$", replace: "1" }, + { input: "audit_action", output: "activity_id", match: "^INSERT$", replace: "2" }, + { input: "audit_action", output: "activity_id", match: "^UPDATE$", replace: "3" }, + { input: "audit_action", output: "activity_id", match: "^DELETE$", replace: "4" }, + { input: "audit_action", output: "activity_id", match: "^BACKUP DATA$", replace: "5" }, + + // Severity from audit_level + { input: "audit_level", output: "severity_id", match: "(?i)info", replace: "1" }, + { input: "audit_level", output: "severity", match: "(?i)info", replace: "Informational" }, + { input: "audit_level", output: "severity_id", match: "(?i)warning", replace: "3" }, + { input: "audit_level", output: "severity", match: "(?i)warning", replace: "Medium" }, + { input: "audit_level", output: "severity_id", match: "(?i)alert", replace: "4" }, + { input: "audit_level", output: "severity", match: "(?i)alert", replace: "High" }, + { input: "audit_level", output: "severity_id", match: "(?i)critical", replace: "5" }, + { input: "audit_level", output: "severity", match: "(?i)critical", replace: "Critical" }, + + // Promote risky events to Detection Finding (2004) so they show in XDR + + // 1) Failed authentication + { input: "error_code", output: "class_uid", match: "^[1-9].*", replace: "2004" }, + { input: "error_code", output: "class_name", match: "^[1-9].*", replace: "Detection Finding" }, + { input: "error_code", output: "category_uid", match: "^[1-9].*", replace: "2" }, + { input: "error_code", output: "category_name", match: "^[1-9].*", replace: "Findings" }, + { input: "error_code", output: "activity_id", match: "^[1-9].*", replace: "1" }, + { input: "error_code", output: "type_uid", match: "^[1-9].*", replace: "200401" }, + { input: "error_code", output: "finding_title", match: "^[1-9].*", replace: "HANA Authentication Failure" }, + { input: "error_code", output: "finding_info.title", match: "^[1-9].*", replace: "HANA Authentication Failure" }, + { input: "error_code", output: "disposition_id", match: "^[1-9].*", replace: "2" }, + { input: "error_code", output: "disposition", match: "^[1-9].*", replace: "Blocked" }, + { input: "error_code", output: "severity_id", match: "^[1-9].*", replace: "4" }, + { input: "error_code", output: "severity", match: "^[1-9].*", replace: "High" }, + + // 2) Mass data extraction (rows_affected >= 10000) + { input: "rows_affected", output: "class_uid", match: "^[1-9][0-9]{4,}$", replace: "2004" }, + { input: "rows_affected", output: "class_name", match: "^[1-9][0-9]{4,}$", replace: "Detection Finding" }, + { input: "rows_affected", output: "category_uid", match: "^[1-9][0-9]{4,}$", replace: "2" }, + { input: "rows_affected", output: "category_name", match: "^[1-9][0-9]{4,}$", replace: "Findings" }, + { input: "rows_affected", output: "type_uid", match: "^[1-9][0-9]{4,}$", replace: "200401" }, + { input: "rows_affected", output: "finding_title", match: "^[1-9][0-9]{4,}$", replace: "HANA Mass Data Extraction" }, + { input: "rows_affected", output: "finding_info.title", match: "^[1-9][0-9]{4,}$", replace: "HANA Mass Data Extraction" }, + { input: "rows_affected", output: "severity_id", match: "^[1-9][0-9]{4,}$", replace: "5" }, + { input: "rows_affected", output: "severity", match: "^[1-9][0-9]{4,}$", replace: "Critical" }, + + // 3) SQL injection signature (more specific than mass extraction — wins on overlap) + { input: "statement", output: "class_uid", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2004" }, + { input: "statement", output: "class_name", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Detection Finding" }, + { input: "statement", output: "category_uid", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2" }, + { input: "statement", output: "category_name", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Findings" }, + { input: "statement", output: "type_uid", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "200401" }, + { input: "statement", output: "finding_title", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "HANA SQL Injection Detected" }, + { input: "statement", output: "finding_info.title", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "HANA SQL Injection Detected" }, + { input: "statement", output: "severity_id", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "5" }, + { input: "statement", output: "severity", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Critical" }, + { input: "statement", output: "disposition_id", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2" }, + { input: "statement", output: "disposition", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Blocked" }, + + // 4) GRANT ALL PRIVILEGES (anchor with ^...$) + { input: "statement", output: "class_uid", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "2004" }, + { input: "statement", output: "class_name", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Detection Finding" }, + { input: "statement", output: "category_uid", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "2" }, + { input: "statement", output: "category_name", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Findings" }, + { input: "statement", output: "type_uid", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "200401" }, + { input: "statement", output: "finding_title", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "HANA Privilege Escalation" }, + { input: "statement", output: "finding_info.title", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "HANA Privilege Escalation" }, + { input: "statement", output: "severity_id", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "5" }, + { input: "statement", output: "severity", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Critical" }, + + // 5) Backup to /tmp/ (anchor with ^...$) + { input: "statement", output: "class_uid", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "2004" }, + { input: "statement", output: "class_name", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Detection Finding" }, + { input: "statement", output: "category_uid", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "2" }, + { input: "statement", output: "category_name", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Findings" }, + { input: "statement", output: "type_uid", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "200401" }, + { input: "statement", output: "finding_title", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "HANA Suspicious Backup Location" }, + { input: "statement", output: "finding_info.title", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "HANA Suspicious Backup Location" }, + { input: "statement", output: "severity_id", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "5" }, + { input: "statement", output: "severity", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Critical" } + ] + } + ] +} diff --git a/parsers/ISCBIND-OCSF b/parsers/ISCBIND-OCSF new file mode 100644 index 0000000..24816a1 --- /dev/null +++ b/parsers/ISCBIND-OCSF @@ -0,0 +1,90 @@ +{ + // ISC BIND DNS query log parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "ISC", + "metadata.product.name": "BIND", + "metadata.log_provider": "syslog", + "Category": "network", + "dataSource.vendor": "ISC", + "dataSource.name": "BIND", + "dataSource.category": "dns", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4003, + "class_name": "DNS Activity", + "activity_id": 1, + "activity_name": "Query", + "type_uid": 400301, + "status_id": 1, + "status": "Success", + "severity_id": 1, + "severity": "Informational" + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + word: "\\S+", + rest: ".*" + }, + + formats: [ + // Standard query log + { + id: "bind_query", + attributes: { + class_uid: 4003, class_name: "DNS Activity", + category_uid: 4, activity_id: 1, type_uid: 400301 + }, + format: ".*queries: info: client @$session_handle=word$ $src_ip=ipv4$#$src_port=word$ \\($query_name=word$\\): query: $query_name2=word$ IN $query_type=word$ .*", + halt: true, + rewrites: [ + // AXFR zone transfer attempt → Detection Finding + { input: "query_type", output: "class_uid", match: "^AXFR$", replace: "2004" }, + { input: "query_type", output: "class_name", match: "^AXFR$", replace: "Detection Finding" }, + { input: "query_type", output: "category_uid", match: "^AXFR$", replace: "2" }, + { input: "query_type", output: "category_name", match: "^AXFR$", replace: "Findings" }, + { input: "query_type", output: "type_uid", match: "^AXFR$", replace: "200401" }, + { input: "query_type", output: "finding_title", match: "^AXFR$", replace: "BIND DNS Zone Transfer Attempt" }, + { input: "query_type", output: "finding_info.title", match: "^AXFR$", replace: "BIND DNS Zone Transfer Attempt" }, + { input: "query_type", output: "severity_id", match: "^AXFR$", replace: "4" }, + { input: "query_type", output: "severity", match: "^AXFR$", replace: "High" }, + + // Long base64-looking query → DNS tunneling + { input: "query_name", output: "class_uid", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "2004" }, + { input: "query_name", output: "class_name", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "Detection Finding" }, + { input: "query_name", output: "category_uid", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "2" }, + { input: "query_name", output: "category_name", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "Findings" }, + { input: "query_name", output: "type_uid", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "200401" }, + { input: "query_name", output: "finding_title", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "BIND DNS Tunneling Suspected" }, + { input: "query_name", output: "finding_info.title", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "BIND DNS Tunneling Suspected" }, + { input: "query_name", output: "severity_id", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "5" }, + { input: "query_name", output: "severity", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "Critical" }, + + // Known-bad TLDs (dyndns, no-ip, etc.) → Suspicious DNS + { input: "query_name", output: "class_uid", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "2004" }, + { input: "query_name", output: "class_name", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "Detection Finding" }, + { input: "query_name", output: "category_uid", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "2" }, + { input: "query_name", output: "category_name", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "Findings" }, + { input: "query_name", output: "type_uid", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "200401" }, + { input: "query_name", output: "finding_title", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "BIND Suspicious Dynamic DNS Query" }, + { input: "query_name", output: "finding_info.title", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "BIND Suspicious Dynamic DNS Query" }, + { input: "query_name", output: "severity_id", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "4" }, + { input: "query_name", output: "severity", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "High" } + ] + }, + + // Security warning (zone transfer denied, etc) + { + id: "bind_security", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, type_uid: 200401, + finding_title: "BIND Security Warning", + severity_id: 4, severity: "High" + }, + format: ".*security: warning: $detail=rest$", + halt: true + } + ] +} diff --git a/parsers/LinuxOS-OCSF b/parsers/LinuxOS-OCSF new file mode 100644 index 0000000..5d2290f --- /dev/null +++ b/parsers/LinuxOS-OCSF @@ -0,0 +1,152 @@ +{ + // Linux syslog/auditd parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Linux", + "metadata.product.name": "Linux OS", + "metadata.log_provider": "syslog", + "Category": "host", + "dataSource.vendor": "Linux", + "dataSource.name": "Linux OS", + "dataSource.category": "host", + "category_uid": 1, + "category_name": "System Activity", + "class_uid": 1001, + "class_name": "File System Activity", + "activity_id": 0, + "activity_name": "Unknown", + "type_uid": 100100, + "status_id": 1, + "status": "Success", + "severity_id": 1, + "severity": "Informational" + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + word: "\\S+", + rest: ".*", + creds: "(mimikatz|hashdump|secretsdump|kerbrute)", + revshell: ".*socket\\.socket.*" + }, + + formats: [ + // SSH failed authentication + { + id: "ssh_failed", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + finding_title: "Linux SSH Authentication Failure", + severity_id: 4, severity: "High", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*Failed password for $user_name=word$ from $src_ip=ipv4$ port $src_port=word$.*", + halt: true + }, + + // SSH successful authentication + { + id: "ssh_success", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "IAM", + activity_id: 1, activity_name: "Logon", + type_uid: 300201, + status_id: 1, status: "Success" + }, + format: ".*Accepted password for $user_name=word$ from $src_ip=ipv4$ port $src_port=word$.*", + halt: true + }, + + // sudo NOT in sudoers (priv-esc attempt) + { + id: "sudo_not_in_sudoers", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + finding_title: "Linux Sudo Not In Sudoers", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*sudo: $user_name=word$ : user NOT in sudoers ; TTY=$tty=word$ ; PWD=$pwd=word$ ; USER=$target_user=word$ ; COMMAND=$process_cmd_line=rest$", + halt: true + }, + + // useradd — new user account created + { + id: "useradd", + attributes: { + class_uid: 3001, class_name: "Account Change", + category_uid: 3, category_name: "IAM", + activity_id: 1, activity_name: "Create", + type_uid: 300101, + finding_title: "Linux New User Account Created", + severity_id: 4, severity: "High" + }, + format: ".*useradd\\[$pid=word$\\]: new user: name=$new_user=word$, UID=$uid=word$, GID=$gid=word$.*", + halt: true + }, + + // Mimikatz / credential dumping signatures + { + id: "credential_dump", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Linux Credential Dumping Tool", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*$tool=creds$.*", + halt: true + }, + + // Reverse shell (python -c socket) + { + id: "reverse_shell", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Linux Reverse Shell Execution", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*python$ver=word$ -c $cmd=revshell$.*", + halt: true + }, + + // Generic auditd EXECVE + { + id: "auditd_execve", + attributes: { + class_uid: 1007, class_name: "Process Activity", + category_uid: 1, category_name: "System Activity", + activity_id: 1, activity_name: "Launch", + type_uid: 100701 + }, + format: ".*auditd\\[$pid=word$\\]: EXECVE argc=$argc=word$ a0=\"$process_name=word$\" $cmdline=rest$", + halt: true + }, + + // Cron job executed (suspicious if from /tmp/.hidden) + { + id: "cron_suspicious", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Linux Suspicious Cron Job", + severity_id: 4, severity: "High" + }, + format: ".*cron\\[$pid=word$\\]: \\($cron_user=word$\\) CMD \\($cron_cmd=rest$\\)", + halt: true + } + ] +} diff --git a/parsers/MicrosoftDHCP-OCSF b/parsers/MicrosoftDHCP-OCSF new file mode 100644 index 0000000..a8cd7f7 --- /dev/null +++ b/parsers/MicrosoftDHCP-OCSF @@ -0,0 +1,61 @@ +{ + // Microsoft DHCP server CSV parser — OCSF v1.3.0 + // Format: ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,... + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Microsoft", + "metadata.product.name": "DHCP Server", + "Category": "network", + "dataSource.vendor": "Microsoft", + "dataSource.name": "DHCP Server", + "dataSource.category": "network", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4004, + "class_name": "DHCP Activity", + "activity_id": 1, + "type_uid": 400401, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + csv: "[^,]*" + }, + + formats: [ + // Standard DHCP event + { + id: "dhcp_event", + attributes: { + class_uid: 4004, class_name: "DHCP Activity", + type_uid: 400401 + }, + format: "$event_id=csv$,$date=csv$,$time=csv$,$action=csv$,$client_ip=csv$,$host_name=csv$,$mac=csv$,$user_name=csv$,.*", + halt: true, + rewrites: [ + { input: "client_ip", output: "src_endpoint.ip", match: ".*", replace: "$0" }, + { input: "client_ip", output: "src_ip", match: ".*", replace: "$0" }, + { input: "mac", output: "src_endpoint.mac", match: ".*", replace: "$0" }, + { input: "host_name", output: "device.hostname", match: ".*", replace: "$0" }, + { input: "user_name", output: "actor.user.name", match: ".*", replace: "$0" }, + { input: "action", output: "activity_name", match: ".*", replace: "$0" }, + + // Activity ID by event_id + { input: "event_id", output: "activity_id", match: "^10$", replace: "1" }, // Assign + { input: "event_id", output: "activity_id", match: "^11$", replace: "2" }, // Renew + { input: "event_id", output: "activity_id", match: "^12$", replace: "3" }, // Release + { input: "event_id", output: "activity_id", match: "^13$", replace: "4" }, // Conflict + + // Detection Finding: rogue DHCP / IP conflict + { input: "event_id", output: "class_uid", match: "^13$", replace: "2004" }, + { input: "event_id", output: "class_name", match: "^13$", replace: "Detection Finding" }, + { input: "event_id", output: "category_uid", match: "^13$", replace: "2" }, + { input: "event_id", output: "type_uid", match: "^13$", replace: "200401" }, + { input: "event_id", output: "finding_title", match: "^13$", replace: "DHCP IP Address Conflict" }, + { input: "event_id", output: "severity_id", match: "^13$", replace: "4" }, + { input: "event_id", output: "severity", match: "^13$", replace: "High" } + ] + } + ] +} diff --git a/parsers/MicrosoftDNS-OCSF b/parsers/MicrosoftDNS-OCSF new file mode 100644 index 0000000..1a7c717 --- /dev/null +++ b/parsers/MicrosoftDNS-OCSF @@ -0,0 +1,48 @@ +{ + // Microsoft DNS debug log parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Microsoft", + "metadata.product.name": "DNS Server", + "Category": "network", + "dataSource.vendor": "Microsoft", + "dataSource.name": "DNS Server", + "dataSource.category": "dns", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4003, + "class_name": "DNS Activity", + "activity_id": 1, + "type_uid": 400301, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + word: "\\S+", + rest: ".*" + }, + + formats: [ + { + id: "msdns_query", + attributes: { + class_uid: 4003, class_name: "DNS Activity", + type_uid: 400301 + }, + format: ".* $proto=word$ $direction=word$ $src_ip=ipv4$ .* Q .* $query_type=word$ .* $query_name=rest$", + halt: true, + rewrites: [ + // DNS tunneling (very long query) + { input: "query_name", output: "class_uid", match: "^.{120,}$", replace: "2004" }, + { input: "query_name", output: "class_name", match: "^.{120,}$", replace: "Detection Finding" }, + { input: "query_name", output: "category_uid", match: "^.{120,}$", replace: "2" }, + { input: "query_name", output: "type_uid", match: "^.{120,}$", replace: "200401" }, + { input: "query_name", output: "finding_title", match: "^.{120,}$", replace: "MS-DNS Suspected Tunneling (long query)" }, + { input: "query_name", output: "severity_id", match: "^.{120,}$", replace: "4" }, + { input: "query_name", output: "severity", match: "^.{120,}$", replace: "High" } + ] + } + ] +} diff --git a/parsers/Omniconnect-OCSF b/parsers/Omniconnect-OCSF new file mode 100644 index 0000000..7d06ebc --- /dev/null +++ b/parsers/Omniconnect-OCSF @@ -0,0 +1,88 @@ +{ + // Omniconnect TI Gateway OCSF Parser - OCSF v1.3.0 + // Secures HIS <-> German Telematics Infrastructure (TI) traffic + // BSI / NIS2 / gematik compliance events + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Omniconnect", + "metadata.product.name": "Omniconnect TI Gateway", + "metadata.log_provider": "hec", + "Category": "healthcare", + "dataSource.vendor": "Omniconnect", + "dataSource.name": "Omniconnect", + "dataSource.category": "Healthcare" + }, + + formats: [ + { + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // ─── OCSF classification by event_category ────────────────────── + { input: "event_category", output: "category_uid", match: "ti_connection", replace: "4" }, + { input: "event_category", output: "category_name", match: "ti_connection", replace: "Network Activity" }, + { input: "event_category", output: "class_uid", match: "ti_connection", replace: "4001" }, + { input: "event_category", output: "class_name", match: "ti_connection", replace: "Network Activity" }, + + { input: "event_category", output: "category_uid", match: "card_operations", replace: "3" }, + { input: "event_category", output: "category_name", match: "card_operations", replace: "Identity & Access Management" }, + { input: "event_category", output: "class_uid", match: "card_operations", replace: "3002" }, + { input: "event_category", output: "class_name", match: "card_operations", replace: "Authentication" }, + + { input: "event_category", output: "category_uid", match: "vsdm", replace: "6" }, + { input: "event_category", output: "category_name", match: "vsdm", replace: "Application Activity" }, + { input: "event_category", output: "class_uid", match: "vsdm", replace: "6001" }, + { input: "event_category", output: "class_name", match: "vsdm", replace: "Web Resources Activity" }, + + { input: "event_category", output: "category_uid", match: "erezept", replace: "6" }, + { input: "event_category", output: "category_name", match: "erezept", replace: "Application Activity" }, + { input: "event_category", output: "class_uid", match: "erezept", replace: "6001" }, + { input: "event_category", output: "class_name", match: "erezept", replace: "Web Resources Activity" }, + + { input: "event_category", output: "category_uid", match: "epa", replace: "6" }, + { input: "event_category", output: "category_name", match: "epa", replace: "Application Activity" }, + { input: "event_category", output: "class_uid", match: "epa", replace: "6001" }, + { input: "event_category", output: "class_name", match: "epa", replace: "Web Resources Activity" }, + + { input: "event_category", output: "category_uid", match: "kim", replace: "4" }, + { input: "event_category", output: "category_name", match: "kim", replace: "Network Activity" }, + { input: "event_category", output: "class_uid", match: "kim", replace: "4009" }, + { input: "event_category", output: "class_name", match: "kim", replace: "Email Activity" }, + + { input: "event_category", output: "category_uid", match: "security", replace: "2" }, + { input: "event_category", output: "category_name", match: "security", replace: "Findings" }, + { input: "event_category", output: "class_uid", match: "security", replace: "2001" }, + { input: "event_category", output: "class_name", match: "security", replace: "Security Finding" }, + + { input: "event_category", output: "category_uid", match: "system", replace: "6" }, + { input: "event_category", output: "category_name", match: "system", replace: "Application Activity" }, + { input: "event_category", output: "class_uid", match: "system", replace: "6007" }, + { input: "event_category", output: "class_name", match: "system", replace: "Application Lifecycle" }, + + // ─── Severity ─────────────────────────────────────────────────── + { input: "severity", output: "severity_id", match: "(?i)critical", replace: "6" }, + { input: "severity", output: "severity_id", match: "(?i)high", replace: "5" }, + { input: "severity", output: "severity_id", match: "(?i)medium", replace: "4" }, + { input: "severity", output: "severity_id", match: "(?i)low", replace: "2" }, + { input: "severity", output: "severity_id", match: "(?i)info", replace: "1" }, + { input: "severity", output: "severity_str", match: ".*", replace: "$0" }, + + // ─── Status ───────────────────────────────────────────────────── + { input: "outcome", output: "status_id", match: "success", replace: "1" }, + { input: "outcome", output: "status_id", match: "failure", replace: "2" }, + { input: "outcome", output: "status_id", match: "detected", replace: "2" }, + { input: "outcome", output: "status_id", match: "revoked", replace: "3" }, + { input: "outcome", output: "status", match: ".*", replace: "$0" }, + + // ─── Activity / finding ───────────────────────────────────────── + { input: "event_type", output: "activity_name", match: ".*", replace: "$0" }, + { input: "event_type", output: "finding_info.title", match: ".*", replace: "$0" }, + { input: "event_id", output: "finding_info.uid", match: ".*", replace: "$0" }, + { input: "timestamp", output: "finding_info.created_time_dt", match: ".*", replace: "$0" }, + + // ─── Compliance tags (BSI / NIS2 / gematik / GDPR) ────────────── + { input: "event_category", output: "compliance.standard", match: ".*", replace: "BSI-Grundschutz,NIS2,gematik-TI,GDPR" } + ] + } + ] +} diff --git a/parsers/OracleRDBMS-OCSF b/parsers/OracleRDBMS-OCSF new file mode 100644 index 0000000..2cd24bf --- /dev/null +++ b/parsers/OracleRDBMS-OCSF @@ -0,0 +1,62 @@ +{ + // Oracle RDBMS audit trail parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Oracle", + "metadata.product.name": "Database", + "Category": "database", + "dataSource.vendor": "Oracle", + "dataSource.name": "Oracle Database", + "dataSource.category": "database", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Database Activity", + "activity_id": 1, + "type_uid": 400101, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + word: "\\S+", + rest: ".*" + }, + + formats: [ + { + id: "oracle_audit", + attributes: { + class_uid: 4001, class_name: "Database Activity", + type_uid: 400101 + }, + format: "Audit trail: ACTION: $action_id=word$ TIMESTAMP: $ts=word$ $tz=word$ SESSIONID: $session_id=word$ ENTRYID: $entry_id=word$ STATEMENT: $stmt_id=word$ USERID: $user_name=word$ USERHOST: $user_host=word$ TERMINAL: $terminal=word$ ACTION_NAME: $activity_name=word$ RETURNCODE: $return_code=word$ $rest=rest$", + halt: true, + rewrites: [ + { input: "user_name", output: "actor.user.name", match: ".*", replace: "$0" }, + { input: "user_host", output: "device.hostname", match: ".*", replace: "$0" }, + { input: "session_id", output: "actor.session.uid", match: ".*", replace: "$0" }, + + // Failed (return_code != 0) → Detection Finding + { input: "return_code", output: "class_uid", match: "^[1-9].*", replace: "2004" }, + { input: "return_code", output: "class_name", match: "^[1-9].*", replace: "Detection Finding" }, + { input: "return_code", output: "category_uid", match: "^[1-9].*", replace: "2" }, + { input: "return_code", output: "type_uid", match: "^[1-9].*", replace: "200401" }, + { input: "return_code", output: "finding_title", match: "^[1-9].*", replace: "Oracle Database Failed Operation" }, + { input: "return_code", output: "severity_id", match: "^[1-9].*", replace: "4" }, + { input: "return_code", output: "severity", match: "^[1-9].*", replace: "High" }, + { input: "return_code", output: "status_id", match: "^[1-9].*", replace: "2" }, + { input: "return_code", output: "status", match: "^[1-9].*", replace: "Failure" }, + + // Privilege grants → Detection Finding + { input: "activity_name", output: "class_uid", match: "^GRANT$", replace: "2004" }, + { input: "activity_name", output: "class_name", match: "^GRANT$", replace: "Detection Finding" }, + { input: "activity_name", output: "category_uid", match: "^GRANT$", replace: "2" }, + { input: "activity_name", output: "type_uid", match: "^GRANT$", replace: "200401" }, + { input: "activity_name", output: "finding_title", match: "^GRANT$", replace: "Oracle Privilege Grant" }, + { input: "activity_name", output: "severity_id", match: "^GRANT$", replace: "4" }, + { input: "activity_name", output: "severity", match: "^GRANT$", replace: "High" } + ] + } + ] +} diff --git a/parsers/PaloAlto-OCSF b/parsers/PaloAlto-OCSF new file mode 100644 index 0000000..e9732ca --- /dev/null +++ b/parsers/PaloAlto-OCSF @@ -0,0 +1,72 @@ +{ + // Palo Alto PAN-OS CSV parser — OCSF v1.3.0 + // Format: domain,receive_time,serial,type,subtype,...,src_ip,dst_ip,natsrc_ip,natdst_ip,rule,... + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.product.name": "PAN-OS", + "Category": "network", + "dataSource.vendor": "Palo Alto Networks", + "dataSource.name": "PAN-OS", + "dataSource.category": "firewall", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Network Activity", + "activity_id": 6, + "type_uid": 400106, + "status_id": 1, + "status": "Success", + "severity_id": 1 + }, + + patterns: { + word: "[^,]*", + csv: "[^,]+" + }, + + formats: [ + // TRAFFIC log + { + id: "panos_traffic", + attributes: { + class_uid: 4001, class_name: "Network Activity", + type_uid: 400106 + }, + format: "$domain=csv$,$receive_time=csv$,$serial=csv$,TRAFFIC,$subtype=csv$,$config_ver=csv$,$gen_time=csv$,$src_ip=csv$,$dst_ip=csv$,$natsrc_ip=word$,$natdst_ip=word$,$rule=csv$,$src_user=word$,$dst_user=word$,$application=csv$,.*", + halt: true + }, + + // THREAT log → Detection Finding + { + id: "panos_threat", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Palo Alto Threat Detected", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: "$domain=csv$,$receive_time=csv$,$serial=csv$,THREAT,$threat_subtype=csv$,$config_ver=csv$,$gen_time=csv$,$src_ip=csv$,$dst_ip=csv$,$natsrc_ip=word$,$natdst_ip=word$,$rule=csv$,$src_user=word$,$dst_user=word$,$application=csv$,.*", + halt: true, + rewrites: [ + { input: "threat_subtype", output: "finding_title", match: "(?i)^.*vulnerability.*$", replace: "Palo Alto Vulnerability Exploit Attempt" }, + { input: "threat_subtype", output: "finding_title", match: "(?i)^.*virus.*$", replace: "Palo Alto Malware Detected" }, + { input: "threat_subtype", output: "finding_title", match: "(?i)^.*spyware.*$", replace: "Palo Alto Spyware/C2 Detected" }, + { input: "threat_subtype", output: "finding_title", match: "(?i)^.*url.*$", replace: "Palo Alto Malicious URL" } + ] + }, + + // URL filtering log + { + id: "panos_url", + attributes: { + class_uid: 4002, class_name: "HTTP Activity", + type_uid: 400201 + }, + format: "$domain=csv$,$receive_time=csv$,$serial=csv$,URL,.*", + halt: true + } + ] +} diff --git a/parsers/QRadar-OCSF b/parsers/QRadar-OCSF new file mode 100644 index 0000000..bbf7328 --- /dev/null +++ b/parsers/QRadar-OCSF @@ -0,0 +1,58 @@ +{ + // QRadar JSON parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "IBM", + "metadata.product.name": "QRadar", + "Category": "siem", + "dataSource.vendor": "IBM", + "dataSource.name": "QRadar", + "dataSource.category": "siem", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Network Activity", + "activity_id": 6, + "type_uid": 400106, + "status_id": 1, + "status": "Success", + "severity_id": 1, + "severity": "Informational" + }, + + formats: [ + { + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + { input: "sourceIP", output: "src_endpoint.ip", match: ".*", replace: "$0" }, + { input: "sourceIP", output: "src_ip", match: ".*", replace: "$0" }, + { input: "sourcePort", output: "src_endpoint.port", match: ".*", replace: "$0" }, + { input: "destinationIP", output: "dst_endpoint.ip", match: ".*", replace: "$0" }, + { input: "destinationIP", output: "dst_ip", match: ".*", replace: "$0" }, + { input: "destinationPort", output: "dst_endpoint.port", match: ".*", replace: "$0" }, + { input: "protocol", output: "connection_info.protocol_name", match: ".*", replace: "$0" }, + { input: "username", output: "actor.user.name", match: ".*", replace: "$0" }, + { input: "username", output: "user_name", match: ".*", replace: "$0" }, + { input: "category", output: "metadata.event_type", match: ".*", replace: "$0" }, + + // QRadar magnitude → severity + { input: "magnitude", output: "severity_id", match: "^[1-3]$", replace: "2" }, + { input: "magnitude", output: "severity_id", match: "^[4-6]$", replace: "3" }, + { input: "magnitude", output: "severity_id", match: "^[7-8]$", replace: "4" }, + { input: "magnitude", output: "severity_id", match: "^(9|10)$", replace: "5" }, + + // Detection Finding for "Suspicious" / "Authentication" categories + { input: "category", output: "class_uid", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "2004" }, + { input: "category", output: "class_name", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "Detection Finding" }, + { input: "category", output: "category_uid", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "2" }, + { input: "category", output: "category_name", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "Findings" }, + { input: "category", output: "type_uid", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "200401" }, + { input: "category", output: "finding_title", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "$0" }, + { input: "category", output: "finding_info.title", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "$0" }, + { input: "category", output: "severity_id", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "4" }, + { input: "category", output: "severity", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "High" } + ] + } + ] +} diff --git a/parsers/SIMGeneric-OCSF b/parsers/SIMGeneric-OCSF new file mode 100644 index 0000000..e9949c5 --- /dev/null +++ b/parsers/SIMGeneric-OCSF @@ -0,0 +1,74 @@ +{ + // Generic SIM application syslog parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Generic", + "metadata.product.name": "SIM Generic Application", + "Category": "application", + "dataSource.vendor": "Generic", + "dataSource.name": "Generic Application", + "dataSource.category": "application", + "category_uid": 3, + "category_name": "IAM", + "class_uid": 3002, + "class_name": "Authentication", + "activity_id": 1, + "type_uid": 300201, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + word: "\\S+", + rest: ".*" + }, + + formats: [ + // Successful login + { + id: "generic_login_success", + attributes: { + class_uid: 3002, class_name: "Authentication", + type_uid: 300201, + status_id: 1, status: "Success" + }, + format: ".*INFO User login successful user=$user_name=word$ src_ip=$src_ip=ipv4$ session_id=$session_id=word$", + halt: true + }, + + // Failed authentication → Detection Finding + { + id: "generic_auth_fail", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, type_uid: 200401, + finding_title: "Generic Application Authentication Failure", + severity_id: 4, severity: "High", + disposition_id: 2, disposition: "Blocked", + status_id: 2, status: "Failure" + }, + format: ".*WARNING Failed authentication attempt user=$user_name=word$ src_ip=$src_ip=ipv4$ reason=$reason=word$ attempts=$attempts=word$", + halt: true, + rewrites: [ + // Bump severity if attempts >= 5 (likely brute force) + { input: "attempts", output: "finding_title", match: "^[5-9]$|^\\d{2,}$", replace: "Generic Application Brute Force" }, + { input: "attempts", output: "severity_id", match: "^[5-9]$|^\\d{2,}$", replace: "5" }, + { input: "attempts", output: "severity", match: "^[5-9]$|^\\d{2,}$", replace: "Critical" } + ] + }, + + // Generic ERROR + { + id: "generic_error", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, type_uid: 200401, + finding_title: "Generic Application Error", + severity_id: 3, severity: "Medium" + }, + format: ".*ERROR $detail=rest$", + halt: true + } + ] +} diff --git a/parsers/WatchGuard-OCSF b/parsers/WatchGuard-OCSF new file mode 100644 index 0000000..4fa13cd --- /dev/null +++ b/parsers/WatchGuard-OCSF @@ -0,0 +1,70 @@ +{ + // WatchGuard Fireware syslog parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "WatchGuard", + "metadata.product.name": "Fireware", + "Category": "network", + "dataSource.vendor": "WatchGuard", + "dataSource.name": "Fireware", + "dataSource.category": "firewall", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Network Activity", + "activity_id": 6, + "type_uid": 400106, + "status_id": 1, + "status": "Success", + "severity_id": 1 + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + word: "\\S+", + rest: ".*" + }, + + formats: [ + // Allowed traffic + { + id: "wg_allow", + attributes: { + class_uid: 4001, class_name: "Network Activity", + type_uid: 400106, + disposition_id: 1, disposition: "Allowed" + }, + format: "$ts=rest$ firewall Allow $src_ip=ipv4$ $dst_ip=ipv4$ $service=word$ $src_port=word$ $dst_port=word$ .*", + halt: true + }, + + // Denied traffic → Detection Finding + { + id: "wg_deny", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "WatchGuard Firewall Deny", + severity_id: 3, severity: "Medium", + disposition_id: 2, disposition: "Blocked" + }, + format: "$ts=rest$ firewall Deny $src_ip=ipv4$ $dst_ip=ipv4$ $service=word$ $src_port=word$ $dst_port=word$ .*", + halt: true + }, + + // IPS detection (proxy) + { + id: "wg_ips", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, type_uid: 200401, + finding_title: "WatchGuard IPS Detection", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*IPS-detected $detail=rest$", + halt: true + } + ] +} diff --git a/parsers/WindowsSecurity-OCSF b/parsers/WindowsSecurity-OCSF new file mode 100644 index 0000000..54ddcfb --- /dev/null +++ b/parsers/WindowsSecurity-OCSF @@ -0,0 +1,103 @@ +{ + // Windows Security Event XML parser — OCSF v1.3.0 + // Uses non-greedy patterns that stop at the next XML tag/quote + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Microsoft", + "metadata.product.name": "Windows Security", + "metadata.log_provider": "winlogbeat", + "Category": "host", + "dataSource.vendor": "Microsoft", + "dataSource.name": "Windows Security", + "dataSource.category": "endpoint", + "category_uid": 3, + "category_name": "IAM", + "class_uid": 3002, + "class_name": "Authentication", + "activity_id": 1, + "type_uid": 300201, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + // Anything until next "<" — perfect for XML content + untilLT: "[^<]*", + // Anything until next ">" + untilGT: "[^>]*", + word: "\\S+", + rest: ".*" + }, + + formats: [ + // 4625 = Failed logon → Detection Finding (HIGH) + { + id: "win_4625", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Windows Logon Failure (4625)", + severity_id: 4, severity: "High", + disposition_id: 2, disposition: "Blocked", + status_id: 2, status: "Failure" + }, + format: ".*4625.*$user_name=untilLT$.*$src_ip=untilLT$.*", + halt: true + }, + + // 4720 = User account created → Detection Finding (HIGH) + { + id: "win_4720", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Windows New User Account Created (4720)", + severity_id: 4, severity: "High" + }, + format: ".*4720.*$new_user=untilLT$.*", + halt: true + }, + + // 4732 = User added to security group → Detection Finding (CRITICAL) + { + id: "win_4732", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Windows User Added to Privileged Group (4732)", + severity_id: 5, severity: "Critical" + }, + format: ".*4732.*$member=untilLT$.*$group_name=untilLT$.*", + halt: true + }, + + // 1102 = Audit log cleared (anti-forensics) → Detection Finding (CRITICAL) + { + id: "win_1102", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Windows Audit Log Cleared (1102)", + severity_id: 5, severity: "Critical" + }, + format: ".*1102.*", + halt: true + }, + + // 4624 = Successful logon (informational) + { + id: "win_4624", + attributes: { + class_uid: 3002, class_name: "Authentication", + activity_id: 1, type_uid: 300201, + status_id: 1, status: "Success" + }, + format: ".*4624.*$user_name=untilLT$.*$src_ip=untilLT$.*", + halt: true + } + ] +} diff --git a/parsers/alerts b/parsers/alerts new file mode 100644 index 0000000..101a84d --- /dev/null +++ b/parsers/alerts @@ -0,0 +1,106 @@ +{ + "alerts": [ + { + "trigger": "class_uid='2004' AND severity_id='5' | group n=count() by serverHost, finding_title | filter n >= 1", + "alertTime": 300, + "renotifyPeriodMinutes": 60, + "description": "[Critical] Critical OCSF Detection Findings (any source) \u2014 Fires when any data source reports a Detection Finding with severity_id=5 (Critical). Catches HANA Mass Exfil, SQL Injection, Linux reverse shells, Windows audit clearing, F5 WAF blocks, Palo Alto threats." + }, + { + "trigger": "class_uid='2004' AND severity_id='4' | group n=count() by serverHost, finding_title | filter n >= 1", + "alertTime": 300, + "renotifyPeriodMinutes": 120, + "description": "[High] High-Severity Detection Findings \u2014 All HIGH severity OCSF findings \u2014 SSH brute force, sudo not in sudoers, F5 auth failures, Windows logon failures, Entra ID risky sign-ins." + }, + { + "trigger": "serverHost='linux-ocsf' | parse 'Failed password for $f_user$ from $f_ip$' | parse 'Accepted password for $a_user$ from $a_ip$' | group fails=count(f_user), success=count(a_user) by serverHost, f_ip | filter fails >= 3 and success >= 1", + "alertTime": 600, + "renotifyPeriodMinutes": 60, + "description": "[Critical] Linux SSH Brute-Force Then Successful Logon (Correlation) \u2014 Detects 3+ failed SSH logins followed by a successful logon from the same source IP \u2014 classic credential stuffing kill chain." + }, + { + "trigger": "class_uid='2004' AND src_ip != null | group sources=count() by src_ip | filter sources >= 5", + "alertTime": 3600, + "renotifyPeriodMinutes": 60, + "description": "[Critical] Multi-Source Coordinated Attack (Correlation) \u2014 Same source IP triggers Detection Findings across 2+ different data sources within 1h \u2014 indicates coordinated multi-stage attack (e.g., port scan + brute force + exfil)." + }, + { + "trigger": "serverHost='hana-ocsf' AND class_uid='2004' AND (finding_title contains 'SQL Injection' OR finding_title contains 'Mass Data Extraction')", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[Critical] HANA Database SQL Injection or Mass Exfiltration \u2014 Critical SAP HANA detection: SQL injection patterns OR rows_affected > 1000 indicating data exfiltration." + }, + { + "trigger": "(serverHost='bind-ocsf' OR serverHost='msdns-ocsf') AND class_uid='2004' | group n=count() by finding_title | filter n >= 1", + "alertTime": 600, + "renotifyPeriodMinutes": 60, + "description": "[High] DNS Suspicious Activity (BIND or Microsoft DNS) \u2014 BIND or Microsoft DNS detected suspicious query \u2014 security warnings, AXFR zone transfers, base64 tunneling, or dynamic DNS." + }, + { + "trigger": "serverHost='entra-ocsf' AND class_uid='2004' | group n=count() by finding_title | filter n >= 1", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[High] Cloud Identity Risky Sign-In \u2014 Microsoft Entra ID flagged a sign-in failure or risky activity (auth failure, high-risk, Tor exit node, etc.)." + }, + { + "trigger": "serverHost='f5ltm-ocsf' AND class_uid='2004' AND (finding_title contains 'WAF' OR finding_title contains 'ASM')", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[Critical] Web Application Attack (F5 WAF) \u2014 F5 BIG-IP WAF blocked SQL injection, XSS, or other web attack pattern." + }, + { + "trigger": "serverHost='paloalto-ocsf' AND class_uid='2004'", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[Critical] Palo Alto Threat / C2 Detection \u2014 Palo Alto IPS/threat engine detected vulnerability exploit, spyware/C2, or malware." + }, + { + "trigger": "serverHost='windows-ocsf' AND class_uid='2004' | group n=count() by finding_title | filter n >= 1", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[High] Windows Security Detection Finding \u2014 Any Windows Security Detection Finding \u2014 failed logons (4625), new accounts (4720), privileged group changes (4732), or audit log clearing (1102)." + }, + { + "trigger": "serverHost='windows-ocsf' AND class_uid='2004' AND (finding_title contains '4720' OR finding_title contains '4732')", + "alertTime": 600, + "renotifyPeriodMinutes": 60, + "description": "[High] Windows New User Account Or Privilege Escalation \u2014 EventID 4720 (new user) or 4732 (added to privileged group) \u2014 persistence + privesc." + }, + { + "trigger": "class_uid='3002' AND status_id='2' | group attempts=count() by user_name | filter attempts >= 10", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[High] Authentication Failure Burst (Cross-Source) \u2014 10+ authentication failures (class_uid=3002 status=Failure) across all IAM sources within 5 min \u2014 likely brute force." + }, + { + "trigger": "serverHost='linux-ocsf' AND class_uid='2004' AND (finding_title contains 'Reverse Shell' OR finding_title contains 'Credential Dumping')", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[Critical] Linux Reverse Shell or Credential Dumping Tool \u2014 Linux process activity detected mimikatz / hashdump / kerbrute / python socket reverse shell." + }, + { + "trigger": "(serverHost='fortigate-ocsf' OR serverHost='checkpoint-ocsf') AND class_uid='2004' | group n=count() by serverHost, src_ip | filter n >= 10", + "alertTime": 600, + "renotifyPeriodMinutes": 60, + "description": "[High] Network Firewall Deny / Block (Spike) \u2014 FortiGate or Check Point firewall denied 10+ connections \u2014 likely port scan, lateral movement attempt, or C2 callback." + }, + { + "trigger": "serverHost='darktrace-ocsf' AND class_uid='2004' AND finding_title contains 'AI Analyst' | group n=count() by finding_title | filter n >= 1", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[Critical] Darktrace AI Analyst Incident \u2014 Darktrace AI Analyst raised an incident (lateral movement, data exfil, suspicious SaaS activity, etc.) \u2014 top-priority NDR alert." + }, + { + "trigger": "serverHost='darktrace-ocsf' AND class_uid='2004' AND finding_title contains 'Antigena' | group n=count() by finding_title | filter n >= 1", + "alertTime": 300, + "renotifyPeriodMinutes": 60, + "description": "[High] Darktrace Antigena Autonomous Response Triggered \u2014 Darktrace Antigena autonomously blocked traffic \u2014 confirms a high-confidence threat that the system already mitigated." + }, + { + "trigger": "serverHost='darktrace-ocsf' AND class_uid='2004' AND finding_title contains 'Model Breach' | group n=count() by finding_title | filter n >= 1", + "alertTime": 600, + "renotifyPeriodMinutes": 60, + "description": "[High] Darktrace Model Breach High Score (>=80) \u2014 Darktrace Model Breach with anomaly score >=80 (out of 100) \u2014 high-confidence behavioural anomaly worth investigating." + } + ] +} \ No newline at end of file diff --git a/parsers/bsi-nis2-healthcare-overview b/parsers/bsi-nis2-healthcare-overview new file mode 100644 index 0000000..0ae8c30 --- /dev/null +++ b/parsers/bsi-nis2-healthcare-overview @@ -0,0 +1,585 @@ +{ + "configType": "TABBED", + "duration": "24h", + "description": "BSI / NIS2 healthcare compliance \u2014 Avelios Medical HIS + Omniconnect TI Gateway", + "tabs": [ + { + "tabName": "Overview", + "graphs": [ + { + "title": "BSI / NIS2 Healthcare Compliance \u2014 Overview", + "graphStyle": "markdown", + "markdown": "**Scope:** Avelios Medical Hospital Information System (HIS) + Omniconnect HIS\u2194Telematics Infrastructure (TI) gateway.\n\n**Frameworks:** BSI-Grundschutz \u00b7 NIS2 \u00b7 GDPR \u00b7 gematik TI.\n\nAll events are OCSF-enriched (v1.3.0) by the deployed parsers `Avelios-Medical-OCSF` and `Omniconnect-OCSF`.", + "layout": { + "w": 60, + "h": 4, + "x": 0, + "y": 0 + } + }, + { + "title": "Total Healthcare Events", + "graphStyle": "number", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": " events" + }, + "layout": { + "w": 15, + "h": 8, + "x": 0, + "y": 4 + } + }, + { + "title": "Avelios Events", + "graphStyle": "number", + "query": "serverHost='avelios-medical' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 15, + "y": 4 + } + }, + { + "title": "Omniconnect Events", + "graphStyle": "number", + "query": "serverHost='omniconnect' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 30, + "y": 4 + } + }, + { + "title": "Critical Findings", + "graphStyle": "number", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') severity_id='6' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 45, + "y": 4 + } + }, + { + "title": "Events by Source", + "graphStyle": "donut", + "maxPieSlices": 10, + "dataLabelType": "PERCENTAGE", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') | group ct=count() by serverHost", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 12 + } + }, + { + "title": "OCSF Severity Distribution", + "graphStyle": "donut", + "maxPieSlices": 10, + "dataLabelType": "PERCENTAGE", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') severity_str=* | group ct=count() by severity_str", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 12 + } + }, + { + "title": "Events by OCSF Class (per source)", + "graphStyle": "stacked_bar", + "xAxis": "grouped_data", + "yScale": "linear", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') class_name=* | group ct=count() by class_name, serverHost | sort -ct", + "layout": { + "w": 60, + "h": 16, + "x": 0, + "y": 26 + } + }, + { + "title": "Recent HIGH / CRITICAL events", + "graphStyle": "table", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') (severity_str='HIGH' or severity_str='CRITICAL') | columns timestamp, serverHost, event_category, event_type, severity_str | sort -timestamp | limit 25", + "layout": { + "w": 60, + "h": 18, + "x": 0, + "y": 42 + } + } + ] + }, + { + "tabName": "Avelios HIS", + "graphs": [ + { + "title": "Avelios Medical \u2014 Hospital Information System", + "graphStyle": "markdown", + "markdown": "Patient-data access (PHI / GDPR Art. 32), authentication, administrative changes and security findings.\n\n**Relevant BSI controls:** ORP.4 (Identity Management), OPS.1.1 (Logging), CON.3 (Data Protection), DER.1 (Detection).", + "layout": { + "w": 60, + "h": 4, + "x": 0, + "y": 0 + } + }, + { + "title": "Total Avelios Events", + "graphStyle": "number", + "query": "serverHost='avelios-medical' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 0, + "y": 4 + } + }, + { + "title": "PHI Access Events", + "graphStyle": "number", + "query": "serverHost='avelios-medical' event_category='patient_access' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 15, + "y": 4 + } + }, + { + "title": "Auth Failures", + "graphStyle": "number", + "query": "serverHost='avelios-medical' event_category='authentication' outcome='failure' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 30, + "y": 4 + } + }, + { + "title": "Security Findings", + "graphStyle": "number", + "query": "serverHost='avelios-medical' category_uid='2' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 45, + "y": 4 + } + }, + { + "title": "Avelios \u2014 Event Categories", + "graphStyle": "donut", + "maxPieSlices": 10, + "dataLabelType": "PERCENTAGE", + "query": "serverHost='avelios-medical' event_category=* | group ct=count() by event_category", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 12 + } + }, + { + "title": "Avelios \u2014 Severity Mix", + "graphStyle": "donut", + "maxPieSlices": 10, + "dataLabelType": "PERCENTAGE", + "query": "serverHost='avelios-medical' severity_str=* | group ct=count() by severity_str", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 12 + } + }, + { + "title": "PHI Access (BSI CON.3 / GDPR Art. 32)", + "graphStyle": "table", + "query": "serverHost='avelios-medical' event_category='patient_access' | group ct=count() by event_type, severity_str | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 26 + } + }, + { + "title": "Authentication Outcomes", + "graphStyle": "table", + "query": "serverHost='avelios-medical' event_category='authentication' | group ct=count() by event_type, outcome | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 26 + } + }, + { + "title": "Administrative Changes (BSI ORP.4)", + "graphStyle": "table", + "query": "serverHost='avelios-medical' event_category='administrative' | group ct=count() by event_type, outcome | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 40 + } + }, + { + "title": "Avelios Security Findings", + "graphStyle": "table", + "query": "serverHost='avelios-medical' category_uid='2' | columns timestamp, event_type, severity_str | sort -timestamp | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 40 + } + } + ] + }, + { + "tabName": "Omniconnect", + "graphs": [ + { + "title": "Omniconnect \u2014 HIS \u2194 Telematics Infrastructure (TI)", + "graphStyle": "markdown", + "markdown": "Konnektor health, eGK / HBA / SMC-B card operations, eRezept, ePA, VSDM and KIM secure messaging.\n\n**Relevant frameworks:** gematik TI, BSI TR-03116, NIS2 Annex II.", + "layout": { + "w": 60, + "h": 4, + "x": 0, + "y": 0 + } + }, + { + "title": "Total Omniconnect Events", + "graphStyle": "number", + "query": "serverHost='omniconnect' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 0, + "y": 4 + } + }, + { + "title": "TI Connection Events", + "graphStyle": "number", + "query": "serverHost='omniconnect' event_category='ti_connection' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 15, + "y": 4 + } + }, + { + "title": "Card Operations", + "graphStyle": "number", + "query": "serverHost='omniconnect' event_category='card_operations' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 30, + "y": 4 + } + }, + { + "title": "Cert / Crypto Failures", + "graphStyle": "number", + "query": "serverHost='omniconnect' (event_type='CERTIFICATE_EXPIRED' or event_type='CERTIFICATE_VALIDATION_FAILED' or event_type='ENCRYPTION_FAILED' or event_type='SIGNATURE_VERIFICATION_FAILED') | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 45, + "y": 4 + } + }, + { + "title": "Omniconnect \u2014 Event Categories", + "graphStyle": "donut", + "maxPieSlices": 10, + "dataLabelType": "PERCENTAGE", + "query": "serverHost='omniconnect' event_category=* | group ct=count() by event_category", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 12 + } + }, + { + "title": "Omniconnect \u2014 Severity Mix", + "graphStyle": "donut", + "maxPieSlices": 10, + "dataLabelType": "PERCENTAGE", + "query": "serverHost='omniconnect' severity_str=* | group ct=count() by severity_str", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 12 + } + }, + { + "title": "TI Connection Issues", + "graphStyle": "table", + "query": "serverHost='omniconnect' event_category='ti_connection' outcome!='success' | group ct=count() by event_type, severity_str | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 26 + } + }, + { + "title": "Card Operations (eGK / HBA / SMC-B)", + "graphStyle": "table", + "query": "serverHost='omniconnect' event_category='card_operations' | group ct=count() by event_type, outcome | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 26 + } + }, + { + "title": "eRezept Activity", + "graphStyle": "table", + "query": "serverHost='omniconnect' event_category='erezept' | group ct=count() by event_type, outcome | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 40 + } + }, + { + "title": "ePA / KIM Activity", + "graphStyle": "table", + "query": "serverHost='omniconnect' (event_category='epa' or event_category='kim') | group ct=count() by event_category, event_type | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 40 + } + } + ] + }, + { + "tabName": "Compliance", + "graphs": [ + { + "title": "BSI / NIS2 Compliance Findings", + "graphStyle": "markdown", + "markdown": "OCSF Security Findings (`category_uid=2`) across both healthcare platforms, mapped to BSI-Grundschutz controls and NIS2 Annex II obligations (incident handling, encryption, access control, supply-chain security).", + "layout": { + "w": 60, + "h": 4, + "x": 0, + "y": 0 + } + }, + { + "title": "Total Findings", + "graphStyle": "number", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 0, + "y": 4 + } + }, + { + "title": "CRITICAL Findings", + "graphStyle": "number", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' severity_str='CRITICAL' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 15, + "y": 4 + } + }, + { + "title": "HIGH Findings", + "graphStyle": "number", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' severity_str='HIGH' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 30, + "y": 4 + } + }, + { + "title": "Auth Failures (24h)", + "graphStyle": "number", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='USER_LOGIN_FAILURE' or event_type='CARD_AUTHENTICATION_FAILED' or event_type='CARD_PIN_FAILED') | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 45, + "y": 4 + } + }, + { + "title": "Findings by Type per Source (NIS2 Annex II)", + "graphStyle": "stacked_bar", + "xAxis": "grouped_data", + "yScale": "linear", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' | group ct=count() by event_type, serverHost | sort -ct", + "layout": { + "w": 60, + "h": 18, + "x": 0, + "y": 12 + } + }, + { + "title": "BSI ORP.4 \u2014 Identity & Access Anomalies", + "graphStyle": "table", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='ACCOUNT_LOCKED' or event_type='UNAUTHORIZED_ACCESS_ATTEMPT' or event_type='PRIVILEGE_ESCALATION_ATTEMPT' or event_type='CARD_PIN_BLOCKED') | group ct=count() by serverHost, event_type, severity_str | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 30 + } + }, + { + "title": "BSI CON.1 \u2014 Crypto / Certificate Issues", + "graphStyle": "table", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type contains 'CERTIFICATE' or event_type contains 'ENCRYPTION' or event_type contains 'SIGNATURE') outcome!='success' | group ct=count() by serverHost, event_type, severity_str | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 30 + } + }, + { + "title": "BSI DER.1 \u2014 Threats & Intrusions", + "graphStyle": "table", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='MALWARE_DETECTED' or event_type='INTRUSION_DETECTED' or event_type='TAMPER_DETECTION' or event_type='SECURITY_POLICY_VIOLATION') | columns timestamp, serverHost, event_type, severity_str | sort -timestamp | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 44 + } + }, + { + "title": "GDPR Art. 32 \u2014 Data-Processing Events", + "graphStyle": "table", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='EMERGENCY_ACCESS_OVERRIDE' or event_type='PATIENT_RECORD_DELETE' or event_type='DATA_EXPORT_INITIATED' or event_type='AUDIT_LOG_EXPORT' or event_type='EPA_EMERGENCY_ACCESS') | group ct=count() by serverHost, event_type | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 44 + } + }, + { + "title": "Compliance Control Mapping", + "graphStyle": "markdown", + "markdown": "| Control | BSI / NIS2 ref | Evidence query |\n|---|---|---|\n| Identity & Access | BSI ORP.4 / NIS2 Art. 21(2)(i) | `event_category in (authentication, card_operations)` |\n| Logging & Audit | BSI OPS.1.1 / NIS2 Art. 21(2)(b) | All ingested events |\n| Cryptography | BSI CON.1 / NIS2 Art. 21(2)(h) | `event_type contains CERTIFICATE/ENCRYPTION/SIGNATURE` |\n| Incident Detection | BSI DER.1 / NIS2 Art. 21(2)(c) | `category_uid=2` |\n| Data Protection | BSI CON.3 / GDPR Art. 32 | `event_category=patient_access OR epa` |\n| Supply Chain (TI) | BSI TR-03116 / NIS2 Art. 21(2)(d) | `event_category=ti_connection` |", + "layout": { + "w": 60, + "h": 12, + "x": 0, + "y": 58 + } + } + ] + } + ] +} \ No newline at end of file diff --git a/parsers/checkpoint b/parsers/checkpoint new file mode 100644 index 0000000..818ed87 --- /dev/null +++ b/parsers/checkpoint @@ -0,0 +1,385 @@ +{ + attributes: { + "metadata.version": "3.0.0", + "dataSource.vendor": "Check Point", + "dataSource.name": "Check Point Firewall", + "dataSource.category": "security", + "metadata.product.vendor_name": "Check Point", + "metadata.product.name": "Next Generation Firewall", + "metadata.log_provider": "syslog", + "severity_id": 1, + "severity": "Informational" + }, + + patterns: { + ip: "\\d+\\.\\d+\\.\\d+\\.\\d+", + num: "\\d+", + word: "[\\w-]+", + qval: "[^;\"]+", + uuid: "\\{[^}]+\\}", + rest: ".*" + }, + + formats: [ + // ═══════════════════════════════════════════════════════════════════════════ + // PIPE-DELIMITED: time=...|action=...|src=...|dst=... + // ═══════════════════════════════════════════════════════════════════════════ + + // PIPE - Firewall Accept + { + id: "cp_pipe_accept", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106, + disposition_id: 1, disposition: "Allowed" + }, + format: "time=$time_epoch=num$[|]hostname=$cp_hostname=word$[|]product=$cp_product=word$[|]layer_name=$layer_name=word$[|]action=Accept[|]rule_uid=$rule_uid=qval$[|]ifdir=$iface_dir=word$[|]ifname=$iface_name=word$[|]loguid=$log_uid=uuid$[|]origin=$origin_ip=ip$[|]src=$src_ip=ip$[|]dst=$dst_ip=ip$[|]proto=$proto_num=num$[|]s_port=$src_port=num$[|]service=$dst_port=num$.*", + halt: true + }, + + // PIPE - Firewall Drop + { + id: "cp_pipe_drop", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + disposition_id: 2, disposition: "Blocked", + severity_id: 3, severity: "Medium", + "finding_info.title": "Check Point Firewall Block", + confidence_id: 3, confidence: "High" + }, + format: "time=$time_epoch=num$[|]hostname=$cp_hostname=word$[|]product=$cp_product=word$.*action=Drop.*src=$src_ip=ip$[|]dst=$dst_ip=ip$[|]proto=$proto_num=num$.*", + halt: true + }, + + // PIPE - Generic firewall fallback (any pipe format with src/dst) + { + id: "cp_pipe_fw", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106 + }, + format: "time=$time_epoch=num$[|].*src=$src_ip=ip$[|]dst=$dst_ip=ip$.*", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // SEMICOLON FORMAT: [field:"value"; ...] + // Fields appear in alphabetical order in CP Log Exporter + // ═══════════════════════════════════════════════════════════════════════════ + + // IDENTITY AWARENESS - Auth Success (no dst field, must precede generic Accept) + { + id: "cp_auth_ok", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon", + type_uid: 300201, + status_id: 1, status: "Success" + }, + format: ".*action:\"Accept\";.*product:\"Identity Awareness\";.*user:\"$user_name=qval$\";.*auth_method:\"$auth_method=qval$\";.*identity_src:\"$identity_src=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // IDENTITY AWARENESS - Auth Failure + { + id: "cp_auth_fail", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon", + type_uid: 300201, + status_id: 2, status: "Failure", + severity_id: 3, severity: "Medium" + }, + format: ".*action:\"Reject\";.*product:\"Identity Awareness\";.*user:\"$user_name=qval$\";.*auth_method:\"$auth_method=qval$\";.*reason:\"$status_detail=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // ANTI-BOT + { + id: "cp_antibot", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + severity_id: 5, severity: "Critical", + "finding_info.title": "Check Point Anti-Bot Detection", + confidence_id: 3, confidence: "High" + }, + format: ".*action:\"$cp_action=word$\";.*product:\"Anti-Bot\";.*malware_name:\"$malware_name=qval$\";.*protection_name:\"$protection=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // ANTI-VIRUS + { + id: "cp_antivirus", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + severity_id: 5, severity: "Critical", + "finding_info.title": "Check Point Anti-Virus Detection", + confidence_id: 3, confidence: "High" + }, + format: ".*action:\"$cp_action=word$\";.*product:\"Anti-Virus\";.*malware:\"$malware_name=qval$\";.*file_name:\"$file_name=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // THREAT EMULATION + { + id: "cp_te", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + severity_id: 6, severity: "Fatal", + "finding_info.title": "Check Point Threat Emulation", + confidence_id: 3, confidence: "High" + }, + format: ".*action:\"$cp_action=word$\";.*product:\"Threat Emulation\";.*malware:\"$malware_name=qval$\";.*file_name:\"$file_name=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // IPS + { + id: "cp_ips", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + severity_id: 4, severity: "High", + "finding_info.title": "Check Point IPS Detection", + confidence_id: 3, confidence: "High" + }, + format: ".*action:\"$cp_action=word$\";.*product:\"IPS\";.*attack:\"$attack=qval$\";.*protection_name:\"$protection=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // SMARTDEFENSE (Legacy IPS) + { + id: "cp_smartdef", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + severity_id: 4, severity: "High", + "finding_info.title": "Check Point SmartDefense" + }, + format: ".*action:\"$cp_action=word$\";.*product:\"SmartDefense\";.*attack:\"$attack=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // URL FILTERING - Block + { + id: "cp_urlf_block", + attributes: { + class_uid: 4002, class_name: "HTTP Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400206, + disposition_id: 2, disposition: "Blocked", + severity_id: 2, severity: "Low" + }, + format: ".*action:\"Block\";.*product:\"URL Filtering\";.*resource:\"$url=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // URL FILTERING - Allow + { + id: "cp_urlf_allow", + attributes: { + class_uid: 4002, class_name: "HTTP Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400206, + disposition_id: 1, disposition: "Allowed" + }, + format: ".*action:\"$cp_action=word$\";.*product:\"URL Filtering\";.*resource:\"$url=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // APPLICATION CONTROL + { + id: "cp_appc", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106 + }, + format: ".*action:\"$cp_action=word$\";.*product:\"Application Control\";.*appi_name:\"$app_name=qval$\";.*app_category:\"$app_cat=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // VPN + { + id: "cp_vpn", + attributes: { + class_uid: 4014, class_name: "Tunnel Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Open", + type_uid: 401401, + status_id: 1, status: "Success" + }, + format: ".*action:\"$cp_action=qval$\";.*product:\"VPN\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*user:\"$user_name=qval$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // DLP + { + id: "cp_dlp", + attributes: { + class_uid: 2006, class_name: "Data Security Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200601, + severity_id: 4, severity: "High", + "finding_info.title": "Check Point DLP Violation" + }, + format: ".*action:\"$cp_action=word$\";.*product:\"DLP\";.*dlp_rule_name:\"$dlp_rule=qval$\";.*file_name:\"$file_name=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // SMARTCONSOLE Audit + { + id: "cp_audit", + attributes: { + class_uid: 3004, class_name: "Entity Management", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 0, activity_name: "Unknown", + type_uid: 300400 + }, + format: ".*product:\"SmartConsole\";.*administrator:\"$admin_user=qval$\";.*operation:\"$operation=qval$\";.*object_name:\"$obj_name=qval$\";.*object_type:\"$obj_type=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // FIREWALL ACCEPT - generic with rule_name + { + id: "cp_fw_accept", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106, + disposition_id: 1, disposition: "Allowed" + }, + format: ".*action:\"Accept\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*rule_name:\"$rule_name=qval$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*", + halt: true + }, + + // FIREWALL ACCEPT - without rule_name + { + id: "cp_fw_accept_norule", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106, + disposition_id: 1, disposition: "Allowed" + }, + format: ".*action:\"Accept\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*", + halt: true + }, + + // FIREWALL DROP + { + id: "cp_fw_drop", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + disposition_id: 2, disposition: "Blocked", + severity_id: 3, severity: "Medium", + "finding_info.title": "Check Point Firewall Block", + confidence_id: 3, confidence: "High" + }, + format: ".*action:\"Drop\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*rule_name:\"$rule_name=qval$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*", + halt: true + }, + + // FIREWALL REJECT + { + id: "cp_fw_reject", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + disposition_id: 2, disposition: "Blocked", + severity_id: 3, severity: "Medium", + "finding_info.title": "Check Point Firewall Reject", + confidence_id: 3, confidence: "High" + }, + format: ".*action:\"Reject\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*rule_name:\"$rule_name=qval$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*", + halt: true + }, + + // GENERIC FALLBACK - just extract src/dst if present + { + id: "cp_fallback", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 0, activity_name: "Unknown", + type_uid: 400100 + }, + format: ".*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*" + } + ], + + mappings: { + version: 1, + mappings: [ + { + transformations: [ + { rename: { from: "src_ip", to: "src_endpoint.ip" } }, + { rename: { from: "dst_ip", to: "dst_endpoint.ip" } }, + { rename: { from: "src_port", to: "src_endpoint.port" } }, + { rename: { from: "dst_port", to: "dst_endpoint.port" } }, + { rename: { from: "iface_name", to: "src_endpoint.interface_name" } }, + { rename: { from: "proto_num", to: "connection_info.protocol_num" } }, + { rename: { from: "iface_dir", to: "connection_info.direction" } }, + { rename: { from: "user_name", to: "actor.user.name" } }, + { rename: { from: "admin_user", to: "actor.user.name" } }, + { rename: { from: "rule_name", to: "firewall_rule.name" } }, + { rename: { from: "rule_uid", to: "firewall_rule.uid" } }, + { rename: { from: "app_name", to: "app.name" } }, + { rename: { from: "app_cat", to: "app.category" } }, + { rename: { from: "url", to: "http_request.url.original" } }, + { rename: { from: "malware_name", to: "malware.name" } }, + { rename: { from: "attack", to: "finding_info.title" } }, + { rename: { from: "protection", to: "finding_info.desc" } }, + { rename: { from: "file_name", to: "file.name" } }, + { rename: { from: "auth_method", to: "auth_protocol" } }, + { rename: { from: "dlp_rule", to: "policy.name" } }, + { rename: { from: "operation", to: "activity_name" } }, + { rename: { from: "obj_name", to: "entity.name" } }, + { rename: { from: "obj_type", to: "entity.type" } }, + { rename: { from: "status_detail", to: "status_detail" } }, + { rename: { from: "origin_ip", to: "device.ip" } }, + { rename: { from: "cp_hostname", to: "device.hostname" } }, + { rename: { from: "cp_product", to: "metadata.product.feature.name" } }, + { rename: { from: "log_uid", to: "metadata.uid" } }, + { rename: { from: "cp_action", to: "unmapped.action" } }, + { rename: { from: "layer_name", to: "unmapped.layer_name" } }, + { rename: { from: "identity_src", to: "unmapped.identity_source" } }, + { rename: { from: "time_epoch", to: "unmapped.time_epoch" } } + ] + } + ] + } +} diff --git a/parsers/cisco_ise_logs-latest b/parsers/cisco_ise_logs-latest new file mode 100644 index 0000000..49ad85a --- /dev/null +++ b/parsers/cisco_ise_logs-latest @@ -0,0 +1,77 @@ +{ + attributes: { + "dataSource.category": "security", + "dataSource.name": "Cisco ISE", + "dataSource.vendor": "Cisco", + "metadata.product.name": "Cisco Identity Services Engine", + "metadata.product.vendor_name": "Cisco", + "metadata.version": "1.0.0" + }, + patterns: { + timestamp: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3})?[+-]\\d{2}:\\d{2}|\\w{3}\\s+\\d{1,2}\\s+\\d{2}:\\d{2}:\\d{2}", + ipv4: "(?:\\d{1,3}\\.){3}\\d{1,3}", + macaddr: "([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}" + }, + formats: [ + { + attributes: { + class_uid: "3002", + category_uid: "3", + severity_id: "1", + class_name: "Authentication", + category_name: "Identity & Access Management", + "metadata.product.name": "Cisco Identity Services Engine", + "metadata.product.vendor_name": "Cisco", + "dataSource.category": "security", + "dataSource.name": "Cisco ISE", + "dataSource.vendor": "Cisco" + }, + format: "$timestamp=timestamp$ $hostname$ CISE_System_Alarms $log_id$,$log_id2$,$severity$,$category$,$message$,$user$,$ip=ipv4$,$mac=macaddr$,$endpoint_id$,$auth_method$,$auth_protocol$" + }, + { + attributes: { + class_uid: "3002", + category_uid: "3", + severity_id: "2", + class_name: "Authentication", + category_name: "Identity & Access Management", + "metadata.product.name": "Cisco Identity Services Engine", + "metadata.product.vendor_name": "Cisco", + "dataSource.category": "security", + "dataSource.name": "Cisco ISE", + "dataSource.vendor": "Cisco" + }, + format: "$timestamp=timestamp$ $hostname$ CISE_Passed_Authentications $log_id$,$log_id2$,$severity$,$category$,User-Name=$user$,NAS-IP-Address=$nas_ip=ipv4$,Calling-Station-Id=$mac=macaddr$,Framed-IP-Address=$ip=ipv4$,Authentication passed" + }, + { + attributes: { + class_uid: "3002", + category_uid: "3", + severity_id: "4", + class_name: "Authentication", + category_name: "Identity & Access Management", + "metadata.product.name": "Cisco Identity Services Engine", + "metadata.product.vendor_name": "Cisco", + "dataSource.category": "security", + "dataSource.name": "Cisco ISE", + "dataSource.vendor": "Cisco" + }, + format: "$timestamp=timestamp$ $hostname$ CISE_Failed_Attempts $log_id$,$log_id2$,$severity$,$category$,User-Name=$user$,NAS-IP-Address=$nas_ip=ipv4$,Calling-Station-Id=$mac=macaddr$,Authentication failed,$failure_reason$" + }, + { + attributes: { + class_uid: "3001", + category_uid: "3", + severity_id: "2", + class_name: "Account Change", + category_name: "Identity & Access Management", + "metadata.product.name": "Cisco Identity Services Engine", + "metadata.product.vendor_name": "Cisco", + "dataSource.category": "security", + "dataSource.name": "Cisco ISE", + "dataSource.vendor": "Cisco" + }, + format: "$timestamp=timestamp$ $hostname$ CISE_Administrator $log_id$,$log_id2$,$severity$,$category$,Admin-Name=$admin_user$,Admin-Session-Id=$session_id$,Object-Name=$object_name$,Change-Type=$change_type$,Object-Type=$object_type$" + } + ] +} \ No newline at end of file diff --git a/parsers/cisco_umbrella-latest b/parsers/cisco_umbrella-latest new file mode 100644 index 0000000..e8e5ea5 --- /dev/null +++ b/parsers/cisco_umbrella-latest @@ -0,0 +1,25 @@ +{ + // specify a time zone if the timestamps in your log are not in GMT + // timezone: "GMT-0800" + + patterns: { + tsPattern: "\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}" + }, + formats: [ + { + format: "\"$timestamp=tsPattern$\",\"$PolicyIdentityLabel$\",\"$InternalClientIP$\",\"$ExternalClientIP$\",\"$DestinationIP$\",\"$ContentType$\",\"$Action$\",\"$url$\",\"$Referer$\",\"$UserAgent$\",\"$StatusCode$\",\"$RequestSize$\",\"$ResponseSize$\",\"$ResponseBodySize$\",\"$SHA-SHA256$\",\"$Categories$\",\"$AVDetections$\",\"$PUAs$\",\"$AMPDisposition$\",\"$AMPMalwareName$\",\"$AMPScore$\",\"$PolicyIdentityType$\",\"$BlockedCategories$\",\"$Identities$\",\"$IdentityTypes$\",\"$RequestMethod$\",\"$DLPStatus$\",\"$CertificateErrors$\",\"$Filename$\",\"$RulesetID$\",\"$RuleID$\",\"$DestinationsListIDs$\"", + attributes: {"dataSource.vendor": "Cisco", "dataSource.name": "Cisco Umbrella", "LogType": "proxylogs"}, + halt: true + }, + { + format: "\"$timestamp=tsPattern$\",\"$MostGranularIdentity$\",\"$Identities$\",\"$InternalIP$\",\"$ExternalIP$\",\"$Action$\",\"$QueryType$\",\"$ResponseCode$\",\"$Domain$\",\"$Categories$\",\"$MostGranularIdentityType$\",\"$IdentityTypes$\",\"$BlockedCategories$\"", + attributes: {"dataSource.vendor": "Cisco", "dataSource.name": "Cisco Umbrella", "LogType": "dnslogs"}, + halt: true + }, + { + format: "\"$ID$\",\"$timestamp=tsPattern$\",\"$Email$\",\"$User$\",\"$Type$\",\"$Action$\",\"$LoggedInFrom$\",\"$Before$\",\"$After$\"", + attributes: {"dataSource.vendor": "Cisco", "dataSource.name": "Cisco Umbrella", "LogType": "auditlogs"}, + halt: true + } + ] +} \ No newline at end of file diff --git a/parsers/claude_test_mikrotik b/parsers/claude_test_mikrotik new file mode 100644 index 0000000..7ec859c --- /dev/null +++ b/parsers/claude_test_mikrotik @@ -0,0 +1,136 @@ +{ + attributes: { + // Required pipeline defaults + "metadata.version": "1.1.0", + "dataSource.vendor": "MikroTik", + "dataSource.name": "MikroTik RouterOS", + "dataSource.category": "network", + // Product metadata + "metadata.product.vendor_name": "MikroTik", + "metadata.product.name": "RouterOS", + "metadata.log_provider": "syslog" + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + mac: "[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}", + number: "\\d+", + word: "\\w+", + iface: "[\\w.-]+" + }, + + formats: [ + // ───────────────────────────────────────────────────────────────────────── + // FIREWALL (Network Activity 4001) + // ───────────────────────────────────────────────────────────────────────── + { + // forward in:ether1 out:ether2, src-mac 00:11:22:33:44:55, proto TCP, 192.168.1.10:54321->8.8.8.8:443, len 64 + id: "firewall_full", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic" + }, + format: + "$disposition=word$ in:$src_endpoint.interface_name=iface$ out:$dst_endpoint.interface_name=iface$, " + + "src-mac $src_endpoint.mac=mac$, proto $connection_info.protocol_name=word$, " + + "$src_endpoint.ip=ipv4$:$src_endpoint.port=number$->$dst_endpoint.ip=ipv4$:$dst_endpoint.port=number$, len $traffic.bytes=number$", + halt: true + }, + { + // forward: in:ether1 out:ether2, src-address 192.168.1.10, dst-address 8.8.8.8 + id: "firewall_simple", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic" + }, + format: + "$disposition=word$: in:$src_endpoint.interface_name=iface$ out:$dst_endpoint.interface_name=iface$, " + + "src-address $src_endpoint.ip=ipv4$, dst-address $dst_endpoint.ip=ipv4$", + halt: true + }, + + // ───────────────────────────────────────────────────────────────────────── + // DHCP (DHCP Activity 4004) + // ───────────────────────────────────────────────────────────────────────── + { + // dhcp,info leased 192.168.1.100 for 00:11:22:33:44:55 + id: "dhcp_lease", + attributes: { + class_uid: 4004, class_name: "DHCP Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Lease" + }, + format: "$dhcp.action=word$ $dst_endpoint.ip=ipv4$ for $dst_endpoint.mac=mac$", + halt: true + }, + + // ───────────────────────────────────────────────────────────────────────── + // WIRELESS (Network Activity 4001) + // ───────────────────────────────────────────────────────────────────────── + { + // connected, 00:11:22:33:44:55@wlan1, signal-strength=-65 + id: "wireless", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Open" + }, + format: "$status=word$, $src_endpoint.mac=mac$@$src_endpoint.interface_name=iface$, signal-strength=$unmapped.wireless_signal$", + halt: true + }, + + // ───────────────────────────────────────────────────────────────────────── + // AUTHENTICATION (Authentication 3002) + // ───────────────────────────────────────────────────────────────────────── + { + // user admin logged in from 192.168.1.5 via winbox + id: "login", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon" + }, + format: "user $actor.user.name=word$ $status$ from $src_endpoint.ip=ipv4$ via $auth_protocol=word$", + halt: true + }, + { + // connected from 203.0.113.50 + id: "vpn_connect", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon", + auth_protocol: "PPP" + }, + format: "<$actor.user.name$> $status=word$ from $src_endpoint.ip=ipv4$", + halt: true + }, + { + // disconnected, uptime 1h30m, bytes-in=12345, bytes-out=67890 + id: "vpn_disconnect", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 2, activity_name: "Logoff", + auth_protocol: "PPP" + }, + format: "<$actor.user.name$> disconnected, uptime $session.duration$, bytes-in=$traffic.bytes_in=number$, bytes-out=$traffic.bytes_out=number$", + halt: true + }, + + // ───────────────────────────────────────────────────────────────────────── + // GENERIC FALLBACK + // ───────────────────────────────────────────────────────────────────────── + { + id: "generic", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 0, activity_name: "Unknown" + }, + format: "$unmapped.facility=word$,$unmapped.topic=word$: $unmapped.body$" + } + ] +} diff --git a/parsers/darktrace_darktrace_logs-latest b/parsers/darktrace_darktrace_logs-latest new file mode 100644 index 0000000..6a6d85b --- /dev/null +++ b/parsers/darktrace_darktrace_logs-latest @@ -0,0 +1,70 @@ +{ + "attributes": { + "dataSource.vendor": "Darktrace", + "dataSource.name": "Darktrace", + "marc_test_signature": "MARC-PARSER-ACTIVE-99999", + "dataSource.category": "ndr", + "metadata.product.vendor_name": "Darktrace", + "metadata.product.name": "Enterprise Immune System", + "metadata.version": "1.3.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { "constant": { "value": 2, "field": "category_uid" } }, + { "constant": { "value": "Findings", "field": "category_name" } }, + { "constant": { "value": 2004, "field": "class_uid" } }, + { "constant": { "value": "Detection Finding", "field": "class_name" } }, + { "constant": { "value": 200401, "field": "type_uid" } }, + { "constant": { "value": "Detection Finding: Create", "field": "type_name" } }, + { "constant": { "value": 1, "field": "activity_id" } }, + { "constant": { "value": "Create", "field": "activity_name" } }, + { "constant": { "value": 1, "field": "status_id" } }, + { "constant": { "value": "New", "field": "status" } }, + + { "copy": { "from": "unmapped.creationTime", "to": "time" } }, + { "copy": { "from": "unmapped.creationTime", "to": "finding_info.created_time" } }, + { "copy": { "from": "unmapped.time", "to": "finding_info.last_seen_time" } }, + + { "copy": { "from": "unmapped.pbid", "to": "external_id" } }, + { "copy": { "from": "unmapped.pbid", "to": "metadata.correlation_uid" } }, + { "copy": { "from": "unmapped.incidentId", "to": "external_id" } }, + + { "copy": { "from": "unmapped.title", "to": "finding_title" } }, + { "copy": { "from": "unmapped.title", "to": "finding.title" } }, + { "copy": { "from": "unmapped.summary", "to": "finding_info.desc" } }, + { "copy": { "from": "unmapped.category", "to": "metadata.product.feature.uid" } }, + + { "copy": { "from": "unmapped.model.name", "to": "finding_title" } }, + { "copy": { "from": "unmapped.model.name", "to": "finding.title" } }, + { "copy": { "from": "unmapped.model.uuid", "to": "finding_uid" } }, + { "copy": { "from": "unmapped.model.uuid", "to": "finding.uid" } }, + { "copy": { "from": "unmapped.model.description", "to": "finding_info.description" } }, + + { "copy": { "from": "unmapped.device.ip", "to": "src_ip" } }, + { "copy": { "from": "unmapped.device.ip", "to": "src_endpoint.ip" } }, + { "copy": { "from": "unmapped.device.ip", "to": "device.ip" } }, + { "copy": { "from": "unmapped.device.hostname", "to": "src_endpoint.hostname" } }, + { "copy": { "from": "unmapped.device.hostname", "to": "device.hostname" } }, + { "copy": { "from": "unmapped.device.hostname", "to": "device.name" } }, + { "copy": { "from": "unmapped.device.mac", "to": "src_endpoint.mac" } }, + { "copy": { "from": "unmapped.device.mac", "to": "device.mac" } }, + { "copy": { "from": "unmapped.device.os", "to": "device.os.name" } }, + { "copy": { "from": "unmapped.device.type", "to": "device.type" } }, + + { "copy": { "from": "unmapped.score", "to": "risk_score" } }, + { "copy": { "from": "unmapped.score", "to": "confidence_score" } } + ] + } + ] + } +} diff --git a/parsers/f5_networks_logs-latest b/parsers/f5_networks_logs-latest new file mode 100644 index 0000000..a748cb8 --- /dev/null +++ b/parsers/f5_networks_logs-latest @@ -0,0 +1,26 @@ +{ + attributes: { + class_uid: "5002", + category_uid: "4", + severity_id: "0", + class_name: "F5 Web Traffic", + category_name: "F5 HTTP Access Logs", + "metadata.product.name": "F5 BIG-IP", + "metadata.product.vendor_name": "F5 Networks", + "dataSource.category": "network", + "dataSource.name": "F5 BIG-IP", + "dataSource.vendor": "F5" + }, + patterns: { + timestamp: "\\d{4}/\\d{2}/\\d{2}\\s+\\d{2}:\\d{2}:\\d{2}", + ipv4: "(?:\\d{1,3}\\.){3}\\d{1,3}", + quote: "\"[^\"]*\"", + number: "\\d+" + }, + formats: [ + { + format: ".*$_=identifier$=$_$(?:\\,|\\r)", + repeat: true + } + ] +} \ No newline at end of file diff --git a/parsers/fortinet_fortigate_candidate_logs-latest b/parsers/fortinet_fortigate_candidate_logs-latest new file mode 100644 index 0000000..6c8a052 --- /dev/null +++ b/parsers/fortinet_fortigate_candidate_logs-latest @@ -0,0 +1,316 @@ +{ + /* + * A parser for Fortigate syslog. + * + * It will split every key/value pair to a field 'fortinet.fieldname' + * Uses rewrites to rewrite the field to OCSF field used by SentinelOne SDL + * + * Instructions: + * + * - Use the format "default" in FortiGate configuration: + * - ssh to fg device + * commands: + * config log syslogd settings + * set format default + * end + * + * - fill in site ID if you want the data to be surfaced in the context of a SITE, or remove the attribute below. + * + * + * Contributors: Mischa Deden , Jan Tietze (original parser) + */ + "patterns": + { + "dateTimePattern": "date=\\d+-\\d+-\\d+ time=\\d+:\\d+:\\d+" + }, + + "attributes": + { + "dataSource.category": "security", + "dataSource.name": "Fortigate", + "dataSource.vendor": "Fortinet" + }, + + "formats": [ + { + "format": "^<$syslog.priority{parse=syslogPriority}$>$datetime=dateTimePattern$", + "rewrites": [ + { + "input": "datetime", + "output": "timestamp", + "match": "date=(\\d+-\\d+-\\d+) time=(\\d+:\\d+:\\d+)", + "replace": "$1 $2" + } + ] + }, { + "format": ".*$_=identifier$=$fortinet._=quoteOrSpace$", + "repeat": true, + "rewrites": [ + { + "input": "fortinet.action", + "output": "event.network.connectionStatus", + "match": ".*", + "replace": "$0" + }, + { + "input": "fortinet.subtype", + "output": "event.network.direction", + "match": ".*", + "replace": "$0" + }, + { + "input": "fortinet.service", + "output": "event.network.protocolName", + "match": ".*", + "replace": "$0" + }, + { + "input": "fortinet.srcip", + "match": ".*", + "output": "event.source", + "replace": "$0" + }, + { + "input": "fortinet.srcip", + "match": ".*", + "output": "src_endpoint.ip", + "replace": "$0" + }, + { + "input": "fortinet.srcport", + "match": ".*", + "output": "src_endpoint.port", + "replace": "$0" + }, + { + "input": "fortinet.srcmac", + "match": ".*", + "output": "src_endpoint.mac", + "replace": "$0" + }, + { + "input": "fortinet.dstip", + "match": ".*", + "output": "dst_endpoint.ip", + "replace": "$0" + }, + { + "input": "fortinet.dstip", + "match": ".*", + "output": "dst.ipaddress", + "replace": "$0" + }, + { + "input": "fortinet.dstip", + "match": ".*", + "output": "event.target", + "replace": "$0" + }, + { + "input": "fortinet.dstport", + "match": ".*", + "output": "dst_endpoint.port", + "replace": "$0" + }, + { + "input": "fortinet.dstport", + "match": ".*", + "output": "dst.port.number", + "replace": "$0" + }, + { + "input": "fortinet.dstmac", + "match": ".*", + "output": "dst_endpoint.mac", + "replace": "$0" + }, + { + "input": "fortinet.subtype", + "match": ".*", + "output": "activity_name", + "replace": "$0" + }, + { + "input": "fortinet.subtype", + "match": ".*", + "output": "activity_id", + "replace": "$0" + }, + { + "input": "fortinet.subtype", + "match": ".*", + "output": "event.type", + "replace": "$0" + }, + { + "input": "fortinet.severity", + "match": ".*", + "output": "severity_id", + "replace": "99" + }, + { + "input": "fortinet.severity", + "match": "^information$", + "output": "severity_id", + "replace": "1" + }, + { + "input": "fortinet.severity", + "match": "^critical$", + "output": "severity_id", + "replace": "5" + }, + { + "input": "fortinet.severity", + "match": "^Emergency$", + "output": "severity_id", + "replace": "6" + }, + { + "input": "fortinet.severity", + "match": "^information$", + "output": "severity_id", + "replace": "1" + }, + { + "input": "fortinet.severity", + "match": "^critical$", + "output": "severity_id", + "replace": "5" + }, + { + "input": "fortinet.severity", + "match": "^Emergency$", + "output": "severity_id", + "replace": "6" + }, + { + "input": "fortinet.action", + "match": ".*", + "output": "activity_name", + "replace": "$0" + }, + { + "input": "fortinet.action", + "match": "^(accept|permit)$", + "output": "activity_name", + "replace": "Open" + }, + { + "input": "fortinet.action", + "match": "^(dropped|close|shutdown)$", + "output": "activity_name", + "replace": "Close" + }, + { + "input": "fortinet.action", + "match": "^clear_session", + "output": "activity_name", + "replace": "Reset" + }, + { + "input": "fortinet.action", + "match": "^(block|blocked)$", + "output": "activity_name", + "replace": "Refuse" + }, + { + "input": "activity_name", + "match": ".*", + "output": "activity_id", + "replace": "99" + }, + { + "input": "activity_name", + "match": "^Open", + "output": "activity_id", + "replace": "1" + }, + { + "input": "activity_name", + "match": "^Close", + "output": "activity_id", + "replace": "2" + }, + { + "input": "activity_name", + "match": "^Reset", + "output": "activity_id", + "replace": "3" + }, + { + "input": "activity_name", + "match": "^Refuse", + "output": "activity_id", + "replace": "5" + }, + { + "input": "activity_name", + "match": ".*", + "output": "event.type", + "replace": "$0" + }, + { + "input": "fortinet.severity", + "match": ".*", + "output": "severity_id", + "replace": "99" + }, + { + "input": "fortinet.severity", + "match": "^(information|Information)$", + "output": "severity_id", + "replace": "1" + }, + { + "input": "fortinet.severity", + "match": "^(critical|Critical)$", + "output": "severity_id", + "replace": "5" + }, + { + "input": "fortinet.severity", + "match": "^(emergency|Emergency)$", + "output": "severity_id", + "replace": "6" + }, + { + "input": "activity_id", + "match": "(.*)", + "output": "type_uid", + "replace": "40010$0" + }, + { + "input": "activity_id", + "match": "99", + "output": "type_uid", + "replace": "400199" + }, + { + "input": "activity_name", + "match": "(.*)", + "output": "type_name", + "replace": "Network Activity: $0" + }, + { + "input": "fortinet.sentbyte", + "match": "(.*)", + "output": "traffic.bytes_in", + "replace": "$0" + }, + { + "input": "fortinet.rcvdbyte", + "match": "(.*)", + "output": "traffic.bytes_out", + "replace": "$0" + }, + { + "input": "message", + "match": ".*srcip\\=(\\S+)\\s.*dstip\\=(\\S+)\\s.*dstmac\\=\"(.*?)\"\\s.*", + "output": "observables", + "replace": "\\[\\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"fortinet.srcip\"\\, \"value\"\\: \"$1\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"fortinet.dstip\"\\, \"value\"\\: \"$2\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"fortinet.dstmac\"\\, \"value\"\\: \"$3\"\\}\\]" + } + ] + } + ] + } diff --git a/parsers/github_audit-latest b/parsers/github_audit-latest new file mode 100644 index 0000000..0bfd4b1 --- /dev/null +++ b/parsers/github_audit-latest @@ -0,0 +1,75 @@ +{ + "attributes": { + "dataSource.vendor": "GitHub", + "dataSource.name": "GitHub Audit", + "dataSource.category": "security", + "dataSource.technology": "source_control" + }, + + "formats": [ + { + "id": "github_audit_json", + "format": "$unmapped.{parse=gron}$", + "attributes": { + "class_uid": 8001, + "class_name": "DevOps Activity", + "category_uid": 8, + "category_name": "System Activity", + "type_uid": 800101, + "activity_id": 1, + "activity_name": "Repository Activity", + "severity_id": 1 + }, + "rewrites": [ + { + "input": "timestamp", + "output": "time", + "match": ".*", + "replace": "$0" + }, + { + "input": "actor", + "output": "user.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "source_ip", + "output": "src_endpoint.ip", + "match": ".*", + "replace": "$0" + }, + { + "input": "org", + "output": "metadata.tenant_uid", + "match": ".*", + "replace": "$0" + }, + { + "input": "repository", + "output": "resource.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "action", + "output": "activity_name", + "match": ".*", + "replace": "$0" + }, + { + "input": "outcome", + "output": "status", + "match": ".*", + "replace": "$0" + }, + { + "input": "description", + "output": "message", + "match": ".*", + "replace": "$0" + } + ] + } + ] +} \ No newline at end of file diff --git a/parsers/harness_ci-latest b/parsers/harness_ci-latest new file mode 100644 index 0000000..e9c3ebc --- /dev/null +++ b/parsers/harness_ci-latest @@ -0,0 +1,261 @@ +{ + "attributes": { + "dataSource.vendor": "Harness", + "dataSource.name": "Harness CI/CD", + "dataSource.category": "security", + "metadata.product.vendor_name": "Harness", + "metadata.product.name": "Harness CI/CD", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$timestamp$ Harness pipelineId=\"$pipeline_id$\" executionId=\"$execution_id$\" status=\"$status$\" trigger=\"$trigger$\" initiator=\"$initiator$\" message=\"$message$\"", + "rewrites": [ + { + "input": "timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "pipeline_id", + "output": "job.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "execution_id", + "output": "job.uid", + "match": ".*", + "replace": "$0" + }, + { + "input": "status", + "output": "status_detail", + "match": ".*", + "replace": "$0" + }, + { + "input": "trigger", + "output": "job.run_type", + "match": ".*", + "replace": "$0" + }, + { + "input": "initiator", + "output": "actor.user.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "message", + "output": "message", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "status_detail = *", + "transformations": [ + { + "constant": { + "value": 6003, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Job Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": 6, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Application Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "status_detail = 'STARTED' OR status_detail = 'RUNNING'" + } + }, + { + "constant": { + "value": "Start", + "field": "activity_name", + "predicate": "status_detail = 'STARTED' OR status_detail = 'RUNNING'" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id", + "predicate": "status_detail = 'SUCCEEDED'" + } + }, + { + "constant": { + "value": "Complete", + "field": "activity_name", + "predicate": "status_detail = 'SUCCEEDED'" + } + }, + { + "constant": { + "value": 3, + "field": "activity_id", + "predicate": "status_detail = 'CANCELLED' OR status_detail = 'PAUSED'" + } + }, + { + "constant": { + "value": "Cancel", + "field": "activity_name", + "predicate": "status_detail = 'CANCELLED' OR status_detail = 'PAUSED'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + "predicate": "status_detail = 'FAILED'" + } + }, + { + "constant": { + "value": "Other", + "field": "activity_name", + "predicate": "status_detail = 'FAILED'" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "status_detail = 'SUCCEEDED' OR status_detail = 'STARTED' OR status_detail = 'RUNNING'" + } + }, + { + "constant": { + "value": "Success", + "field": "status", + "predicate": "status_detail = 'SUCCEEDED' OR status_detail = 'STARTED' OR status_detail = 'RUNNING'" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "status_detail = 'FAILED'" + } + }, + { + "constant": { + "value": "Failure", + "field": "status", + "predicate": "status_detail = 'FAILED'" + } + }, + { + "constant": { + "value": 99, + "field": "status_id", + "predicate": "status_detail = 'CANCELLED' OR status_detail = 'PAUSED'" + } + }, + { + "constant": { + "value": "Other", + "field": "status", + "predicate": "status_detail = 'CANCELLED' OR status_detail = 'PAUSED'" + } + }, + { + "constant": { + "value": 1, + "field": "severity_id" + } + }, + { + "constant": { + "value": "Informational", + "field": "severity" + } + }, + { + "constant": { + "value": 600301, + "field": "type_uid" + } + }, + { + "copy": { + "from": "job.name", + "to": "job.name" + } + }, + { + "copy": { + "from": "job.uid", + "to": "job.uid" + } + }, + { + "copy": { + "from": "job.run_type", + "to": "job.run_type" + } + }, + { + "copy": { + "from": "actor.user.name", + "to": "actor.user.name" + } + }, + { + "copy": { + "from": "status_detail", + "to": "status_detail" + } + }, + { + "copy": { + "from": "message", + "to": "message" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "actor.user.name", + "type": "User" + }, + { + "name": "job.name", + "type": "Other" + }, + { + "name": "job.uid", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/hashicorp_vault-latest b/parsers/hashicorp_vault-latest new file mode 100644 index 0000000..b717200 --- /dev/null +++ b/parsers/hashicorp_vault-latest @@ -0,0 +1,287 @@ +{ + "attributes": { + "dataSource.vendor": "HashiCorp", + "dataSource.name": "HashiCorp Vault", + "dataSource.category": "security", + "metadata.product.vendor_name": "HashiCorp", + "metadata.product.name": "HashiCorp Vault", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.time", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "constant": { + "value": 6001, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Vault Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": 6, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Application Activity", + "field": "category_name" + } + }, + { + "copy": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "copy": { + "from": "unmapped.timestamp", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "copy": { + "from": "unmapped.request.id", + "to": "metadata.uid" + } + }, + { + "copy": { + "from": "unmapped.type", + "to": "message" + } + }, + { + "copy": { + "from": "unmapped.request.operation", + "to": "activity_name" + } + }, + { + "copy": { + "from": "unmapped.auth.display_name", + "to": "user.name" + } + }, + { + "copy": { + "from": "unmapped.auth.entity_id", + "to": "user.uid" + } + }, + { + "copy": { + "from": "unmapped.auth.token_type", + "to": "user.type" + } + }, + { + "copy": { + "from": "unmapped.request.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "copy": { + "from": "unmapped.request.client_token", + "to": "session.uid" + } + }, + { + "copy": { + "from": "unmapped.request.path", + "to": "http_request.url.path" + } + }, + { + "copy": { + "from": "unmapped.request.namespace.path", + "to": "http_request.url.path" + } + }, + { + "copy": { + "from": "unmapped.response.data.accessor", + "to": "dst_endpoint.uid" + } + }, + { + "copy": { + "from": "unmapped.response.data.entity_id", + "to": "dst_endpoint.uid" + } + }, + { + "copy": { + "from": "unmapped.error", + "to": "status_detail" + } + }, + { + "copy": { + "from": "unmapped.auth.policies", + "to": "metadata.extensions.policies" + } + }, + { + "copy": { + "from": "unmapped.request.mount_type", + "to": "metadata.extensions.mount_type" + } + }, + { + "copy": { + "from": "unmapped.request.mount_point", + "to": "metadata.extensions.mount_point" + } + }, + { + "copy": { + "from": "unmapped.response.mount_type", + "to": "metadata.extensions.mount_type" + } + }, + { + "copy": { + "from": "unmapped.response.secret", + "to": "metadata.extensions.secret" + } + }, + { + "copy": { + "from": "unmapped.response.data.lease_id", + "to": "metadata.extensions.lease_id" + } + }, + { + "copy": { + "from": "unmapped.response.data.lease_duration", + "to": "metadata.extensions.lease_duration" + } + }, + { + "copy": { + "from": "unmapped.response.data.renewable", + "to": "metadata.extensions.renewable" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.error == \"\"" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id", + "predicate": "unmapped.error != \"\"" + } + }, + { + "constant": { + "value": 1, + "field": "severity_id", + "predicate": "unmapped.error == \"\"" + } + }, + { + "constant": { + "value": 3, + "field": "severity_id", + "predicate": "unmapped.error != \"\"" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "unmapped.error == \"\"" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "unmapped.error != \"\"" + } + }, + { + "constant": { + "value": "Success", + "field": "status", + "predicate": "unmapped.error == \"\"" + } + }, + { + "constant": { + "value": "Failure", + "field": "status", + "predicate": "unmapped.error != \"\"" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "user.name", + "type": "User" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address" + }, + { + "name": "session.uid", + "type": "Other" + }, + { + "name": "http_request.url.path", + "type": "Other" + }, + { + "name": "metadata.extensions.lease_id", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/imperva_waf_logs-latest b/parsers/imperva_waf_logs-latest new file mode 100644 index 0000000..e598b35 --- /dev/null +++ b/parsers/imperva_waf_logs-latest @@ -0,0 +1,84 @@ +{ + // specify a time zone if the timestamps in your log are not in GMT + // timezone: "GMT-0800" + attributes: { + "dataSource.name": "Imperva WAF", + "dataSource.vendor": "Imperva", + "dataSource.category": "security" + "metadata.product.name": "Imperva WAF", + "metadata.product.vendor_name": "Imperva" + }, + + patterns: { + tsPattern: "\\d+", + value: "[^\\s]+", + toDrop: "^(?!CEF).*$" + }, + + formats: [ + //drop logs + { + id: "drop", + format: "$unwanted=toDrop$", + discard: true + }, + + { + format: "$unmapped.cef.version$\\|$metadata.vendor_name$\\|$metadata.product$\\|$metadata.product.version$\\|$unmapped.signature$\\|$event.type$\\|$severity$\\|", + }, + { + format: ".*\\sstart=$timestamp=tsPattern$", + }, + { + format: ".*requestClientApplication=$unmapped.requestClientApplication$\\sdeviceFacility", + }, + { + format: ".*\\scs2=$unmapped.cs2$\\scs2Label=$unmapped.cs2Label$\\scs3=$unmapped.cs3$\\scs3Label=$unmapped.cs3Label$\\scs1=$unmapped.cs1$\\scs1Label=$unmapped.cs1Label$\\scs4=$unmapped.cs4$\\scs4Label=$unmapped.cs4Label$\\scs5=$unmapped.cs5$\\scs5Label=$unmapped.cs5Label$\\scs6=$unmapped.cs6$\\scs6Label=$unmapped.cs6Label$\\scs7=$unmapped.cs7$\\scs7Label=$unmapped.cs7Label$\\scs8=$unmapped.cs8$\\scs8Label=$unmapped.cs8Label$\\sCustomer", + }, + { + format: ".*\\scs10=$unmapped.cs10$\\scs10Label=$unmapped.cs10Label$\\scpt", + }, + { + format: ".*\\sver=$unmapped.ver$\\s$unmapped.cipher$\\s", + }, + { + format: ".*$_=identifier$=$unmapped._=value$", + repeat: true + } + ], + mappings: { + version: 0, + mappings: [ + { + predicate: "", + renames: [ + { + inputs : ["unmapped.dst"], + output : "dst_endpoint.ip", + type: "string" + }, + { + inputs: ["unmapped.dpt"], + output: "dst_endpoint.port", + type: "string" + }, + { + inputs: ["unmapped.src"], + output: "src_endpoint.ip", + type: "string" + }, + { + inputs: ["unmapped.spt"], + output: "src_endpoint.port", + type: "string" + }, + { + inputs: ["unmapped.Customer"], + output: "Account Name", + type: "string" + } + ] + } + ] + } +} \ No newline at end of file diff --git a/parsers/json-app-logs b/parsers/json-app-logs new file mode 100644 index 0000000..7466161 --- /dev/null +++ b/parsers/json-app-logs @@ -0,0 +1,80 @@ +{ + // OCSF-compliant parser for JSON application logs + // Schema: OCSF v1.3.0 - Security Finding (class_uid 2001) + // https://schema.ocsf.io/1.3.0/classes/security_finding + + attributes: { + // ─── OCSF Metadata ────────────────────────────────────────────── + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "GenericApp", + "metadata.product.name": "Application Logger", + "metadata.product.version": "1.0.0", + "metadata.log_provider": "hec", + + // ─── OCSF Classification (Security Finding) ────────────────────── + "category_uid": 2, + "category_name": "Findings", + "class_uid": 2001, + "class_name": "Security Finding", + "activity_id": 1, + "activity_name": "Create", + "type_uid": 200101, + "type_name": "Security Finding: Create", + + // ─── OCSF Finding state defaults (overridable via rewrites) ───── + "status_id": 1, // 1=New + "status": "New", + "disposition_id": 0, // 0=Unknown + "disposition": "Unknown", + + // ─── SDL/S1 routing fields (non-OCSF) ─────────────────────────── + "Category": "security", + "dataSource.vendor": "GenericApp", + "dataSource.name": "alert", + "dataSource.category": "security", + "finding_info.types": ["Authentication"] + }, + + formats: [ + { + // Auto-extract every JSON top-level field as an attribute + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // ─── Time handling ───────────────────────────────────────────── + // Source JSON uses `event_iso` (ISO string). NEVER use the bare + // `time` attr (SDL reserved, expects epoch ms) or any `*_time` + // suffix (AI SIEM auto-parses as date, shows "Invalid Date" for + // ISO strings). + { input: "event_iso", output: "finding_info.created_time_dt", match: ".*", replace: "$0" }, + + // ─── Actor (user) ─────────────────────────────────────────── + { input: "user", output: "actor.user.name", match: ".*", replace: "$0" }, + { input: "user", output: "actor.user.uid", match: ".*", replace: "$0" }, + + // ─── Finding info ─────────────────────────────────────────── + { input: "msg", output: "finding_info.title", match: ".*", replace: "$0" }, + { input: "msg", output: "finding_info.desc", match: ".*", replace: "$0" }, + // finding_info.uid: use the original log line hash; SDL has no hash fn, + // so fall back to msg+user concatenation (callers SHOULD add an `id` field) + { input: "msg", output: "finding_info.uid", match: ".*", replace: "$0" }, + + // ─── Raw log preservation (OCSF: raw_data) ────────────────── + { input: "msg", output: "raw_data", match: ".*", replace: "$0" }, + + // ─── Severity (string + int, OCSF v1.3.0 ranges) ──────────── + // NOTE: SDL reserves the bare `severity` field name and renames our + // attribute to `severity_`. We populate `severity_str` (queryable) and + // `severity_id` (OCSF integer 0-6). + { input: "level", output: "severity_id", match: "(?i)error", replace: "5" }, + { input: "level", output: "severity_id", match: "(?i)warn", replace: "4" }, + { input: "level", output: "severity_id", match: "(?i)info", replace: "3" }, + { input: "level", output: "severity_id", match: "(?i)debug", replace: "1" }, + { input: "level", output: "severity_str", match: "(?i)error", replace: "Critical" }, + { input: "level", output: "severity_str", match: "(?i)warn", replace: "High" }, + { input: "level", output: "severity_str", match: "(?i)info", replace: "Informational" }, + { input: "level", output: "severity_str", match: "(?i)debug", replace: "Other" } + ] + } + ] +} diff --git a/parsers/marcparser b/parsers/marcparser new file mode 100644 index 0000000..01b91d1 --- /dev/null +++ b/parsers/marcparser @@ -0,0 +1,59 @@ +{ + attributes: { + "dataSource.vendor": "pfSense", + "dataSource.name": "pfSense Firewall", + "dataSource.category": "security" + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + ipv6: "[0-9A-Fa-f:]+", + ipv46: "(\\d+\\.\\d+\\.\\d+\\.\\d+|[0-9A-Fa-f:]+)", + number: "\\d+" + }, + + formats: [ + { + // ACCEPT TCP 4f48:...:55177 -> f7b0:...:10680 - Rule: 4891 - Bytes: 1234 + id: "flow", + format: + "$pf_action$ $network_protocol$ " + + "$src_ip=ipv46$:$src_port=number$ -> " + + "$dst_ip=ipv46$:$dst_port=number$ - Rule: " + + "$fw_rule_id=number$ - Bytes: $bytes=number$", + halt: true + }, + { + // INTRUSION DETECTED: DDoS from 92.191.154.186 - Blocked by rule 7936 - Severity: HIGH + id: "ids", + format: + "INTRUSION DETECTED: $attack_type$ from " + + "$src_ip=ipv4$ - Blocked by rule $fw_rule_id=number$ - Severity: $severity$", + halt: true + } + ], + + mappings: { + version: 1, + mappings: [ + { + predicate: "true", + transformations: [ + { "rename": { "from": "src_ip", "to": "src.ip.address" } }, + { "rename": { "from": "dst_ip", "to": "dst.ip.address" } }, + { "rename": { "from": "src_port", "to": "src.port.number" } }, + { "rename": { "from": "dst_port", "to": "dst.port.number" } }, + { "rename": { "from": "network_protocol", "to": "network.protocol" } }, + { "rename": { "from": "fw_rule_id", "to": "unmapped.firewall.rule_id" } }, + { "rename": { "from": "bytes", "to": "network.bytes" } }, + { "rename": { "from": "pf_action", "to": "event.outcome" } }, + { "rename": { "from": "severity", "to": "severity" } }, + { "rename": { "from": "attack_type", "to": "unmapped.attack.type" } }, + + { "constant": { "field": "event.category", "value": "network" } }, + { "constant": { "field": "class_name", "value": "Network Activity" } } + ] + } + ] + } +} \ No newline at end of file diff --git a/parsers/marcpfsense b/parsers/marcpfsense new file mode 100644 index 0000000..7c1b220 --- /dev/null +++ b/parsers/marcpfsense @@ -0,0 +1,63 @@ +{ + attributes: { + "dataSource.vendor": "pfSense", + "dataSource.name": "pfSense", + "dataSource.category": "security" + }, + + patterns: { + tsPattern: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2}", + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + ipv6: "[a-fA-F0-9:]+", + ipv46: "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+)", + ipv: "(4|6)", + hex: "([a-f0-9]+x[a-f0-9]+){0,1}", + tcpflags: "[SA\\.FRPUEW]+", + numberOrNone: "[0-9]{0,}", + textOrNone: "[a-zA-Z-\\.0-9]{0,}" + }, + + formats: [ + { + // Base filterlog header + format: "$timestamp=tsPattern$ $hostname=ipv46$ filterlog: " + + "$pfRule=numberOrNone$,$pfSubRule=numberOrNone$," + + "$pfAnchor=textOrNone$,$pfTracker=numberOrNone$," + + "$pfInterface$,$pfReason=identifier$," + + "$pfAction=identifier$,$pfDirection=identifier$,.*" + }, + { + // IPv4 header-specific fields + attributes: { pfIpv: 4 }, + format: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2} " + + "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+) filterlog: " + + "([a-zA-Z0-9-\\.]+,|,){8}4," + + "$pfTos=hex$,$pfEcn$,$pfTtl=numberOrNone$," + + "$pfPacketId=numberOrNone$,$pfOffset=numberOrNone$," + + "$pfIPFlags=identifier$,$pfProtocolID$,$msg$" + }, + { + // TCP flow + attributes: { pfProtocol: "tcp" }, + format: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2} " + + "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+) filterlog: " + + "([a-zA-Z0-9-\\.]+,|,){16}tcp," + + "$pfPacketLen=number$,$pfSourceIP=ipv4$,$pfDestIP=ipv4$," + + "$pfSourcePort=number$,$pfDestPort=number$," + + "$pfDataLen=number$,$pfTCPFlags=tcpflags$," + + "$pfSeq=numberOrNone$,$pfAck=numberOrNone$," + + "$pfWindow=numberOrNone$,$pfUrg=textOrNone$,$pfTcpOptions$", + halt: true + }, + { + // UDP flow + attributes: { pfProtocol: "udp" }, + format: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2} " + + "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+) filterlog: " + + "([a-zA-Z0-9-\\.]+,|,){16}udp," + + "$pfPacketLen=number$,$pfSourceIP=ipv4$,$pfDestIP=ipv4$," + + "$pfSourcePort=number$,$pfDestPort=number$,$pfDataLen=number$", + halt: true + } + ] +} \ No newline at end of file diff --git a/parsers/microsoft_365_collaboration-latest b/parsers/microsoft_365_collaboration-latest new file mode 100644 index 0000000..29e2a89 --- /dev/null +++ b/parsers/microsoft_365_collaboration-latest @@ -0,0 +1,147 @@ +{ + "attributes": { + "dataSource.name": "Microsoft 365 Collaboration", + "dataSource.vendor": "Microsoft", + "dataSource.category": "security", + "metadata.product.name": "Microsoft 365 SharePoint/OneDrive", + "metadata.product.vendor_name": "Microsoft", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=gron}$", + "rewrites": [ + { + "input": "unmapped.TimeStamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "constant": { + "value": 1, + "field": "activity_id" + } + }, + { + "constant": { + "value": "Create", + "field": "activity_name" + } + }, + { + "constant": { + "value": 1, + "field": "category_uid" + } + }, + { + "constant": { + "value": 1006, + "field": "class_uid" + } + }, + { + "constant": { + "value": "File Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": "System Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 100601, + "field": "type_uid" + } + }, + { + "constant": { + "value": "File Activity: Create", + "field": "type_name" + } + }, + { + "copy": { + "from": "unmapped.TimeStamp", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.UserId", + "to": "actor.user.email_addr" + } + }, + { + "rename": { + "from": "unmapped.Operation", + "to": "activity_name" + } + }, + { + "rename": { + "from": "unmapped.SiteUrl", + "to": "src_endpoint.url.url_string" + } + }, + { + "rename": { + "from": "unmapped.ObjectId", + "to": "file.path" + } + }, + { + "rename": { + "from": "unmapped.FileName", + "to": "file.name" + } + }, + { + "rename": { + "from": "unmapped.TargetUser", + "to": "user.email_addr" + } + }, + { + "rename": { + "from": "unmapped.RequestedBy", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.Details", + "to": "message" + } + }, + { + "constant": { + "value": "Microsoft 365", + "field": "cloud.provider" + } + } + ] + } + ] + } +} \ No newline at end of file diff --git a/parsers/microsoft_windows_eventlog-latest b/parsers/microsoft_windows_eventlog-latest new file mode 100644 index 0000000..37a730e --- /dev/null +++ b/parsers/microsoft_windows_eventlog-latest @@ -0,0 +1,39 @@ +{ + // Default Attributes + attributes: { + "dataSource.category": "security", + "dataSource.name": "Windows Event Logs", + "dataSource.vendor": "Microsoft", + "event.type": "Windows Event Log Creation" + }, + patterns: { + SystemTimePattern: "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{7}Z" + }, + formats: [ + { + // Match Event ID : 4743 + format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.task$\",\"Provider\":\"$winEventLog.rendering_info.provider$\",\"Opcode\":\"$winEventLog.rendering_info.opcode$\",\"Message\":\"$winEventLog.message$\",\"Level\":\"$winEventLog.rendering_info.level$\",\"Keywords\":\\{\"Keyword\":\"$winEventLog.rendering_info.keywords.keyword$\"},\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.culture$\"},\"EventData\":\\{\"Data\":\\{\"SubjectUserSid\":\\{\"Text\":\"$winEventLog.EventData.userSID$\"},\"SubjectUserName\":\\{\"Text\":\"$winEventLog.EventData.userName$\"},\"SubjectLogonId\":\\{\"Text\":\"$winEventLog.EventData.logonId$\"},\"SubjectDomainName\":\\{\"Text\":\"$winEventLog.EventData.domainName$\"},\"PrivilegeList\":\\{\"Text\":\"$winEventLog.EventData.PrivilegeList$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}" + halt: true + }, + { + // Match Event ID : 4742 + format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.Task$\",\"Provider\":\"$winEventLog.rendering_info.Provider$\",\"Opcode\":\"$winEventLog.rendering_info.Opcode$\",\"Message\":\"$winEventLog.rendering_info.Message$\",\"Level\":\"$winEventLog.rendering_info.Level$\",\"Keywords\":\\{\"Keyword\":\"$winEventLog.rendering_info.Keywords.Keyword$\"},\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.Culture$\"},\"EventData\":\\{\"Data\":\\{\"UserWorkstations\":\\{\"Text\":\"$winEventLog.EventData.UserWorkstations$\"},\"UserPrincipalName\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"UserParameters\":\\{\"Text\":\"$winEventLog.EventData.UserParameters$\"},\"UserAccountControl\":\\{\"Text\":\"$winEventLog.EventData.UserAccountControl$\"},\"TargetUserName\":\\{\"Text\":\"$winEventLog.EventData.TargetUserName$\"},\"TargetSid\":\\{\"Text\":\"$winEventLog.EventData.TargetSid$\"},\"TargetDomainName\":\\{\"Text\":\"$winEventLog.EventData.TargetDomainName$\"},\"SubjectUserSid\":\\{\"Text\":\"$winEventLog.EventData.SubjectUserSid$\"},\"SubjectUserName\":\\{\"Text\":\"$winEventLog.EventData.SubjectUserName$\"},\"SubjectLogonId\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"SubjectDomainName\":\\{\"Text\":\"$winEventLog.EventData.SubjectDomainName$\"},\"SidHistory\":\\{\"Text\":\"$winEventLog.EventData.SidHistory$\"},\"ServicePrincipalNames\":\\{\"Text\":\"$winEventLog.EventData.ServicePrincipalNames$\"},\"ScriptPath\":\\{\"Text\":\"$winEventLog.EventData.ScriptPath$\"},\"SamAccountName\":\\{\"Text\":\"$winEventLog.EventData.SamAccountName$\"},\"ProfilePath\":\\{\"Text\":\"$winEventLog.EventData.ProfilePath$\"},\"PrivilegeList\":\\{\"Text\":\"$winEventLog.EventData.PrivilegeList$\"},\"PrimaryGroupId\":\\{\"Text\":\"$winEventLog.EventData.PrimaryGroupId$\"},\"PasswordLastSet\":\\{\"Text\":\"$winEventLog.EventData.PasswordLastSet$\"},\"OldUacValue\":\\{\"Text\":\"$winEventLog.EventData.OldUacValue$\"},\"NewUacValue\":\\{\"Text\":\"$winEventLog.EventData.NewUacValue$\"},\"LogonHours\":\\{\"Text\":\"$winEventLog.EventData.LogonHours$\"},\"HomePath\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"HomeDirectory\":\\{\"Text\":\"$winEventLog.EventData.HomeDirectory$\"},\"DnsHostName\":\\{\"Text\":\"$winEventLog.EventData.DnsHostName$\"},\"DisplayName\":\\{\"Text\":\"$winEventLog.EventData.DisplayName$\"},\"ComputerAccountChange\":\\{\"Text\":\"$winEventLog.EventData.ComputerAccountChange$\"},\"AllowedToDelegateTo\":\\{\"Text\":\"$winEventLog.EventData.AllowedToDelegateTo$\"},\"AccountExpires\":\\{\"Text\":\"$winEventLog.EventData.AccountExpires$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}" + halt: true + }, + { + // Match Event ID : 4741 + format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.task$\",\"Provider\":\"$winEventLog.rendering_info.provider$\",\"Opcode\":\"$winEventLog.rendering_info.opcode$\",\"Message\":\"$winEventLog.message$\",\"Level\":\"$winEventLog.rendering_info.level$\",\"Keywords\":\\{\"Keyword\":\"$winEventLog.rendering_info.keywords.keyword$\"},\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.culture$\"},\"EventData\":\\{\"Data\":\\{\"UserWorkstations\":\\{\"Text\":\"$winEventLog.EventData.UserWorkstations$\"},\"UserPrincipalName\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"UserParameters\":\\{\"Text\":\"$winEventLog.EventData.UserParameters$\"},\"UserAccountControl\":\\{\"Text\":\"$winEventLog.EventData.UserAccountControl$\"},\"TargetUserName\":\\{\"Text\":\"$winEventLog.EventData.TargetUserName$\"},\"TargetSid\":\\{\"Text\":\"$winEventLog.EventData.TargetSid$\"},\"TargetDomainName\":\\{\"Text\":\"$winEventLog.EventData.TargetDomainName$\"},\"SubjectUserSid\":\\{\"Text\":\"$winEventLog.EventData.userSID$\"},\"SubjectUserName\":\\{\"Text\":\"$winEventLog.EventData.SubjectUserName$\"},\"SubjectLogonId\":\\{\"Text\":\"$winEventLog.EventData.logonId$\"},\"SubjectDomainName\":\\{\"Text\":\"$winEventLog.EventData.SubjectDomainName$\"},\"SidHistory\":\\{\"Text\":\"$winEventLog.EventData.SidHistory$\"},\"ServicePrincipalNames\":\\{\"Text\":\"$winEventLog.EventData.ServicePrincipalNames$\"},\"ScriptPath\":\\{\"Text\":\"$winEventLog.EventData.ScriptPath$\"},\"SamAccountName\":\\{\"Text\":\"$winEventLog.EventData.SamAccountName$\"},\"ProfilePath\":\\{\"Text\":\"$winEventLog.EventData.ProfilePath$\"},\"PrivilegeList\":\\{\"Text\":\"$winEventLog.EventData.PrivilegeList$\"},\"PrimaryGroupId\":\\{\"Text\":\"$winEventLog.EventData.PrimaryGroupId$\"},\"PasswordLastSet\":\\{\"Text\":\"$winEventLog.EventData.PasswordLastSet$\"},\"OldUacValue\":\\{\"Text\":\"$winEventLog.EventData.OldUacValue$\"},\"NewUacValue\":\\{\"Text\":\"$winEventLog.EventData.NewUacValue$\"},\"LogonHours\":\\{\"Text\":\"$winEventLog.EventData.LogonHours$\"},\"HomePath\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"HomeDirectory\":\\{\"Text\":\"$winEventLog.EventData.HomeDirectory$\"},\"DnsHostName\":\\{\"Text\":\"$winEventLog.EventData.DnsHostName$\"},\"DisplayName\":\\{\"Text\":\"$winEventLog.EventData.DisplayName$\"},\"AllowedToDelegateTo\":\\{\"Text\":\"$winEventLog.EventData.AllowedToDelegateTo$\"},\"AccountExpires\":\\{\"Text\":\"$winEventLog.EventData.AccountExpires$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}" + halt: true + }, + { + // Match Event ID : 8002 + format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":\\{\"UserID\":\"$winEventLog.user_id$\"},\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.task$\",\"Provider\":\"$winEventLog.rendering_info.provider$\",\"Opcode\":\"$winEventLog.rendering_info.opcode$\",\"Message\":\"$winEventLog.message$\",\"Level\":\"$winEventLog.rendering_info.level$\",\"Keywords\":$winEventLog.rendering_info.keywords$,\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.culture$\"},\"EventData\":\\{\"Data\":\\{\"ProcessName\":\\{\"Text\":\"$src.process.name$\"},\"MechanismOID\":\\{\"Text\":\"$src.process.mechanism_oid$\"},\"ClientUserName\":\\{\"Text\":\"$src.process.user$\"},\"ClientLUID\":\\{\"Text\":\"$src.process.uid$\"},\"ClientDomainName\":\\{\"Text\":\"$src.process.domain$\"},\"CallerPID\":\\{\"Text\":\"$src.process.callerid$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}" + halt: true + }, + { + // Match all rest + format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",$winEventLog.rest$" + } + ] +} + diff --git a/parsers/mikrotik b/parsers/mikrotik new file mode 100644 index 0000000..931e11b --- /dev/null +++ b/parsers/mikrotik @@ -0,0 +1,436 @@ +{ + attributes: { + "metadata.version": "2.0.0", + "dataSource.vendor": "MikroTik", + "dataSource.name": "MikroTik RouterOS", + "dataSource.category": "security", + "Category": "security", + "metadata.product.vendor_name": "MikroTik", + "metadata.product.name": "RouterOS", + "metadata.log_provider": "syslog", + "severity_id": 1, + "severity": "Informational" + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + ipv6: "[0-9a-fA-F:]+", + mac: "[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}", + num: "\\d+", + word: "\\w+", + iface: "[\\w().-]+", + proto: "[A-Z]+", + signal: "-?\\d+", + ts: "\\w+/\\d+/\\d+ \\d+:\\d+:\\d+|\\d+:\\d+:\\d+", + rest: ".*" + }, + + formats: [ + // ═══════════════════════════════════════════════════════════════════════════ + // FIREWALL (Network Activity 4001) + // ═══════════════════════════════════════════════════════════════════════════ + + // input: in:ether1 out:(none), src-mac 00:21:29:6d:82:07, proto UDP, 10.1.101.1:520->10.1.101.255:520, len 452 + { + id: "firewall_full", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106 + }, + format: "$chain=word$: in:$in_iface=iface$ out:$out_iface=iface$, src-mac $src_mac=mac$, proto $protocol=proto$, $src_ip=ipv4$:$src_port=num$->$dst_ip=ipv4$:$dst_port=num$, len $pkt_len=num$", + halt: true + }, + + // forward: in:ether1 out:ether2, connection-state:established, src-mac 00:11:22:33:44:55 + { + id: "firewall_conntrack", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106 + }, + format: "$chain=word$: in:$in_iface=iface$ out:$out_iface=iface$, connection-state:$conn_state=word$, src-mac $src_mac=mac$", + halt: true + }, + + // Firewall DROP - appears in XDR as Detection Finding + // drop: in:ether1 out:(none), src-mac 00:21:29:6d:82:07, proto TCP, 10.1.101.1:12345->10.1.101.255:22, len 64 + { + id: "firewall_drop", + attributes: { + class_uid: 4002, class_name: "Detection Finding", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Create", + type_uid: 400201, + disposition_id: 2, disposition: "Blocked", + severity_id: 3, severity: "Medium", + "finding_info.title": "MikroTik Firewall Drop", + "finding_info.types": ["Network"], + confidence_id: 3, confidence: "High" + }, + format: "drop: in:$in_iface=iface$ out:$out_iface=iface$, src-mac $src_mac=mac$, proto $protocol=proto$, $src_ip=ipv4$:$src_port=num$->$dst_ip=ipv4$:$dst_port=num$, len $pkt_len=num$", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // DHCP (DHCP Activity 4004) + // ═══════════════════════════════════════════════════════════════════════════ + + // defconf deassigned 192.168.88.37 for B0:E4:5C:27:EF:F2 Samsung + { + id: "dhcp_deassign", + attributes: { + class_uid: 4004, class_name: "DHCP Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 2, activity_name: "Release", + type_uid: 400402 + }, + format: "$dhcp_server=word$ deassigned $client_ip=ipv4$ for $client_mac=mac$ $hostname=rest$", + halt: true + }, + + // defconf assigned 192.168.88.37 for B0:E4:5C:27:EF:F2 Samsung + { + id: "dhcp_assign", + attributes: { + class_uid: 4004, class_name: "DHCP Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Lease", + type_uid: 400401 + }, + format: "$dhcp_server=word$ assigned $client_ip=ipv4$ for $client_mac=mac$ $hostname=rest$", + halt: true + }, + + // dhcp1 got address 192.168.1.100 from 192.168.1.1 + { + id: "dhcp_client", + attributes: { + class_uid: 4004, class_name: "DHCP Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Lease", + type_uid: 400401 + }, + format: "$dhcp_client=word$ got address $client_ip=ipv4$ from $dhcp_server_ip=ipv4$", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // AUTHENTICATION (Authentication 3002) + // ═══════════════════════════════════════════════════════════════════════════ + + // user admin logged in from 10.1.101.212 via winbox + { + id: "login", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon", + type_uid: 300201, + status_id: 1, status: "Success" + }, + format: "user $user=word$ logged in from $src_ip=ipv4$ via $method=word$", + halt: true + }, + + // user admin logged out from 10.1.101.212 via telnet + { + id: "logout", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 2, activity_name: "Logoff", + type_uid: 300202, + status_id: 1, status: "Success" + }, + format: "user $user=word$ logged out from $src_ip=ipv4$ via $method=word$", + halt: true + }, + + // login failure for user admin from 10.1.101.50 via ssh + // Using Detection Finding class for XDR visibility + { + id: "login_failure", + attributes: { + class_uid: 4002, class_name: "Detection Finding", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Create", + type_uid: 400201, + status_id: 2, status: "Failure", + severity_id: 3, severity: "Medium", + "finding_info.title": "MikroTik Login Failure", + "finding_info.types": ["Authentication"], + confidence_id: 3, confidence: "High" + }, + format: "login failure for user $user=word$ from $src_ip=ipv4$ via $method=word$", + halt: true + }, + + // connected from 203.0.113.50 + { + id: "ppp_connect", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon", + type_uid: 300201, + status_id: 1, status: "Success", + auth_protocol: "PPP" + }, + format: "<$user$> connected from $src_ip=ipv4$", + halt: true + }, + + // disconnected + { + id: "ppp_disconnect", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 2, activity_name: "Logoff", + type_uid: 300202, + auth_protocol: "PPP" + }, + format: "<$user$> disconnected", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // CONFIGURATION (Entity Management 5004) + // ═══════════════════════════════════════════════════════════════════════════ + + // mangle rule added by admin + { + id: "config_added", + attributes: { + class_uid: 5004, class_name: "Entity Management", + category_uid: 5, category_name: "Discovery", + activity_id: 1, activity_name: "Create", + type_uid: 500401 + }, + format: "$object=rest$ added by $user=word$", + halt: true + }, + + // mangle rule changed by admin + { + id: "config_changed", + attributes: { + class_uid: 5004, class_name: "Entity Management", + category_uid: 5, category_name: "Discovery", + activity_id: 3, activity_name: "Update", + type_uid: 500403 + }, + format: "$object=rest$ changed by $user=word$", + halt: true + }, + + // mangle rule moved by admin + { + id: "config_moved", + attributes: { + class_uid: 5004, class_name: "Entity Management", + category_uid: 5, category_name: "Discovery", + activity_id: 3, activity_name: "Update", + type_uid: 500403 + }, + format: "$object=rest$ moved by $user=word$", + halt: true + }, + + // item removed by admin + { + id: "config_removed", + attributes: { + class_uid: 5004, class_name: "Entity Management", + category_uid: 5, category_name: "Discovery", + activity_id: 2, activity_name: "Delete", + type_uid: 500402 + }, + format: "$object=rest$ removed by $user=word$", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // SYSTEM (Operating System Patch State 6003) + // ═══════════════════════════════════════════════════════════════════════════ + + // router rebooted + { + id: "system_reboot", + attributes: { + class_uid: 6003, class_name: "Operating System Patch State", + category_uid: 6, category_name: "Application Activity", + activity_id: 0, activity_name: "Unknown", + type_uid: 600300, + severity_id: 2, severity: "Low" + }, + format: "router rebooted", + halt: true + }, + + // system,error,critical kernel failure + { + id: "system_critical", + attributes: { + class_uid: 6003, class_name: "Operating System Patch State", + category_uid: 6, category_name: "Application Activity", + activity_id: 0, activity_name: "Unknown", + type_uid: 600300, + severity_id: 5, severity: "Critical" + }, + format: "kernel $error_msg=rest$", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // WIRELESS (Network Activity 4001) + // ═══════════════════════════════════════════════════════════════════════════ + + // connected, 00:11:22:33:44:55@wlan1, signal-strength=-65 + { + id: "wireless_connect", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Open", + type_uid: 400101 + }, + format: "connected, $client_mac=mac$@$iface=iface$, signal-strength=$signal=signal$", + halt: true + }, + + // disconnected, 00:11:22:33:44:55@wlan1 + { + id: "wireless_disconnect", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 2, activity_name: "Close", + type_uid: 400102 + }, + format: "disconnected, $client_mac=mac$@$iface=iface$", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // DNS (DNS Activity 4003) + // ═══════════════════════════════════════════════════════════════════════════ + + // dns query from 192.168.1.10: example.com A + { + id: "dns_query", + attributes: { + class_uid: 4003, class_name: "DNS Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Query", + type_uid: 400301 + }, + format: "dns query from $src_ip=ipv4$: $query_hostname=rest$", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // ROUTING (Network Activity 4001) + // ═══════════════════════════════════════════════════════════════════════════ + + // ospf neighbor 10.0.0.1 state changed to Full + { + id: "ospf_neighbor", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 5, activity_name: "Update", + type_uid: 400105 + }, + format: "ospf neighbor $neighbor_ip=ipv4$ state changed to $neighbor_state=word$", + halt: true + }, + + // bgp peer 10.0.0.2 established + { + id: "bgp_established", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Open", + type_uid: 400101 + }, + format: "bgp peer $peer_ip=ipv4$ established", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // IPSEC/VPN (Tunnel Activity 4014) + // ═══════════════════════════════════════════════════════════════════════════ + + // ipsec,info phase1 negotiation succeeded for 203.0.113.1 + { + id: "ipsec_phase1", + attributes: { + class_uid: 4014, class_name: "Tunnel Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Open", + type_uid: 401401 + }, + format: "phase1 negotiation $ipsec_result=word$ for $peer_ip=ipv4$", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // GENERIC FALLBACK + // ═══════════════════════════════════════════════════════════════════════════ + { + id: "generic", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 0, activity_name: "Unknown", + type_uid: 400100 + }, + format: "$body=rest$" + } + ], + + mappings: { + version: 1, + mappings: [ + { + transformations: [ + { rename: { from: "src_ip", to: "src_endpoint.ip" } }, + { rename: { from: "dst_ip", to: "dst_endpoint.ip" } }, + { rename: { from: "src_port", to: "src_endpoint.port" } }, + { rename: { from: "dst_port", to: "dst_endpoint.port" } }, + { rename: { from: "src_mac", to: "src_endpoint.mac" } }, + { rename: { from: "in_iface", to: "src_endpoint.interface_name" } }, + { rename: { from: "out_iface", to: "dst_endpoint.interface_name" } }, + { rename: { from: "protocol", to: "connection_info.protocol_name" } }, + { rename: { from: "pkt_len", to: "traffic.bytes" } }, + { rename: { from: "client_ip", to: "dst_endpoint.ip" } }, + { rename: { from: "client_mac", to: "dst_endpoint.mac" } }, + { rename: { from: "user", to: "actor.user.name" } }, + { rename: { from: "method", to: "auth_protocol" } }, + { rename: { from: "iface", to: "src_endpoint.interface_name" } }, + { rename: { from: "signal", to: "unmapped.wireless_signal" } }, + { rename: { from: "chain", to: "unmapped.firewall_chain" } }, + { rename: { from: "dhcp_server", to: "unmapped.dhcp_server" } }, + { rename: { from: "dhcp_server_ip", to: "unmapped.dhcp_server_ip" } }, + { rename: { from: "dhcp_client", to: "unmapped.dhcp_client" } }, + { rename: { from: "hostname", to: "dst_endpoint.hostname" } }, + { rename: { from: "object", to: "unmapped.config_object" } }, + { rename: { from: "conn_state", to: "connection_info.state" } }, + { rename: { from: "neighbor_ip", to: "dst_endpoint.ip" } }, + { rename: { from: "neighbor_state", to: "unmapped.ospf_state" } }, + { rename: { from: "peer_ip", to: "dst_endpoint.ip" } }, + { rename: { from: "query_hostname", to: "query.hostname" } }, + { rename: { from: "ipsec_result", to: "unmapped.ipsec_result" } }, + { rename: { from: "error_msg", to: "unmapped.error_message" } }, + { rename: { from: "body", to: "unmapped.raw_body" } } + ] + } + ] + } +} diff --git a/parsers/npm_typosquats b/parsers/npm_typosquats new file mode 100644 index 0000000..a60fcf2 --- /dev/null +++ b/parsers/npm_typosquats @@ -0,0 +1,30 @@ +{ + "columnNames": ["suspect_name", "known_target"], + "rows": [ + ["expres", "express"], + ["loadash", "lodash"], + ["colorss", "colors"], + ["requesst", "request"], + ["eslint-config-airbnb-pro", "eslint-config-airbnb"], + ["event-stream-helper", "event-stream"], + ["ua-parser-utils", "ua-parser-js"], + ["lodash-utils", "lodash"], + ["lodaash", "lodash"], + ["expresss", "express"], + ["axios-lib", "axios"], + ["axioss", "axios"], + ["reactt", "react"], + ["react-utility", "react"], + ["vuetify-utils", "vuetify"], + ["commaander", "commander"], + ["yargs-plus", "yargs"], + ["chalkk", "chalk"], + ["chalk-cli", "chalk"], + ["nextt", "next"], + ["webpackk", "webpack"], + ["typescriptt", "typescript"], + ["debugg", "debug"], + ["moment-tz", "moment"], + ["uuid-gen", "uuid"] + ] +} \ No newline at end of file diff --git a/parsers/ocsf-checkpoint b/parsers/ocsf-checkpoint new file mode 100644 index 0000000..f8cc2cf --- /dev/null +++ b/parsers/ocsf-checkpoint @@ -0,0 +1,197 @@ +// SentinelOne AI SIEM Parser: Check Point Security Gateway +// OCSF Schema Version: 1.1.0 +// Maps Check Point pipe-delimited logs to OCSF classes +// Primary Classes: Network Activity (4001), Security Finding (2001), Detection Finding (2004) + +{ + "parserName": "CheckPoint-OCSF", + "version": "1.0.0", + "vendor": "Check Point", + "product": "Security Gateway", + "format": "kv", + "delimiter": "|", + "kvSeparator": "=", + + "patterns": [ + // Firewall Traffic logs + { + "pattern": "product=VPN-1 & FireWall-1", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + // Activity mapping + {"lookup": "action", "map": { + "Accept": 1, "Drop": 2, "Reject": 2, "Block": 2, "Log": 0, "Detect": 1 + }, "to": "activity_id"}, + {"lookup": "action", "map": { + "Accept": "Traffic Allowed", "Drop": "Traffic Denied", "Reject": "Traffic Rejected", + "Block": "Traffic Blocked", "Log": "Traffic Logged", "Detect": "Traffic Detected" + }, "to": "activity_name"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Check Point Firewall"}, + {"set": "metadata.product.vendor_name", "value": "Check Point"}, + {"copy": "loguid", "to": "metadata.uid"}, + {"copy": "origin", "to": "device.ip"}, + {"copy": "originsicname", "to": "device.name"}, + {"copy": "sequencenum", "to": "metadata.sequence"}, + + // Time + {"copy": "time", "to": "time", "transform": "epochToISO"}, + + // Source endpoint + {"copy": "src", "to": "src_endpoint.ip"}, + {"copy": "s_port", "to": "src_endpoint.port"}, + {"copy": "ifname", "to": "src_endpoint.interface_name"}, + + // Destination endpoint + {"copy": "dst", "to": "dst_endpoint.ip"}, + {"copy": "service", "to": "dst_endpoint.port"}, + + // Connection info + {"copy": "proto", "to": "connection_info.protocol_num"}, + {"lookup": "proto", "map": {"6": "TCP", "17": "UDP", "1": "ICMP"}, "to": "connection_info.protocol_name"}, + {"copy": "conn_direction", "to": "connection_info.direction"}, + + // NAT + {"copy": "xlatesrc", "to": "proxy.ip"}, + {"copy": "xlatesport", "to": "proxy.port"}, + {"copy": "xlatedst", "to": "dst_endpoint.intermediate_ips"}, + + // Policy + {"copy": "rule_uid", "to": "policy.uid"}, + {"copy": "rule_name", "to": "policy.name"}, + {"copy": "layer_name", "to": "policy.group.name"}, + {"copy": "rule_action", "to": "policy.rule.action"}, + + // Status + {"lookup": "action", "map": {"Accept": 1, "Drop": 2, "Reject": 2, "Block": 2}, "to": "status_id"}, + {"lookup": "action", "map": {"Accept": "Success", "Drop": "Failure", "Reject": "Failure", "Block": "Failure"}, "to": "status"} + ] + }, + + // IPS/SmartDefense logs + { + "pattern": "product=SmartDefense", + "rewrites": [ + {"set": "class_uid", "value": "2004"}, + {"set": "class_name", "value": "Detection Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Check Point IPS"}, + {"set": "metadata.product.vendor_name", "value": "Check Point"}, + + // Finding info + {"copy": "attack", "to": "finding_info.title"}, + {"copy": "attack_info", "to": "finding_info.desc"}, + {"copy": "protection_id", "to": "finding_info.uid"}, + {"copy": "protection_name", "to": "finding_info.types"}, + {"copy": "protection_type", "to": "finding_info.type_uid"}, + + // Severity + {"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1}, "to": "severity_id"}, + {"copy": "severity", "to": "severity"}, + + // Confidence + {"lookup": "confidence_level", "map": {"High": 3, "Medium": 2, "Low": 1}, "to": "confidence_id"}, + {"copy": "confidence_level", "to": "confidence"}, + + // Performance impact + {"copy": "performance_impact", "to": "impact_score"}, + + // Endpoints + {"copy": "src", "to": "src_endpoint.ip"}, + {"copy": "s_port", "to": "src_endpoint.port"}, + {"copy": "dst", "to": "dst_endpoint.ip"}, + {"copy": "service", "to": "dst_endpoint.port"}, + + // Action + {"lookup": "action", "map": {"Drop": 2, "Detect": 1, "Prevent": 2, "Log": 0}, "to": "activity_id"} + ] + }, + + // Management/Audit logs + { + "pattern": "product=SmartCenter Server", + "rewrites": [ + {"set": "class_uid", "value": "6002"}, + {"set": "class_name", "value": "API Activity"}, + {"set": "category_uid", "value": "6"}, + {"set": "category_name", "value": "Application Activity"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Check Point SmartCenter"}, + {"set": "metadata.product.vendor_name", "value": "Check Point"}, + + // Actor + {"copy": "administrator", "to": "actor.user.name"}, + {"copy": "client_name", "to": "actor.app_name"}, + {"copy": "client_version", "to": "actor.app_version"}, + {"copy": "src", "to": "actor.session.ip"}, + + // Operation + {"copy": "operation", "to": "activity_name"}, + {"copy": "objectname", "to": "resources.name"}, + {"copy": "objecttype", "to": "resources.type"}, + {"copy": "fieldschanges", "to": "resources.data"} + ] + }, + + // Application Control logs + { + "pattern": "product=Application Control", + "rewrites": [ + {"set": "class_uid", "value": "4002"}, + {"set": "class_name", "value": "HTTP Activity"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Check Point Application Control"}, + {"set": "metadata.product.vendor_name", "value": "Check Point"}, + + // Application + {"copy": "app_name", "to": "app_name"}, + {"copy": "app_id", "to": "app.uid"}, + {"copy": "app_category", "to": "app.category"}, + {"copy": "app_risk", "to": "app.risk_level"}, + {"copy": "appi_name", "to": "app.feature.name"}, + + // User + {"copy": "user", "to": "actor.user.name"}, + {"copy": "matched_category", "to": "http_request.url.categories"} + ] + }, + + // Anti-Bot/Threat Prevention logs + { + "pattern": "product=Anti-Bot", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "finding_info.types", "value": ["Malware", "Command and Control"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Check Point Anti-Bot"}, + {"set": "metadata.product.vendor_name", "value": "Check Point"}, + + // Malware info + {"copy": "malware_name", "to": "malware.name"}, + {"copy": "malware_family", "to": "malware.classification.family"}, + {"copy": "malware_action", "to": "activity_name"}, + {"copy": "resource", "to": "malware.path"}, + + // Severity + {"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2}, "to": "severity_id"}, + {"copy": "severity", "to": "severity"}, + + // Confidence + {"copy": "confidence_level", "to": "confidence"} + ] + } + ] +} diff --git a/parsers/ocsf-entra-id b/parsers/ocsf-entra-id new file mode 100644 index 0000000..7caac88 --- /dev/null +++ b/parsers/ocsf-entra-id @@ -0,0 +1,242 @@ +// SentinelOne AI SIEM Parser: Microsoft Entra ID (Azure AD) +// OCSF Schema Version: 1.1.0 +// Maps Entra ID JSON audit/sign-in logs to OCSF classes +// Primary Classes: Authentication (3002), Account Change (3001), Group Membership (3004) + +{ + "parserName": "EntraID-OCSF", + "version": "1.0.0", + "vendor": "Microsoft", + "product": "Entra ID", + "format": "json", + + "patterns": [ + // Sign-in logs (successful) + { + "pattern": "\"category\":\\s*\"SignInLogs\".*\"resultType\":\\s*\"0\"", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "type_uid", "value": "300201"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft Entra ID"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + {"jsonPath": "$.tenantId", "to": "metadata.tenant_uid"}, + {"jsonPath": "$.correlationId", "to": "metadata.correlation_uid"}, + {"jsonPath": "$.properties.id", "to": "metadata.uid"}, + + // Time + {"jsonPath": "$.time", "to": "time"}, + + // User + {"jsonPath": "$.properties.userDisplayName", "to": "user.full_name"}, + {"jsonPath": "$.properties.userPrincipalName", "to": "user.email_addr"}, + {"jsonPath": "$.properties.userId", "to": "user.uid"}, + + // Source endpoint + {"jsonPath": "$.callerIpAddress", "to": "src_endpoint.ip"}, + {"jsonPath": "$.properties.ipAddress", "to": "src_endpoint.ip"}, + {"jsonPath": "$.properties.deviceDetail.displayName", "to": "src_endpoint.name"}, + {"jsonPath": "$.properties.deviceDetail.deviceId", "to": "src_endpoint.uid"}, + {"jsonPath": "$.properties.deviceDetail.operatingSystem", "to": "src_endpoint.os.name"}, + {"jsonPath": "$.properties.deviceDetail.browser", "to": "src_endpoint.browser"}, + + // Device compliance + {"jsonPath": "$.properties.deviceDetail.isCompliant", "to": "src_endpoint.is_compliant"}, + {"jsonPath": "$.properties.deviceDetail.isManaged", "to": "src_endpoint.is_managed"}, + {"jsonPath": "$.properties.deviceDetail.trustType", "to": "src_endpoint.trust_type"}, + + // Location + {"jsonPath": "$.properties.location.city", "to": "src_endpoint.location.city"}, + {"jsonPath": "$.properties.location.state", "to": "src_endpoint.location.region"}, + {"jsonPath": "$.properties.location.countryOrRegion", "to": "src_endpoint.location.country"}, + {"jsonPath": "$.properties.location.geoCoordinates.latitude", "to": "src_endpoint.location.lat"}, + {"jsonPath": "$.properties.location.geoCoordinates.longitude", "to": "src_endpoint.location.long"}, + + // Application + {"jsonPath": "$.properties.appDisplayName", "to": "app_name"}, + {"jsonPath": "$.properties.appId", "to": "app.uid"}, + {"jsonPath": "$.properties.clientAppUsed", "to": "auth_protocol"}, + {"jsonPath": "$.properties.userAgent", "to": "http_request.user_agent"}, + + // MFA + {"jsonPath": "$.properties.mfaDetail.authMethod", "to": "mfa.method"}, + {"jsonPath": "$.properties.mfaDetail.authDetail", "to": "mfa.detail"}, + + // Conditional Access + {"jsonPath": "$.properties.conditionalAccessStatus", "to": "policy.result"}, + + // Risk + {"jsonPath": "$.properties.riskDetail", "to": "risk_detail"}, + {"jsonPath": "$.properties.riskLevelAggregated", "to": "risk_level"}, + {"jsonPath": "$.properties.riskLevelDuringSignIn", "to": "risk_level_signin"}, + {"jsonPath": "$.properties.riskState", "to": "risk_state"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Sign-in logs (failed) + { + "pattern": "\"category\":\\s*\"SignInLogs\".*\"resultType\":\\s*\"[^0]", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft Entra ID"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + {"jsonPath": "$.time", "to": "time"}, + {"jsonPath": "$.properties.userPrincipalName", "to": "user.email_addr"}, + {"jsonPath": "$.callerIpAddress", "to": "src_endpoint.ip"}, + {"jsonPath": "$.resultType", "to": "status_code"}, + {"jsonPath": "$.resultDescription", "to": "status_detail"}, + {"jsonPath": "$.properties.status.errorCode", "to": "error.code"}, + {"jsonPath": "$.properties.status.failureReason", "to": "error.message"}, + + // Location + {"jsonPath": "$.properties.location.countryOrRegion", "to": "src_endpoint.location.country"}, + + // Risk + {"jsonPath": "$.properties.riskLevelAggregated", "to": "risk_level"}, + + // Severity based on risk + {"lookup": "risk_level", "map": {"high": 4, "medium": 3, "low": 2, "none": 1}, "to": "severity_id"}, + {"lookup": "risk_level", "map": {"high": "High", "medium": "Medium", "low": "Low", "none": "Informational"}, "to": "severity"} + ] + }, + + // Risky sign-ins + { + "pattern": "\"category\":\\s*\"RiskySignIns\"", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + {"set": "finding_info.types", "value": ["Identity Risk"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft Entra ID Protection"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + {"jsonPath": "$.time", "to": "time"}, + {"jsonPath": "$.properties.userDisplayName", "to": "user.full_name"}, + {"jsonPath": "$.properties.userPrincipalName", "to": "user.email_addr"}, + {"jsonPath": "$.properties.userId", "to": "user.uid"}, + {"jsonPath": "$.callerIpAddress", "to": "src_endpoint.ip"}, + + // Risk details + {"jsonPath": "$.properties.riskDetail", "to": "finding_info.title"}, + {"jsonPath": "$.properties.riskEventTypes", "to": "finding_info.types"}, + {"jsonPath": "$.properties.riskLevelAggregated", "to": "risk_level"}, + {"jsonPath": "$.properties.riskState", "to": "risk_state"}, + + // Location + {"jsonPath": "$.properties.location.countryOrRegion", "to": "src_endpoint.location.country"}, + + // Severity + {"lookup": "risk_level", "map": {"high": 5, "medium": 4, "low": 3}, "to": "severity_id"}, + {"lookup": "risk_level", "map": {"high": "Critical", "medium": "High", "low": "Medium"}, "to": "severity"} + ] + }, + + // Audit logs - Group membership + { + "pattern": "\"category\":\\s*\"AuditLogs\".*\"activityDisplayName\":\\s*\"Add member to group\"", + "rewrites": [ + {"set": "class_uid", "value": "3004"}, + {"set": "class_name", "value": "Group Membership"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Add"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft Entra ID"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + {"jsonPath": "$.time", "to": "time"}, + + // Actor + {"jsonPath": "$.properties.initiatedBy.user.displayName", "to": "actor.user.full_name"}, + {"jsonPath": "$.properties.initiatedBy.user.userPrincipalName", "to": "actor.user.email_addr"}, + {"jsonPath": "$.properties.initiatedBy.user.id", "to": "actor.user.uid"}, + {"jsonPath": "$.properties.initiatedBy.user.ipAddress", "to": "src_endpoint.ip"}, + + // Group + {"jsonPath": "$.properties.targetResources[0].displayName", "to": "group.name"}, + {"jsonPath": "$.properties.targetResources[0].id", "to": "group.uid"}, + + // User added + {"jsonPath": "$.properties.targetResources[1].displayName", "to": "user.full_name"}, + {"jsonPath": "$.properties.targetResources[1].userPrincipalName", "to": "user.email_addr"}, + {"jsonPath": "$.properties.targetResources[1].id", "to": "user.uid"}, + + // Status + {"jsonPath": "$.properties.result", "to": "status"}, + {"lookup": "status", "map": {"success": 1, "failure": 2}, "to": "status_id"} + ] + }, + + // Audit logs - Password reset + { + "pattern": "\"category\":\\s*\"AuditLogs\".*\"activityDisplayName\":\\s*\"Reset user password\"", + "rewrites": [ + {"set": "class_uid", "value": "3001"}, + {"set": "class_name", "value": "Account Change"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "3"}, + {"set": "activity_name", "value": "Password Reset"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft Entra ID"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + {"jsonPath": "$.time", "to": "time"}, + + // Actor + {"jsonPath": "$.properties.initiatedBy.user.displayName", "to": "actor.user.full_name"}, + {"jsonPath": "$.properties.initiatedBy.user.userPrincipalName", "to": "actor.user.email_addr"}, + {"jsonPath": "$.properties.initiatedBy.user.ipAddress", "to": "src_endpoint.ip"}, + + // Target user + {"jsonPath": "$.properties.targetResources[0].displayName", "to": "user.full_name"}, + {"jsonPath": "$.properties.targetResources[0].userPrincipalName", "to": "user.email_addr"}, + {"jsonPath": "$.properties.targetResources[0].id", "to": "user.uid"}, + + // Status + {"jsonPath": "$.properties.result", "to": "status"}, + {"lookup": "status", "map": {"success": 1, "failure": 2}, "to": "status_id"}, + + // Severity for password changes + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + } + ], + + "error_code_mappings": { + "50126": "Invalid username or password", + "50053": "Account locked", + "50057": "Account disabled", + "50055": "Password expired", + "50076": "MFA required", + "50074": "Strong authentication required", + "53003": "Blocked by Conditional Access" + } +} diff --git a/parsers/ocsf-f5-apm b/parsers/ocsf-f5-apm new file mode 100644 index 0000000..692ccc8 --- /dev/null +++ b/parsers/ocsf-f5-apm @@ -0,0 +1,312 @@ +// SentinelOne AI SIEM Parser: F5 Networks BIG-IP APM +// OCSF Schema Version: 1.1.0 +// Maps F5 BIG-IP APM access policy logs to OCSF classes +// Primary Classes: Authentication (3002), Session Activity (3005) + +{ + "parserName": "F5APM-OCSF", + "version": "1.0.0", + "vendor": "F5 Networks", + "product": "BIG-IP APM", + "format": "syslog", + + "patterns": [ + // Session created + { + "pattern": "apmd\\[\\d+\\]:\\s+(\\d+):(\\d+):\\s+(/\\S+):Common:(\\S+):\\s+(?:New\\s+)?[Ss]ession\\s+created", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "type_uid", "value": "300201"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + {"group": 1, "to": "metadata.log_level"}, + {"group": 2, "to": "metadata.facility"}, + + // Policy and session + {"group": 3, "to": "policy.name"}, + {"group": 4, "to": "session.uid"}, + + // Extract client IP + {"regex": "Client IP:\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // Extract user agent + {"regex": "User Agent:\\s+(.+?)(?:\\s+$|\\s+\\w+:)", "group": 1, "to": "http_request.user_agent"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Session variable set (username) + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Session variable\\s+'session\\.logon\\.last\\.username'\\s+set to\\s+'([^']+)'", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "0"}, + {"set": "activity_name", "value": "Session Update"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "user.name"} + ] + }, + + // AD Authentication + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+AD Auth query\\s+-\\s+User:\\s+(\\S+)\\s+Domain:\\s+(\\S+)\\s+Server:\\s+(\\S+)\\s+Result:\\s+(\\w+)", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "user.name"}, + {"group": 4, "to": "user.domain"}, + {"group": 5, "to": "auth_server"}, + {"group": 6, "to": "auth_result"}, + + {"set": "auth_protocol", "value": "Active Directory"}, + + // Status + {"lookup": "auth_result", "map": {"Success": 1, "Failure": 2, "Failed": 2}, "to": "status_id"}, + {"lookup": "auth_result", "map": {"Success": "Success", "Failure": "Failure", "Failed": "Failure"}, "to": "status"} + ] + }, + + // AD Group query + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+AD Group query\\s+-\\s+User:\\s+(\\S+)\\s+Groups:\\s+(.+?)$", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "0"}, + {"set": "activity_name", "value": "Group Query"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "user.name"}, + {"group": 4, "to": "user.groups", "transform": "splitComma"} + ] + }, + + // MFA Challenge + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+MFA\\s+(Challenge sent|Response received)\\s+-\\s+(?:Method:\\s+(\\S+))?\\s*(?:Server:\\s+(\\S+))?\\s*(?:Result:\\s+(\\w+))?", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "99"}, + {"set": "activity_name", "value": "MFA"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "mfa.status"}, + {"group": 4, "to": "mfa.method"}, + {"group": 5, "to": "mfa.server"}, + {"group": 6, "to": "mfa.result"}, + + // Status + {"lookup": "mfa.result", "map": {"Success": 1, "Failure": 2}, "to": "status_id"}, + {"lookup": "mfa.result", "map": {"Success": "Success", "Failure": "Failure"}, "to": "status"} + ] + }, + + // Access policy result + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Access policy result:\\s+(\\w+)(?:\\s+-\\s+(.+))?", + "rewrites": [ + {"set": "class_uid", "value": "3003"}, + {"set": "class_name", "value": "Authorization"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "policy.result"}, + {"group": 4, "to": "policy.detail"}, + + // Activity + {"lookup": "policy.result", "map": {"Allow": 1, "Deny": 2}, "to": "activity_id"}, + {"lookup": "policy.result", "map": {"Allow": "Grant", "Deny": "Deny"}, "to": "activity_name"}, + + // Status + {"lookup": "policy.result", "map": {"Allow": 1, "Deny": 2}, "to": "status_id"}, + {"lookup": "policy.result", "map": {"Allow": "Success", "Deny": "Failure"}, "to": "status"}, + + // Extract assigned resources + {"regex": "Assigned resources:\\s+(.+?)$", "group": 1, "to": "resources.names"} + ] + }, + + // Network Access tunnel + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Network Access tunnel established\\s+-\\s+Assigned IP:\\s+([\\d.]+)\\s+Lease Pool:\\s+(\\S+)", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "VPN Connect"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "src_endpoint.ip"}, + {"group": 4, "to": "connection_info.pool"}, + + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Session authentication failed + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Session authentication failed\\s+-\\s+User:\\s+(\\S+)\\s+Client IP:\\s+([\\d.]+)\\s+Reason:\\s+(.+?)$", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "user.name"}, + {"group": 4, "to": "src_endpoint.ip"}, + {"group": 5, "to": "status_detail"}, + + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + }, + + // Session terminated + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Session terminated\\s+-\\s+User:\\s+(\\S+)\\s+Reason:\\s+(\\S+)\\s+Duration:\\s+(\\d+)\\s+seconds\\s+Bytes In:\\s+(\\d+)\\s+Bytes Out:\\s+(\\d+)", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Logoff"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "user.name"}, + {"group": 4, "to": "logoff_type"}, + {"group": 5, "to": "session.duration"}, + {"group": 6, "to": "traffic.bytes_in"}, + {"group": 7, "to": "traffic.bytes_out"}, + + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Anomaly detected + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Anomaly detected\\s+-\\s+User:\\s+(\\S+)\\s+Client IP:\\s+([\\d.]+)\\s+Risk:\\s+(.+?)$", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + {"set": "finding_info.types", "value": ["User Behavior Anomaly"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "user.name"}, + {"group": 4, "to": "src_endpoint.ip"}, + {"group": 5, "to": "finding_info.title"}, + + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"} + ] + }, + + // Endpoint inspection + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Endpoint inspection\\s+-\\s+OS:\\s+(\\S+)\\s+Antivirus:\\s+([^)]+\\))\\s+Firewall:\\s+(\\w+)\\s+Compliant:\\s+(\\w+)", + "rewrites": [ + {"set": "class_uid", "value": "5002"}, + {"set": "class_name", "value": "Compliance"}, + {"set": "category_uid", "value": "5"}, + {"set": "category_name", "value": "Discovery"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Endpoint Check"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "device.os.name"}, + {"group": 4, "to": "device.antivirus"}, + {"group": 5, "to": "device.firewall_status"}, + {"group": 6, "to": "compliance.status"}, + + // Status + {"lookup": "compliance.status", "map": {"Yes": 1, "No": 2}, "to": "status_id"}, + {"lookup": "compliance.status", "map": {"Yes": "Compliant", "No": "Non-Compliant"}, "to": "status"} + ] + } + ], + + "transforms": { + "splitComma": { + "delimiter": ", ", + "type": "array" + } + } +} diff --git a/parsers/ocsf-f5-bigip b/parsers/ocsf-f5-bigip new file mode 100644 index 0000000..e0f4b6f --- /dev/null +++ b/parsers/ocsf-f5-bigip @@ -0,0 +1,223 @@ +// SentinelOne AI SIEM Parser: AMS - F5 Network Big IP +// OCSF Schema Version: 1.1.0 +// Maps F5 BIG-IP LTM/ASM/APM logs to OCSF classes +// Primary Classes: HTTP Activity (4002), Security Finding (2001), Network Activity (4001) + +{ + "parserName": "F5BigIP-OCSF", + "version": "1.0.0", + "vendor": "F5 Networks", + "product": "BIG-IP", + "format": "syslog", + + "patterns": [ + // iRule HTTP Request logs + { + "pattern": "Rule\\s+(/\\S+)\\s+:", + "rewrites": [ + {"set": "class_uid", "value": "4002"}, + {"set": "class_name", "value": "HTTP Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Request"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP LTM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + {"group": 1, "to": "policy.name"}, + + // Client + {"regex": "Client\\s+([\\d.]+):(\\d+)", "group": 1, "to": "src_endpoint.ip"}, + {"regex": "Client\\s+([\\d.]+):(\\d+)", "group": 2, "to": "src_endpoint.port"}, + + // VIP + {"regex": "VIP\\s+([\\d.]+):(\\d+)", "group": 1, "to": "dst_endpoint.ip"}, + {"regex": "VIP\\s+([\\d.]+):(\\d+)", "group": 2, "to": "dst_endpoint.port"}, + + // Pool/Member + {"regex": "Pool\\s+(\\S+)", "group": 1, "to": "dst_endpoint.svc_name"}, + {"regex": "Member\\s+([\\d.]+):(\\d+)", "group": 1, "to": "dst_endpoint.intermediate_ips"}, + + // HTTP details + {"regex": "URI\\s+(\\S+)", "group": 1, "to": "http_request.url.path"}, + {"regex": "Method\\s+(\\w+)", "group": 1, "to": "http_request.http_method"}, + {"regex": "Host\\s+(\\S+)", "group": 1, "to": "http_request.url.hostname"}, + {"regex": "User-Agent\\s+(.+?)(?:\\s+\\w+=|$)", "group": 1, "to": "http_request.user_agent"} + ] + }, + + // iRule Security blocks + { + "pattern": "Rule\\s+(/\\S+)\\s+:\\s+BLOCKED", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Block"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP iRule"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + // Extract attack info + {"regex": "BLOCKED\\s+-\\s+(.+?)\\s+Client", "group": 1, "to": "finding_info.title"}, + {"regex": "Client\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + {"regex": "URI\\s+(\\S+)", "group": 1, "to": "finding_info.src_url"}, + {"regex": "Pattern matched:\\s+(.+?)$", "group": 1, "to": "finding_info.desc"}, + + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"} + ] + }, + + // SSL Handshake failures + { + "pattern": "SSL Handshake failed", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "6"}, + {"set": "activity_name", "value": "Fail"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP SSL"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 1, "to": "src_endpoint.ip"}, + {"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 2, "to": "src_endpoint.port"}, + {"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 3, "to": "dst_endpoint.ip"}, + {"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 4, "to": "dst_endpoint.port"}, + + {"regex": "-\\s+(.+)$", "group": 1, "to": "status_detail"}, + + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + }, + + // APM Session events + { + "pattern": "apmd\\[\\d+\\]:", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + // Session + {"regex": ":Common:(\\w+):", "group": 1, "to": "session.uid"}, + + // User + {"regex": "User:\\s+(\\S+)", "group": 1, "to": "user.name"}, + + // Client IP + {"regex": "Client IP:\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // Activity based on message + {"set": "activity_id", "value": "1", "if": "Session created|session created"}, + {"set": "activity_name", "value": "Logon", "if": "Session created|session created"}, + {"set": "activity_id", "value": "2", "if": "Session terminated|terminated"}, + {"set": "activity_name", "value": "Logoff", "if": "Session terminated|terminated"}, + + // Status + {"set": "status_id", "value": "1", "if": "Allow|Success|success"}, + {"set": "status", "value": "Success", "if": "Allow|Success|success"}, + {"set": "status_id", "value": "2", "if": "Deny|failed|failure"}, + {"set": "status", "value": "Failure", "if": "Deny|failed|failure"} + ] + }, + + // ASM (WAF) logs + { + "pattern": "ASM:", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP ASM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + // Parse ASM fields + {"regex": "unit_hostname=\"([^\"]+)\"", "group": 1, "to": "device.hostname"}, + {"regex": "management_ip_address=\"([^\"]+)\"", "group": 1, "to": "device.ip"}, + {"regex": "policy_name=\"([^\"]+)\"", "group": 1, "to": "policy.name"}, + {"regex": "violations=\"([^\"]+)\"", "group": 1, "to": "finding_info.title"}, + {"regex": "request_status=\"([^\"]+)\"", "group": 1, "to": "activity_name"}, + {"regex": "response_code=\"([^\"]+)\"", "group": 1, "to": "http_response.code"}, + {"regex": "ip_client=\"([^\"]+)\"", "group": 1, "to": "src_endpoint.ip"}, + {"regex": "method=\"([^\"]+)\"", "group": 1, "to": "http_request.http_method"}, + {"regex": "protocol=\"([^\"]+)\"", "group": 1, "to": "connection_info.protocol_name"}, + {"regex": "uri=\"([^\"]+)\"", "group": 1, "to": "http_request.url.path"}, + {"regex": "sig_ids=\"([^\"]+)\"", "group": 1, "to": "finding_info.uid"}, + {"regex": "sig_names=\"([^\"]+)\"", "group": 1, "to": "finding_info.desc"}, + {"regex": "severity=\"([^\"]+)\"", "group": 1, "to": "severity"}, + {"regex": "attack_type=\"([^\"]+)\"", "group": 1, "to": "finding_info.types"}, + + // Severity mapping + {"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Informational": 1}, "to": "severity_id"}, + + // Activity + {"lookup": "activity_name", "map": {"blocked": 2, "passed": 1, "alarmed": 1}, "to": "activity_id"} + ] + }, + + // Pool member status + { + "pattern": "Pool\\s+(/\\S+)\\s+member\\s+([\\d.]+):(\\d+)\\s+monitor status\\s+(\\w+)", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "99"}, + {"set": "activity_name", "value": "Health Check"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP LTM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "dst_endpoint.svc_name"}, + {"group": 2, "to": "dst_endpoint.ip"}, + {"group": 3, "to": "dst_endpoint.port"}, + {"group": 4, "to": "status"}, + + {"lookup": "status", "map": {"up": 1, "down": 2}, "to": "status_id"} + ] + }, + + // Audit logs + { + "pattern": "AUDIT\\s+-\\s+user\\s+(\\S+)", + "rewrites": [ + {"set": "class_uid", "value": "6002"}, + {"set": "class_name", "value": "API Activity"}, + {"set": "category_uid", "value": "6"}, + {"set": "category_name", "value": "Application Activity"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "actor.user.name"}, + {"regex": "from host\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + {"regex": "modified object\\s+(\\S+)", "group": 1, "to": "resources.name"}, + {"regex": "state from\\s+(\\w+)\\s+to\\s+(\\w+)", "group": 1, "to": "prev_state"}, + {"regex": "state from\\s+(\\w+)\\s+to\\s+(\\w+)", "group": 2, "to": "state"}, + + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Update"} + ] + } + ] +} diff --git a/parsers/ocsf-fortigate b/parsers/ocsf-fortigate new file mode 100644 index 0000000..4826849 --- /dev/null +++ b/parsers/ocsf-fortigate @@ -0,0 +1,169 @@ +// SentinelOne AI SIEM Parser: Fortinet FortiGate Security Gateway +// OCSF Schema Version: 1.1.0 +// Maps FortiGate key=value logs to OCSF classes +// Primary Classes: Network Activity (4001), Security Finding (2001), Detection Finding (2004) + +{ + "parserName": "FortiGate-OCSF", + "version": "1.0.0", + "vendor": "Fortinet", + "product": "FortiGate", + "format": "kv", + "delimiter": " ", + "kvSeparator": "=", + + "patterns": [ + // Traffic logs + { + "pattern": "type=\"traffic\"", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + // Activity mapping + {"lookup": "action", "map": {"accept": 1, "deny": 2, "drop": 5, "close": 4}, "to": "activity_id"}, + {"lookup": "action", "map": {"accept": "Traffic Allowed", "deny": "Traffic Denied", "drop": "Traffic Dropped", "close": "Connection Closed"}, "to": "activity_name"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "FortiGate"}, + {"set": "metadata.product.vendor_name", "value": "Fortinet"}, + {"copy": "devname", "to": "metadata.product.feature.uid"}, + {"copy": "devid", "to": "device.uid"}, + {"copy": "logid", "to": "metadata.log_name"}, + + // Time + {"parseTimestamp": "date time", "format": "yyyy-MM-dd HH:mm:ss", "to": "time"}, + {"copy": "eventtime", "to": "time", "transform": "epochToISO"}, + + // Source endpoint + {"copy": "srcip", "to": "src_endpoint.ip"}, + {"copy": "srcport", "to": "src_endpoint.port"}, + {"copy": "srcintf", "to": "src_endpoint.interface_name"}, + {"copy": "srccountry", "to": "src_endpoint.location.country"}, + + // Destination endpoint + {"copy": "dstip", "to": "dst_endpoint.ip"}, + {"copy": "dstport", "to": "dst_endpoint.port"}, + {"copy": "dstintf", "to": "dst_endpoint.interface_name"}, + {"copy": "dstcountry", "to": "dst_endpoint.location.country"}, + + // Connection info + {"copy": "proto", "to": "connection_info.protocol_num"}, + {"lookup": "proto", "map": {"6": "TCP", "17": "UDP", "1": "ICMP"}, "to": "connection_info.protocol_name"}, + {"copy": "sessionid", "to": "connection_info.session.uid"}, + {"copy": "duration", "to": "connection_info.session.duration"}, + + // Traffic stats + {"copy": "sentbyte", "to": "traffic.bytes_out"}, + {"copy": "rcvdbyte", "to": "traffic.bytes_in"}, + {"copy": "sentpkt", "to": "traffic.packets_out"}, + {"copy": "rcvdpkt", "to": "traffic.packets_in"}, + + // Policy + {"copy": "policyid", "to": "policy.uid"}, + {"copy": "policyname", "to": "policy.name"}, + + // Application + {"copy": "app", "to": "app_name"}, + {"copy": "appcat", "to": "app.category"}, + {"copy": "apprisk", "to": "app.risk_level"}, + + // NAT + {"copy": "transip", "to": "proxy.ip"}, + {"copy": "transport", "to": "proxy.port"}, + + // Status + {"set": "status_id", "value": "1"}, + {"lookup": "action", "map": {"accept": "Success", "deny": "Failure", "drop": "Failure"}, "to": "status"} + ] + }, + + // IPS/UTM logs + { + "pattern": "type=\"utm\" subtype=\"ips\"", + "rewrites": [ + {"set": "class_uid", "value": "2004"}, + {"set": "class_name", "value": "Detection Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "FortiGate IPS"}, + {"set": "metadata.product.vendor_name", "value": "Fortinet"}, + + // Finding info + {"copy": "attack", "to": "finding_info.title"}, + {"copy": "attackid", "to": "finding_info.uid"}, + {"copy": "ref", "to": "finding_info.src_url"}, + {"copy": "msg", "to": "finding_info.desc"}, + + // Severity + {"lookup": "severity", "map": {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}, "to": "severity_id"}, + {"copy": "severity", "to": "severity"}, + + // Endpoints + {"copy": "srcip", "to": "src_endpoint.ip"}, + {"copy": "srcport", "to": "src_endpoint.port"}, + {"copy": "dstip", "to": "dst_endpoint.ip"}, + {"copy": "dstport", "to": "dst_endpoint.port"}, + + // Action + {"lookup": "action", "map": {"dropped": 2, "blocked": 2, "detected": 1, "pass": 0}, "to": "activity_id"} + ] + }, + + // Virus/Malware logs + { + "pattern": "type=\"utm\" subtype=\"virus\"", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "finding_info.types", "value": ["Malware"]}, + + {"copy": "virusname", "to": "malware.name"}, + {"copy": "filename", "to": "file.name"}, + {"copy": "analyticscksum", "to": "file.hashes.sha256"}, + {"copy": "dtype", "to": "file.type_id"}, + + {"lookup": "action", "map": {"blocked": 2, "detected": 1, "quarantined": 3}, "to": "activity_id"} + ] + }, + + // Web filter logs + { + "pattern": "type=\"utm\" subtype=\"webfilter\"", + "rewrites": [ + {"set": "class_uid", "value": "4002"}, + {"set": "class_name", "value": "HTTP Activity"}, + + {"copy": "hostname", "to": "http_request.url.hostname"}, + {"copy": "url", "to": "http_request.url.path"}, + {"copy": "method", "to": "http_request.http_method"}, + {"copy": "cat", "to": "http_request.url.category_ids"}, + {"copy": "catdesc", "to": "http_request.url.categories"}, + + {"lookup": "action", "map": {"blocked": 2, "passthrough": 1, "warning": 3}, "to": "activity_id"} + ] + }, + + // System/Auth logs + { + "pattern": "type=\"event\" subtype=\"system\"", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + + {"copy": "user", "to": "actor.user.name"}, + {"copy": "ui", "to": "src_endpoint.name"}, + {"copy": "action", "to": "activity_name"}, + + {"lookup": "status", "map": {"success": 1, "failed": 2}, "to": "status_id"}, + {"copy": "reason", "to": "status_detail"}, + {"copy": "msg", "to": "message"} + ] + } + ] +} diff --git a/parsers/ocsf-hana-db b/parsers/ocsf-hana-db new file mode 100644 index 0000000..1b6b3e3 --- /dev/null +++ b/parsers/ocsf-hana-db @@ -0,0 +1,308 @@ +// SentinelOne AI SIEM Parser: SAP HANA Database +// OCSF Schema Version: 1.1.0 +// Maps SAP HANA audit JSON logs to OCSF classes +// Primary Classes: Database Activity (4003), Authentication (3002), Authorization (3003) + +{ + "parserName": "HANADatabase-OCSF", + "version": "1.0.0", + "vendor": "SAP", + "product": "HANA Database", + "format": "json", + + "patterns": [ + // Connection events (CONNECT/DISCONNECT) + { + "pattern": "\"audit_action\":\\s*\"CONNECT\"", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "type_uid", "value": "300201"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + {"jsonPath": "$.host", "to": "device.hostname"}, + {"jsonPath": "$.component", "to": "metadata.product.feature.name"}, + {"jsonPath": "$.source_file", "to": "metadata.log_name"}, + {"jsonPath": "$.source_line", "to": "metadata.log_line"}, + {"jsonPath": "$.thread_id", "to": "metadata.uid"}, + + // Time + {"jsonPath": "$.timestamp", "to": "time"}, + + // User + {"jsonPath": "$.user_name", "to": "user.name"}, + {"jsonPath": "$.application_user", "to": "actor.user.name"}, + {"jsonPath": "$.application_name", "to": "app_name"}, + + // Session + {"jsonPath": "$.connection_id", "to": "session.uid"}, + + // Source endpoint + {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"}, + {"jsonPath": "$.client_port", "to": "src_endpoint.port"}, + + // Audit policy + {"jsonPath": "$.audit_policy_name", "to": "policy.name"}, + {"jsonPath": "$.audit_level", "to": "severity"}, + + // Comment + {"jsonPath": "$.comment", "to": "message"}, + + // Status - check for error + {"set": "status_id", "value": "1", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"}, + {"set": "status", "value": "Success", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"} + ] + }, + + // Failed connection + { + "pattern": "\"audit_action\":\\s*\"CONNECT\".*\"error_code\":\\s*[1-9]", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + + {"jsonPath": "$.timestamp", "to": "time"}, + {"jsonPath": "$.user_name", "to": "user.name"}, + {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"}, + {"jsonPath": "$.error_code", "to": "status_code"}, + {"jsonPath": "$.error_message", "to": "status_detail"}, + + // Severity + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + }, + + // Disconnect + { + "pattern": "\"audit_action\":\\s*\"DISCONNECT\"", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Logoff"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + + {"jsonPath": "$.timestamp", "to": "time"}, + {"jsonPath": "$.user_name", "to": "user.name"}, + {"jsonPath": "$.connection_id", "to": "session.uid"}, + {"jsonPath": "$.session_duration_seconds", "to": "session.duration"}, + + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // SELECT queries + { + "pattern": "\"audit_action\":\\s*\"SELECT\"", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "Database Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Query"}, + {"set": "type_uid", "value": "400301"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + + {"jsonPath": "$.timestamp", "to": "time"}, + {"jsonPath": "$.user_name", "to": "actor.user.name"}, + {"jsonPath": "$.connection_id", "to": "actor.session.uid"}, + {"jsonPath": "$.transaction_id", "to": "transaction.uid"}, + {"jsonPath": "$.statement_id", "to": "query_info.uid"}, + + // Query details + {"jsonPath": "$.statement", "to": "query_info.query_string"}, + {"jsonPath": "$.executed_statement", "to": "query_info.executed_query"}, + {"set": "query_info.query_type", "value": "SELECT"}, + + // Performance + {"jsonPath": "$.rows_affected", "to": "query_info.rows_affected"}, + {"jsonPath": "$.execution_time_ms", "to": "query_info.duration"}, + + // Source + {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"}, + {"jsonPath": "$.application_name", "to": "app_name"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Data modification (INSERT/UPDATE/DELETE) + { + "pattern": "\"audit_action\":\\s*\"(INSERT|UPDATE|DELETE)\"", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "Database Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + {"jsonPath": "$.audit_action", "to": "activity_name"}, + {"lookup": "activity_name", "map": {"INSERT": 2, "UPDATE": 3, "DELETE": 4}, "to": "activity_id"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + + {"jsonPath": "$.timestamp", "to": "time"}, + {"jsonPath": "$.user_name", "to": "actor.user.name"}, + {"jsonPath": "$.connection_id", "to": "actor.session.uid"}, + {"jsonPath": "$.transaction_id", "to": "transaction.uid"}, + + // Query + {"jsonPath": "$.statement", "to": "query_info.query_string"}, + {"jsonPath": "$.executed_statement", "to": "query_info.executed_query"}, + {"jsonPath": "$.rows_affected", "to": "query_info.rows_affected"}, + {"jsonPath": "$.execution_time_ms", "to": "query_info.duration"}, + + // Source + {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"}, + + // Severity for data modification + {"set": "severity_id", "value": "2"}, + {"set": "severity", "value": "Low"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // GRANT/REVOKE (privilege changes) + { + "pattern": "\"audit_action\":\\s*\"GRANT\"", + "rewrites": [ + {"set": "class_uid", "value": "3003"}, + {"set": "class_name", "value": "Authorization"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Grant"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + + {"jsonPath": "$.timestamp", "to": "time"}, + {"jsonPath": "$.user_name", "to": "actor.user.name"}, + {"jsonPath": "$.connection_id", "to": "actor.session.uid"}, + + // Privilege details + {"jsonPath": "$.statement", "to": "message"}, + {"jsonPath": "$.executed_statement", "to": "privileges"}, + + // Source + {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"}, + + // Severity for privilege grants + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Backup operations + { + "pattern": "\"audit_action\":\\s*\"BACKUP DATA\"", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "Database Activity"}, + {"set": "activity_id", "value": "5"}, + {"set": "activity_name", "value": "Backup"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + + {"jsonPath": "$.timestamp", "to": "time"}, + {"jsonPath": "$.user_name", "to": "actor.user.name"}, + {"jsonPath": "$.application_user", "to": "actor.user.account.name"}, + {"jsonPath": "$.application_name", "to": "app_name"}, + + // Backup details + {"jsonPath": "$.statement", "to": "message"}, + {"jsonPath": "$.backup_id", "to": "backup.uid"}, + {"jsonPath": "$.backup_size_mb", "to": "backup.size"}, + + // Source + {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Critical audit level events + { + "pattern": "\"audit_level\":\\s*\"CRITICAL\"", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + {"set": "finding_info.types", "value": ["Database Security Event"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + + {"jsonPath": "$.timestamp", "to": "time"}, + {"jsonPath": "$.user_name", "to": "actor.user.name"}, + {"jsonPath": "$.audit_action", "to": "finding_info.title"}, + {"jsonPath": "$.comment", "to": "finding_info.desc"}, + {"jsonPath": "$.statement", "to": "finding_info.data_sources"}, + + // Source + {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"}, + + // Severity + {"set": "severity_id", "value": "5"}, + {"set": "severity", "value": "Critical"} + ] + } + ], + + "audit_action_mappings": { + "CONNECT": {"class": "Authentication", "activity": "Logon"}, + "DISCONNECT": {"class": "Authentication", "activity": "Logoff"}, + "SELECT": {"class": "Database Activity", "activity": "Query"}, + "INSERT": {"class": "Database Activity", "activity": "Insert"}, + "UPDATE": {"class": "Database Activity", "activity": "Update"}, + "DELETE": {"class": "Database Activity", "activity": "Delete"}, + "CREATE": {"class": "Database Activity", "activity": "Create"}, + "DROP": {"class": "Database Activity", "activity": "Delete"}, + "ALTER": {"class": "Database Activity", "activity": "Update"}, + "GRANT": {"class": "Authorization", "activity": "Grant"}, + "REVOKE": {"class": "Authorization", "activity": "Revoke"}, + "BACKUP DATA": {"class": "Database Activity", "activity": "Backup"}, + "RESTORE": {"class": "Database Activity", "activity": "Restore"} + } +} diff --git a/parsers/ocsf-isc-bind b/parsers/ocsf-isc-bind new file mode 100644 index 0000000..f96b017 --- /dev/null +++ b/parsers/ocsf-isc-bind @@ -0,0 +1,259 @@ +// SentinelOne AI SIEM Parser: ISC BIND DNS Server +// OCSF Schema Version: 1.1.0 +// Maps ISC BIND query/security logs to OCSF classes +// Primary Class: DNS Activity (4003) + +{ + "parserName": "ISCBIND-OCSF", + "version": "1.0.0", + "vendor": "ISC", + "product": "BIND", + "format": "syslog", + + "patterns": [ + // Query logs + { + "pattern": "queries:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+query:\\s+(\\S+)\\s+IN\\s+(\\w+)", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "DNS Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Query"}, + {"set": "type_uid", "value": "400301"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "ISC BIND"}, + {"set": "metadata.product.vendor_name", "value": "ISC"}, + {"group": 1, "to": "metadata.uid"}, + + // Time (from syslog header) + {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"}, + + // Client + {"group": 2, "to": "src_endpoint.ip"}, + {"group": 3, "to": "src_endpoint.port"}, + + // Query info + {"group": 4, "to": "query_info.opcode"}, + {"group": 5, "to": "query_info.hostname"}, + {"group": 6, "to": "query_info.type"}, + + // DNS server + {"regex": "\\(([\\d.]+)\\)$", "group": 1, "to": "dst_endpoint.ip"}, + + // Observables + {"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$2"}}, + {"array": "observables", "append": {"type": "Hostname", "type_id": 1, "value": "$5"}}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Security - Zone transfer denied + { + "pattern": "security:\\s+warning:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+zone transfer\\s+'([^']+)'\\s+denied", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + {"set": "finding_info.types", "value": ["DNS Zone Transfer Attempt"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "ISC BIND"}, + {"set": "metadata.product.vendor_name", "value": "ISC"}, + + // Time + {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"}, + + // Client + {"group": 2, "to": "src_endpoint.ip"}, + {"group": 3, "to": "src_endpoint.port"}, + + // Zone + {"group": 5, "to": "finding_info.title"}, + {"set": "finding_info.desc", "value": "Unauthorized zone transfer attempt"}, + + // Severity + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"}, + + // Status + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Deny"} + ] + }, + + // Security - Query denied + { + "pattern": "security:\\s+error:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+query\\s+\\(cache\\)\\s+'([^']+)'\\s+denied", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "DNS Activity"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Query Denied"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "ISC BIND"}, + {"set": "metadata.product.vendor_name", "value": "ISC"}, + + // Time + {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"}, + + // Client + {"group": 2, "to": "src_endpoint.ip"}, + {"group": 3, "to": "src_endpoint.port"}, + + // Query + {"group": 5, "to": "query_info.hostname"}, + + // Status + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + {"set": "rcode", "value": "REFUSED"}, + + // Severity + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + }, + + // Zone transfer (AXFR) - successful + { + "pattern": "xfer-out:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+transfer of\\s+'([^']+)':\\s+AXFR\\s+(started|ended)", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "DNS Activity"}, + + {"group": 6, "to": "transfer_status"}, + {"lookup": "transfer_status", "map": {"started": 3, "ended": 4}, "to": "activity_id"}, + {"lookup": "transfer_status", "map": {"started": "Zone Transfer Start", "ended": "Zone Transfer Complete"}, "to": "activity_name"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "ISC BIND"}, + {"set": "metadata.product.vendor_name", "value": "ISC"}, + + // Time + {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"}, + + // Client (secondary DNS) + {"group": 2, "to": "dst_endpoint.ip"}, + {"group": 3, "to": "dst_endpoint.port"}, + + // Zone + {"group": 5, "to": "query_info.hostname"}, + {"set": "query_info.type", "value": "AXFR"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Dynamic update + { + "pattern": "update:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+updating zone\\s+'([^']+)':\\s+(adding|deleting)\\s+an RR at\\s+'([^']+)'\\s+(\\w+)\\s+(\\S+)", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "DNS Activity"}, + + {"group": 6, "to": "update_action"}, + {"lookup": "update_action", "map": {"adding": 5, "deleting": 6}, "to": "activity_id"}, + {"lookup": "update_action", "map": {"adding": "Record Add", "deleting": "Record Delete"}, "to": "activity_name"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "ISC BIND"}, + {"set": "metadata.product.vendor_name", "value": "ISC"}, + + // Time + {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"}, + + // Client + {"group": 2, "to": "src_endpoint.ip"}, + {"group": 3, "to": "src_endpoint.port"}, + + // Zone and record + {"group": 5, "to": "query_info.zone"}, + {"group": 7, "to": "query_info.hostname"}, + {"group": 8, "to": "query_info.type"}, + {"group": 9, "to": "answers.rdata"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Rate limiting + { + "pattern": "rate-limit:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+):\\s+rate limit\\s+(\\w+)\\s+(\\w+)\\s+response", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "finding_info.types", "value": ["DNS Rate Limiting"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "ISC BIND"}, + {"set": "metadata.product.vendor_name", "value": "ISC"}, + + // Time + {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"}, + + // Client + {"group": 2, "to": "src_endpoint.ip"}, + {"group": 3, "to": "src_endpoint.port"}, + + // Rate limit action + {"group": 4, "to": "activity_name"}, + {"group": 5, "to": "finding_info.title"}, + + // Severity + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + }, + + // DNSSEC events + { + "pattern": "dnssec:\\s+info:\\s+zone\\s+(\\S+):\\s+DNSKEY\\s+(\\d+)/(\\w+)\\s+\\((\\w+)\\)\\s+is now\\s+(\\w+)", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "DNS Activity"}, + {"set": "activity_id", "value": "7"}, + {"set": "activity_name", "value": "DNSSEC Key Event"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "ISC BIND"}, + {"set": "metadata.product.vendor_name", "value": "ISC"}, + + // Time + {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"}, + + // Zone + {"group": 1, "to": "query_info.zone"}, + + // Key info + {"group": 2, "to": "dnssec.key_tag"}, + {"group": 3, "to": "dnssec.algorithm"}, + {"group": 4, "to": "dnssec.key_type"}, + {"group": 5, "to": "dnssec.key_state"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + } + ], + + "query_type_mappings": { + "A": 1, "AAAA": 28, "MX": 15, "TXT": 16, "CNAME": 5, + "NS": 2, "SOA": 6, "PTR": 12, "SRV": 33, "AXFR": 252, "ANY": 255 + } +} diff --git a/parsers/ocsf-linux-os b/parsers/ocsf-linux-os new file mode 100644 index 0000000..446407f --- /dev/null +++ b/parsers/ocsf-linux-os @@ -0,0 +1,406 @@ +// SentinelOne AI SIEM Parser: Linux OS +// OCSF Schema Version: 1.1.0 +// Maps Linux syslog/auth/audit logs to OCSF classes +// Primary Classes: Authentication (3002), Process Activity (1007), Account Change (3001) + +{ + "parserName": "LinuxOS-OCSF", + "version": "1.0.0", + "vendor": "Linux", + "product": "Linux OS", + "format": "syslog", + + "patterns": [ + // SSH successful login + { + "pattern": "sshd\\[\\d+\\]:\\s+Accepted\\s+(\\w+)\\s+for\\s+(\\S+)\\s+from\\s+([\\d.]+)\\s+port\\s+(\\d+)", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "type_uid", "value": "300201"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "OpenSSH"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)\\s+(\\S+)", "group": 2, "to": "device.hostname"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Auth method + {"group": 1, "to": "auth_protocol"}, + + // User + {"group": 2, "to": "user.name"}, + + // Source + {"group": 3, "to": "src_endpoint.ip"}, + {"group": 4, "to": "src_endpoint.port"}, + + // SSH key fingerprint + {"regex": "SHA256:(\\S+)", "group": 1, "to": "user.credential_uid"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // SSH failed login + { + "pattern": "sshd\\[\\d+\\]:\\s+Failed\\s+(\\w+)\\s+for\\s+(invalid user\\s+)?(\\S+)\\s+from\\s+([\\d.]+)\\s+port\\s+(\\d+)", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "OpenSSH"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Auth method + {"group": 1, "to": "auth_protocol"}, + + // User + {"group": 3, "to": "user.name"}, + {"set": "user.type", "value": "Invalid", "if": "invalid user"}, + + // Source + {"group": 4, "to": "src_endpoint.ip"}, + {"group": 5, "to": "src_endpoint.port"}, + + // Severity + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + }, + + // Sudo command execution + { + "pattern": "sudo:\\s+(\\S+)\\s+:\\s+TTY=(\\S+)\\s+;\\s+PWD=(\\S+)\\s+;\\s+USER=(\\S+)\\s+;\\s+COMMAND=(.+)$", + "rewrites": [ + {"set": "class_uid", "value": "1007"}, + {"set": "class_name", "value": "Process Activity"}, + {"set": "category_uid", "value": "1"}, + {"set": "category_name", "value": "System Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Launch"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "sudo"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Actor + {"group": 1, "to": "actor.user.name"}, + {"group": 2, "to": "actor.session.terminal"}, + {"group": 3, "to": "process.cwd"}, + + // Target user (run as) + {"group": 4, "to": "user.name"}, + + // Command + {"group": 5, "to": "process.cmd_line"}, + + // Privilege escalation indicator + {"set": "is_privileged", "value": "true"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Sudo denied + { + "pattern": "sudo:\\s+(\\S+)\\s+:\\s+user NOT in sudoers", + "rewrites": [ + {"set": "class_uid", "value": "3003"}, + {"set": "class_name", "value": "Authorization"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Deny"}, + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "sudo"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // User + {"group": 1, "to": "actor.user.name"}, + + // Extract command attempted + {"regex": "COMMAND=(.+)$", "group": 1, "to": "process.cmd_line"}, + + // Severity + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"} + ] + }, + + // User creation (useradd) + { + "pattern": "useradd\\[\\d+\\]:\\s+new user:\\s+name=(\\S+),\\s+UID=(\\d+),\\s+GID=(\\d+),\\s+home=(\\S+),\\s+shell=(\\S+)", + "rewrites": [ + {"set": "class_uid", "value": "3001"}, + {"set": "class_name", "value": "Account Change"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Create"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "useradd"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // New user + {"group": 1, "to": "user.name"}, + {"group": 2, "to": "user.uid"}, + {"group": 3, "to": "user.gid"}, + {"group": 4, "to": "user.home"}, + {"group": 5, "to": "user.shell"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // User modification (usermod) + { + "pattern": "usermod\\[\\d+\\]:\\s+add\\s+'(\\S+)'\\s+to\\s+group\\s+'(\\S+)'", + "rewrites": [ + {"set": "class_uid", "value": "3004"}, + {"set": "class_name", "value": "Group Membership"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Add"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "usermod"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // User and group + {"group": 1, "to": "user.name"}, + {"group": 2, "to": "group.name"}, + + // Severity for privileged groups + {"set": "severity_id", "value": "4", "if": "wheel|sudo|root|admin"}, + {"set": "severity", "value": "High", "if": "wheel|sudo|root|admin"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // UFW firewall block + { + "pattern": "kernel:\\s+\\[UFW BLOCK\\]\\s+IN=(\\S*)\\s+OUT=(\\S*).*SRC=([\\d.]+)\\s+DST=([\\d.]+).*PROTO=(\\w+)\\s+SPT=(\\d+)\\s+DPT=(\\d+)", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Deny"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "UFW"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Interfaces + {"group": 1, "to": "src_endpoint.interface_name"}, + {"group": 2, "to": "dst_endpoint.interface_name"}, + + // Endpoints + {"group": 3, "to": "src_endpoint.ip"}, + {"group": 4, "to": "dst_endpoint.ip"}, + {"group": 6, "to": "src_endpoint.port"}, + {"group": 7, "to": "dst_endpoint.port"}, + + // Protocol + {"group": 5, "to": "connection_info.protocol_name"}, + + // Status + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"} + ] + }, + + // Audit EXECVE (command execution) + { + "pattern": "auditd\\[\\d+\\]:\\s+EXECVE\\s+argc=(\\d+)\\s+(.+)$", + "rewrites": [ + {"set": "class_uid", "value": "1007"}, + {"set": "class_name", "value": "Process Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Launch"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "auditd"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Arguments + {"group": 1, "to": "process.argc"}, + {"group": 2, "to": "process.cmd_line", "transform": "parseAuditArgs"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Systemd service start + { + "pattern": "systemd\\[1\\]:\\s+Started\\s+(.+?)(?:\\s+-\\s+(.+))?\\.?$", + "rewrites": [ + {"set": "class_uid", "value": "1006"}, + {"set": "class_name", "value": "Service Activity"}, + {"set": "category_uid", "value": "1"}, + {"set": "category_name", "value": "System Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Start"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "systemd"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Service + {"group": 1, "to": "service.name"}, + {"group": 2, "to": "service.desc"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Cron job execution + { + "pattern": "cron\\[\\d+\\]:\\s+\\((\\S+)\\)\\s+CMD\\s+\\((.+)\\)$", + "rewrites": [ + {"set": "class_uid", "value": "1007"}, + {"set": "class_name", "value": "Process Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Launch"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "cron"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // User + {"group": 1, "to": "actor.user.name"}, + + // Command + {"group": 2, "to": "process.cmd_line"}, + + // Scheduled task indicator + {"set": "is_scheduled", "value": "true"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Password change + { + "pattern": "passwd\\[\\d+\\]:\\s+password changed for\\s+(\\S+)\\s+by\\s+(\\S+)", + "rewrites": [ + {"set": "class_uid", "value": "3001"}, + {"set": "class_name", "value": "Account Change"}, + {"set": "activity_id", "value": "3"}, + {"set": "activity_name", "value": "Password Change"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "passwd"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Target user + {"group": 1, "to": "user.name"}, + + // Actor + {"group": 2, "to": "actor.user.name"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // SSH disconnect + { + "pattern": "sshd\\[\\d+\\]:\\s+Received disconnect from\\s+([\\d.]+)\\s+port\\s+(\\d+):(\\d+):\\s+(.+)$", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Logoff"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "OpenSSH"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Source + {"group": 1, "to": "src_endpoint.ip"}, + {"group": 2, "to": "src_endpoint.port"}, + + // Disconnect code and reason + {"group": 3, "to": "status_code"}, + {"group": 4, "to": "status_detail"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + } + ], + + "transforms": { + "parseAuditArgs": { + "description": "Parse audit EXECVE arguments a0=\"/bin/bash\" a1=\"-c\" to command line", + "regex": "a\\d+=\"([^\"]+)\"", + "join": " " + } + } +} diff --git a/parsers/ocsf-mitre-attack b/parsers/ocsf-mitre-attack new file mode 100644 index 0000000..a007a9a --- /dev/null +++ b/parsers/ocsf-mitre-attack @@ -0,0 +1 @@ +{"name": "OCSF MITRE Coverage", "graphs": [{"label": "T1110-Brute Force", "filter": "message contains \"Failed\"", "function": "count", "graphType": "value"}, {"label": "T1046-Scanning", "filter": "action=\"deny\"", "function": "count", "graphType": "value"}, {"label": "T1059-Command Exec", "filter": "message contains \"bash\"", "function": "count", "graphType": "value"}, {"label": "T1078-Valid Accounts", "filter": "user_name=\"root\"", "function": "count", "graphType": "value"}, {"label": "T1548-Priv Esc", "filter": "message contains \"sudo\"", "function": "count", "graphType": "value"}, {"label": "Top IPs", "facet": "src_ip", "filter": "src_ip is not null", "graphType": "topValuesTable", "limit": 10}]} \ No newline at end of file diff --git a/parsers/ocsf-mitre-coverage b/parsers/ocsf-mitre-coverage new file mode 100644 index 0000000..8dd7477 --- /dev/null +++ b/parsers/ocsf-mitre-coverage @@ -0,0 +1,160 @@ +{ + "duration": "24h", + "description": "MITRE ATT&CK technique coverage from OCSF detections", + "graphs": [ + { + "title": "MITRE ATT&CK Coverage", + "graphStyle": "markdown", + "markdown": "## MITRE ATT&CK Technique Counters\nEach panel shows the count of events matching a specific MITRE technique pattern.\n\n| Technique | Description |\n|---|---|\n| T1110 | Brute Force |\n| T1046 | Network Service Scanning |\n| T1059 | Command and Scripting Interpreter |\n| T1078 | Valid Accounts |\n| T1098 | Account Manipulation |\n| T1548 | Abuse Elevation Control Mechanism |", + "layout": { + "w": 60, + "h": 10, + "x": 0, + "y": 0 + } + }, + { + "title": "T1110 - Brute Force", + "graphStyle": "number", + "query": "message contains 'Failed password' or message contains 'authentication failure' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 0, + "y": 10 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1046 - Network Scanning", + "graphStyle": "number", + "query": "action = 'deny' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 15, + "y": 10 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1059 - Command Execution", + "graphStyle": "number", + "query": "message contains 'bash -c' or message contains 'python -c' or message contains 'powershell -enc' or message contains 'cmd.exe /c' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 30, + "y": 10 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1078 - Valid Accounts", + "graphStyle": "number", + "query": "user_name = 'root' or user_name = 'Administrator' or user_name = 'admin' or user_name = 'SYSTEM' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 45, + "y": 10 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1098 - Account Manipulation", + "graphStyle": "number", + "query": "message contains 'useradd' or message contains 'usermod' or message contains 'GRANT' or message contains 'Add member' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 0, + "y": 17 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1548 - Privilege Escalation", + "graphStyle": "number", + "query": "message contains 'sudo' or message contains 'NOT in sudoers' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 15, + "y": 17 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1021 - Remote Services", + "graphStyle": "number", + "query": "(dstport = 22 or dstport = 3389 or dstport = 5985) action = 'allow' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 30, + "y": 17 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1136 - Create Account", + "graphStyle": "number", + "query": "message contains 'useradd' or message contains 'new user' or message contains 'CREATE USER' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 45, + "y": 17 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "Detections Over Time", + "graphStyle": "stacked_bar", + "xAxis": "time", + "query": "serverHost contains 'ocsf' | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp", + "layout": { + "w": 40, + "h": 14, + "x": 0, + "y": 24 + } + }, + { + "title": "Top Attacker IPs", + "graphStyle": "table", + "query": "src_ip = * (message contains 'Failed' or message contains 'deny' or action = 'deny') | group hits=count() by src_ip | sort -hits | limit 10", + "layout": { + "w": 20, + "h": 14, + "x": 40, + "y": 24 + } + } + ] +} \ No newline at end of file diff --git a/parsers/ocsf-mitre-coverage-v2 b/parsers/ocsf-mitre-coverage-v2 new file mode 100644 index 0000000..bed2681 --- /dev/null +++ b/parsers/ocsf-mitre-coverage-v2 @@ -0,0 +1,160 @@ +{ + "duration": "24h", + "description": "MITRE ATT&CK technique coverage from OCSF detections", + "graphs": [ + { + "title": "MITRE ATT&CK Coverage", + "graphStyle": "markdown", + "markdown": "## MITRE ATT&CK Technique Counters\\n\\nEach panel shows the count of events matching a specific MITRE technique pattern.\\n\\n| Technique | Description | Detection Pattern |\\n|---|---|---|\\n| T1110 | Brute Force | Failed password attempts |\\n| T1046 | Network Scanning | Firewall denies to multiple ports |\\n| T1059 | Command Execution | bash -c, powershell -enc |\\n| T1078 | Valid Accounts | root/admin/SYSTEM usage |\\n| T1098 | Account Manipulation | useradd, GRANT |\\n| T1548 | Privilege Escalation | sudo, NOT in sudoers |", + "layout": { + "w": 60, + "h": 12, + "x": 0, + "y": 0 + } + }, + { + "title": "T1110 - Brute Force", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (message contains 'Failed password' or message contains 'authentication failure') | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 0, + "y": 12 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1046 - Network Scanning", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' action = 'deny' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 15, + "y": 12 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1059 - Command Execution", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (message contains 'bash -c' or message contains 'python -c' or message contains 'powershell -enc' or message contains 'cmd.exe /c') | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 30, + "y": 12 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1078 - Valid Accounts", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (user_name = 'root' or user_name = 'Administrator' or user_name = 'admin' or user_name = 'SYSTEM') | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 45, + "y": 12 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1098 - Account Manipulation", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (message contains 'useradd' or message contains 'usermod' or message contains 'GRANT' or message contains 'Add member') | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 0, + "y": 19 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1548 - Privilege Escalation", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (message contains 'sudo' or message contains 'NOT in sudoers') | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 15, + "y": 19 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1021 - Remote Services", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (dstport = 22 or dstport = 3389 or dstport = 5985) action = 'allow' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 30, + "y": 19 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1136 - Create Account", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (message contains 'useradd' or message contains 'new user' or message contains 'CREATE USER') | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 45, + "y": 19 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "Detections Over Time", + "graphStyle": "stacked_bar", + "xAxis": "time", + "query": "serverHost contains 'ocsf' | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp", + "layout": { + "w": 40, + "h": 14, + "x": 0, + "y": 26 + } + }, + { + "title": "Top Attacker IPs", + "graphStyle": "table", + "query": "src_ip = * serverHost contains 'ocsf' (message contains 'Failed' or message contains 'deny' or action = 'deny') | group hits=count() by src_ip | sort -hits | limit 10", + "layout": { + "w": 20, + "h": 14, + "x": 40, + "y": 26 + } + } + ] +} \ No newline at end of file diff --git a/parsers/ocsf-ms-dhcp b/parsers/ocsf-ms-dhcp new file mode 100644 index 0000000..cadc65f --- /dev/null +++ b/parsers/ocsf-ms-dhcp @@ -0,0 +1,163 @@ +// SentinelOne AI SIEM Parser: Microsoft DHCP Server +// OCSF Schema Version: 1.1.0 +// Maps Microsoft DHCP CSV logs to OCSF classes +// Primary Class: DHCP Activity (4004) + +{ + "parserName": "MicrosoftDHCP-OCSF", + "version": "1.0.0", + "vendor": "Microsoft", + "product": "DHCP Server", + "format": "csv", + "hasHeader": true, + + "patterns": [ + // DHCP Lease events (Assign, Renew, Release) + { + "pattern": "^(10|11|12|17|20),", + "rewrites": [ + {"set": "class_uid", "value": "4004"}, + {"set": "class_name", "value": "DHCP Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft DHCP"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + {"csv": "TransactionID", "to": "metadata.uid"}, + {"csv": "CorrelationID", "to": "metadata.correlation_uid"}, + + // Time + {"concat": ["$Date", " ", "$Time"], "to": "time"}, + + // Event ID mapping + {"csv": "ID", "to": "event_id"}, + {"lookup": "event_id", "map": { + "10": 1, "11": 2, "12": 3, "13": 4, "14": 5, + "15": 6, "16": 7, "17": 8, "20": 9 + }, "to": "activity_id"}, + {"lookup": "event_id", "map": { + "10": "Assign", "11": "Renew", "12": "Release", + "13": "DNS Update Request", "14": "DNS Update Successful", + "15": "NACK", "16": "Decline", "17": "Expired", "20": "BOOTP Assign" + }, "to": "activity_name"}, + + // Description + {"csv": "Description", "to": "message"}, + + // Lease info + {"csv": "IP Address", "to": "lease.ip"}, + {"csv": "Host Name", "to": "lease.hostname"}, + {"csv": "MAC Address", "to": "lease.mac"}, + + // Device + {"csv": "IP Address", "to": "device.ip"}, + {"csv": "Host Name", "to": "device.hostname"}, + {"csv": "MAC Address", "to": "device.mac"}, + + // User (if available) + {"csv": "User Name", "to": "user.name"}, + + // DHCP identifiers + {"csv": "Dhcid", "to": "dhcp.client_id"}, + {"csv": "VendorClass(ASCII)", "to": "dhcp.vendor_class"}, + {"csv": "UserClass(ASCII)", "to": "dhcp.user_class"}, + {"csv": "RelayAgentInformation", "to": "dhcp.relay_agent"}, + + // Status based on event + {"set": "status_id", "value": "1", "if": "ID:(10|11|13|14|20)"}, + {"set": "status", "value": "Success", "if": "ID:(10|11|13|14|20)"}, + {"set": "status_id", "value": "2", "if": "ID:(15|16|30)"}, + {"set": "status", "value": "Failure", "if": "ID:(15|16|30)"} + ] + }, + + // DNS Update events + { + "pattern": "^(13|14|30|31),", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "DNS Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft DHCP"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + // Time + {"concat": ["$Date", " ", "$Time"], "to": "time"}, + + // Activity + {"csv": "ID", "to": "event_id"}, + {"lookup": "event_id", "map": { + "13": 1, "14": 1, "30": 2, "31": 1 + }, "to": "activity_id"}, + {"lookup": "event_id", "map": { + "13": "DNS Update Request", "14": "DNS Update Successful", + "30": "DNS Update Failed", "31": "DNS Update Request" + }, "to": "activity_name"}, + + // DNS info + {"csv": "Host Name", "to": "query_info.hostname"}, + {"csv": "IP Address", "to": "answers.rdata"}, + + // Status + {"csv": "DnsRegError", "to": "status_code"}, + {"set": "status_id", "value": "1", "if": "DnsRegError:0"}, + {"set": "status", "value": "Success", "if": "DnsRegError:0"}, + {"set": "status_id", "value": "2", "if": "DnsRegError:[^0]"}, + {"set": "status", "value": "Failure", "if": "DnsRegError:[^0]"} + ] + }, + + // NACK/Decline/Expired (potential issues) + { + "pattern": "^(15|16|17|32),", + "rewrites": [ + {"set": "class_uid", "value": "4004"}, + {"set": "class_name", "value": "DHCP Activity"}, + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft DHCP"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + // Time + {"concat": ["$Date", " ", "$Time"], "to": "time"}, + + // Event + {"csv": "ID", "to": "event_id"}, + {"lookup": "event_id", "map": { + "15": "NACK", "16": "Decline", "17": "Expired", "32": "Deleted" + }, "to": "activity_name"}, + + // Device + {"csv": "IP Address", "to": "device.ip"}, + {"csv": "Host Name", "to": "device.hostname"}, + {"csv": "MAC Address", "to": "device.mac"}, + + // Severity for issues + {"set": "severity_id", "value": "2"}, + {"set": "severity", "value": "Low"} + ] + } + ], + + "event_id_reference": { + "10": "New IP address leased to client", + "11": "Lease renewed by client", + "12": "Lease released by client", + "13": "DNS update request sent", + "14": "DNS update successful", + "15": "DHCP NACK sent to client", + "16": "DHCP Decline from client", + "17": "Lease expired and deleted", + "20": "BOOTP address leased to client", + "30": "DNS update failed", + "31": "DNS update request sent", + "32": "Lease deleted by administrator" + } +} diff --git a/parsers/ocsf-ms-dns b/parsers/ocsf-ms-dns new file mode 100644 index 0000000..ed78e7a --- /dev/null +++ b/parsers/ocsf-ms-dns @@ -0,0 +1,113 @@ +// SentinelOne AI SIEM Parser: Microsoft DNS Debug Log +// OCSF Schema Version: 1.1.0 +// Maps Microsoft DNS debug logs to OCSF classes +// Primary Class: DNS Activity (4003) + +{ + "parserName": "MicrosoftDNS-OCSF", + "version": "1.0.0", + "vendor": "Microsoft", + "product": "DNS Server", + "format": "regex", + + "patterns": [ + // DNS Query/Response + { + "pattern": "^(\\d+/\\d+/\\d+)\\s+(\\d+:\\d+:\\d+\\s+[AP]M)\\s+(\\w+)\\s+PACKET\\s+(\\w+)\\s+(UDP|TCP)\\s+(Rcv|Snd)\\s+([\\d.]+)\\s+(\\w+)\\s+([RQ\\s]+)\\s+\\[([^\\]]+)\\]\\s+(\\w+)\\s+(.+)$", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "DNS Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + // Activity based on direction + {"group": 6, "to": "direction"}, + {"lookup": "direction", "map": {"Rcv": 1, "Snd": 2}, "to": "activity_id"}, + {"lookup": "direction", "map": {"Rcv": "Query", "Snd": "Response"}, "to": "activity_name"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft DNS"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + {"group": 3, "to": "metadata.uid"}, + {"group": 4, "to": "metadata.log_name"}, + + // Time + {"concat": ["$1", " ", "$2"], "to": "time"}, + + // Protocol + {"group": 5, "to": "connection_info.protocol_name"}, + + // Client IP + {"group": 7, "to": "src_endpoint.ip"}, + + // Transaction ID + {"group": 8, "to": "query_info.uid"}, + + // Flags + {"group": 9, "to": "query_info.flags"}, + {"group": 10, "to": "rcode_name"}, + + // Query type + {"group": 11, "to": "query_info.type"}, + + // Query name (decode DNS format) + {"group": 12, "to": "query_info.hostname", "transform": "decodeDnsName"}, + + // Response code mapping + {"lookup": "rcode_name", "map": { + "NOERROR": 0, "FORMERR": 1, "SERVFAIL": 2, "NXDOMAIN": 3, + "NOTIMP": 4, "REFUSED": 5, "YXDOMAIN": 6, "YXRRSET": 7 + }, "to": "rcode_id"}, + + // Status based on response code + {"set": "status_id", "value": "1", "if": "NOERROR"}, + {"set": "status", "value": "Success", "if": "NOERROR"}, + {"set": "status_id", "value": "2", "if": "REFUSED|NXDOMAIN|SERVFAIL"}, + {"set": "status", "value": "Failure", "if": "REFUSED|NXDOMAIN|SERVFAIL"}, + + // Observables + {"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$7"}}, + {"array": "observables", "append": {"type": "Hostname", "type_id": 1, "value": "$query_info.hostname"}} + ] + } + ], + + "transforms": { + "decodeDnsName": { + "description": "Converts DNS wire format (4)mail(4)corp(5)local(0) to mail.corp.local", + "regex": "\\((\\d+)\\)([^(]+)", + "replace": "$2.", + "trim": "." + } + }, + + "query_type_mappings": { + "A": {"id": 1, "name": "A (IPv4 Address)"}, + "AAAA": {"id": 28, "name": "AAAA (IPv6 Address)"}, + "MX": {"id": 15, "name": "MX (Mail Exchange)"}, + "TXT": {"id": 16, "name": "TXT (Text)"}, + "CNAME": {"id": 5, "name": "CNAME (Canonical Name)"}, + "NS": {"id": 2, "name": "NS (Name Server)"}, + "SOA": {"id": 6, "name": "SOA (Start of Authority)"}, + "PTR": {"id": 12, "name": "PTR (Pointer)"}, + "SRV": {"id": 33, "name": "SRV (Service)"}, + "AXFR": {"id": 252, "name": "AXFR (Zone Transfer)"}, + "ANY": {"id": 255, "name": "ANY (All Records)"} + }, + + "security_indicators": { + "zone_transfer": { + "condition": "query_info.type == 'AXFR'", + "severity_id": 4, + "severity": "High", + "finding_info.title": "DNS Zone Transfer Attempt" + }, + "any_query": { + "condition": "query_info.type == 'ANY'", + "severity_id": 3, + "severity": "Medium", + "finding_info.title": "DNS ANY Query (Potential Amplification)" + } + } +} diff --git a/parsers/ocsf-oracle-rdbms b/parsers/ocsf-oracle-rdbms new file mode 100644 index 0000000..159c232 --- /dev/null +++ b/parsers/ocsf-oracle-rdbms @@ -0,0 +1,184 @@ +// SentinelOne AI SIEM Parser: Oracle RDBMS Audit Record +// OCSF Schema Version: 1.1.0 +// Maps Oracle Database audit trail to OCSF classes +// Primary Classes: Database Activity (4003), Authentication (3002), Authorization (3003) + +{ + "parserName": "OracleRDBMS-OCSF", + "version": "1.0.0", + "vendor": "Oracle", + "product": "Oracle Database", + "format": "kv", + "delimiter": " ", + "kvSeparator": ":", + + "patterns": [ + // Logon events + { + "pattern": "ACTION_NAME:\\s*LOGON", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "type_uid", "value": "300201"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Oracle Database"}, + {"set": "metadata.product.vendor_name", "value": "Oracle"}, + {"regex": "DBID:\\s*(\\d+)", "group": 1, "to": "metadata.product.uid"}, + {"regex": "INSTANCE_NUMBER:\\s*(\\d+)", "group": 1, "to": "metadata.product.feature.uid"}, + + // Time + {"regex": "TIMESTAMP:\\s*([\\d-]+\\s[\\d:.]+\\s\\w+)", "group": 1, "to": "time"}, + + // User + {"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "user.name"}, + {"regex": "OS_USERNAME:\\s*(\\S+)", "group": 1, "to": "actor.user.name"}, + {"regex": "CLIENT_ID:\\s*(\\S+)", "group": 1, "to": "user.credential_uid"}, + + // Session + {"regex": "SESSIONID:\\s*(\\d+)", "group": 1, "to": "session.uid"}, + + // Source + {"regex": "USERHOST:\\s*(\\S+)", "group": 1, "to": "src_endpoint.name"}, + {"regex": "TERMINAL:\\s*(\\S+)", "group": 1, "to": "src_endpoint.interface_name"}, + {"regex": "OS_PROCESS:\\s*(\\d+)", "group": 1, "to": "actor.process.pid"}, + + // Auth details + {"regex": "AUTHENTICATION_TYPE:\\s*(\\S+)", "group": 1, "to": "auth_protocol"}, + {"regex": "PRIV_USED:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "user.privileges"}, + + // Status + {"regex": "RETURNCODE:\\s*(\\d+)", "group": 1, "to": "status_code"}, + {"set": "status_id", "value": "1", "if": "RETURNCODE: 0"}, + {"set": "status", "value": "Success", "if": "RETURNCODE: 0"}, + {"set": "status_id", "value": "2", "if": "RETURNCODE: [^0]"}, + {"set": "status", "value": "Failure", "if": "RETURNCODE: [^0]"}, + + // Comment + {"regex": "COMMENT_TEXT:\\s*(.+?)$", "group": 1, "to": "message"} + ] + }, + + // SELECT/Query events + { + "pattern": "ACTION_NAME:\\s*SELECT", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "Database Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Query"}, + {"set": "type_uid", "value": "400301"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Oracle Database"}, + {"set": "metadata.product.vendor_name", "value": "Oracle"}, + + // User + {"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "actor.user.name"}, + {"regex": "SESSIONID:\\s*(\\d+)", "group": 1, "to": "actor.session.uid"}, + + // Database object + {"regex": "OBJ_CREATOR:\\s*(\\S+)", "group": 1, "to": "database.schema"}, + {"regex": "OBJ_NAME:\\s*(\\S+)", "group": 1, "to": "database.table"}, + + // Query + {"regex": "SQL_TEXT:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "query_info.query_string"}, + {"set": "query_info.query_type", "value": "SELECT"}, + + // Source + {"regex": "USERHOST:\\s*(\\S+)", "group": 1, "to": "src_endpoint.name"}, + + // Privileges + {"regex": "PRIV_USED:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "actor.user.privileges"} + ] + }, + + // INSERT/UPDATE/DELETE events + { + "pattern": "ACTION_NAME:\\s*(INSERT|UPDATE|DELETE)", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "Database Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + {"lookup": "ACTION_NAME", "map": {"INSERT": 2, "UPDATE": 3, "DELETE": 4}, "to": "activity_id"}, + {"lookup": "ACTION_NAME", "map": {"INSERT": "Insert", "UPDATE": "Update", "DELETE": "Delete"}, "to": "activity_name"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Oracle Database"}, + {"set": "metadata.product.vendor_name", "value": "Oracle"}, + + // User + {"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "actor.user.name"}, + {"regex": "SESSIONID:\\s*(\\d+)", "group": 1, "to": "actor.session.uid"}, + + // Database object + {"regex": "OBJ_CREATOR:\\s*(\\S+)", "group": 1, "to": "database.schema"}, + {"regex": "OBJ_NAME:\\s*(\\S+)", "group": 1, "to": "database.table"}, + + // Query + {"regex": "SQL_TEXT:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "query_info.query_string"}, + + // Source + {"regex": "USERHOST:\\s*(\\S+)", "group": 1, "to": "src_endpoint.name"}, + + // Severity for data modification + {"set": "severity_id", "value": "2"}, + {"set": "severity", "value": "Low"} + ] + }, + + // GRANT/REVOKE events + { + "pattern": "ACTION_NAME:\\s*(GRANT|REVOKE)", + "rewrites": [ + {"set": "class_uid", "value": "3003"}, + {"set": "class_name", "value": "Authorization"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + + {"lookup": "ACTION_NAME", "map": {"GRANT": 1, "REVOKE": 2}, "to": "activity_id"}, + {"lookup": "ACTION_NAME", "map": {"GRANT": "Grant", "REVOKE": "Revoke"}, "to": "activity_name"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Oracle Database"}, + {"set": "metadata.product.vendor_name", "value": "Oracle"}, + + // Actor (who granted) + {"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "actor.user.name"}, + + // Target (who received) + {"regex": "GRANTEE:\\s*(\\S+)", "group": 1, "to": "user.name"}, + + // Privilege/Role + {"regex": "OBJ_NAME:\\s*(\\S+)", "group": 1, "to": "privileges"}, + {"regex": "SQL_TEXT:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "message"}, + + // Severity for privilege changes + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"} + ] + } + ], + + "action_mappings": { + "100": {"name": "LOGON", "class": "Authentication", "activity": "Logon"}, + "101": {"name": "LOGOFF", "class": "Authentication", "activity": "Logoff"}, + "103": {"name": "SELECT", "class": "Database Activity", "activity": "Query"}, + "2": {"name": "INSERT", "class": "Database Activity", "activity": "Insert"}, + "6": {"name": "UPDATE", "class": "Database Activity", "activity": "Update"}, + "7": {"name": "DELETE", "class": "Database Activity", "activity": "Delete"}, + "108": {"name": "GRANT", "class": "Authorization", "activity": "Grant"}, + "109": {"name": "REVOKE", "class": "Authorization", "activity": "Revoke"}, + "1": {"name": "CREATE TABLE", "class": "Database Activity", "activity": "Create"}, + "12": {"name": "DROP TABLE", "class": "Database Activity", "activity": "Delete"} + } +} diff --git a/parsers/ocsf-paloalto b/parsers/ocsf-paloalto new file mode 100644 index 0000000..b239acc --- /dev/null +++ b/parsers/ocsf-paloalto @@ -0,0 +1,158 @@ +// SentinelOne AI SIEM Parser: Palo Alto PA Series +// OCSF Schema Version: 1.1.0 +// Maps Palo Alto CSV logs to OCSF classes +// Primary Classes: Network Activity (4001), Detection Finding (2004), Security Finding (2001) + +{ + "parserName": "PaloAlto-OCSF", + "version": "1.0.0", + "vendor": "Palo Alto Networks", + "product": "PA Series Firewall", + "format": "csv", + + "patterns": [ + // TRAFFIC logs + { + "pattern": ",TRAFFIC,", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Palo Alto Firewall"}, + {"set": "metadata.product.vendor_name", "value": "Palo Alto Networks"}, + {"csv": 1, "to": "metadata.product.version"}, + {"csv": 2, "to": "device.uid"}, + {"csv": 6, "to": "time"}, + + // Source endpoint + {"csv": 7, "to": "src_endpoint.ip"}, + {"csv": 8, "to": "dst_endpoint.ip"}, + {"csv": 9, "to": "proxy.ip"}, + {"csv": 10, "to": "proxy.dst_ip"}, + {"csv": 24, "to": "src_endpoint.port"}, + {"csv": 25, "to": "dst_endpoint.port"}, + + // User + {"csv": 12, "to": "actor.user.name"}, + + // Application + {"csv": 14, "to": "app_name"}, + + // Zones + {"csv": 16, "to": "src_endpoint.zone"}, + {"csv": 17, "to": "dst_endpoint.zone"}, + + // Interfaces + {"csv": 18, "to": "src_endpoint.interface_name"}, + {"csv": 19, "to": "dst_endpoint.interface_name"}, + + // Session + {"csv": 22, "to": "connection_info.session.uid"}, + + // Protocol + {"csv": 29, "to": "connection_info.protocol_name"}, + + // Action + {"csv": 30, "to": "activity_name"}, + {"lookup": "activity_name", "map": {"allow": 1, "deny": 2, "drop": 5, "reset-both": 6}, "to": "activity_id"}, + + // Traffic stats + {"csv": 31, "to": "traffic.bytes"}, + {"csv": 32, "to": "traffic.bytes_out"}, + {"csv": 33, "to": "traffic.bytes_in"}, + {"csv": 34, "to": "traffic.packets"}, + + // Duration + {"csv": 36, "to": "connection_info.session.duration"}, + + // Policy + {"csv": 11, "to": "policy.name"}, + + // Status + {"set": "status_id", "value": "1", "if": "allow"}, + {"set": "status", "value": "Success", "if": "allow"} + ] + }, + + // THREAT logs (vulnerability, spyware, virus, wildfire) + { + "pattern": ",THREAT,", + "rewrites": [ + {"set": "class_uid", "value": "2004"}, + {"set": "class_name", "value": "Detection Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Palo Alto Threat Prevention"}, + {"set": "metadata.product.vendor_name", "value": "Palo Alto Networks"}, + {"csv": 2, "to": "device.uid"}, + {"csv": 6, "to": "time"}, + + // Threat subtype + {"csv": 4, "to": "finding_info.type_uid"}, + + // Endpoints + {"csv": 7, "to": "src_endpoint.ip"}, + {"csv": 8, "to": "dst_endpoint.ip"}, + {"csv": 24, "to": "src_endpoint.port"}, + {"csv": 25, "to": "dst_endpoint.port"}, + + // User + {"csv": 12, "to": "actor.user.name"}, + + // Threat info + {"csv": 31, "to": "finding_info.title"}, + {"csv": 32, "to": "finding_info.desc"}, + {"csv": 33, "to": "severity"}, + {"lookup": "severity", "map": {"critical": 5, "high": 4, "medium": 3, "low": 2, "informational": 1}, "to": "severity_id"}, + + // Direction + {"csv": 34, "to": "connection_info.direction"}, + + // Threat ID + {"csv": 35, "to": "finding_info.uid"}, + + // Action + {"csv": 30, "to": "activity_name"}, + {"lookup": "activity_name", "map": {"alert": 1, "block": 2, "drop": 2, "reset-both": 2, "reset-client": 2, "reset-server": 2}, "to": "activity_id"}, + + // File info (for wildfire) + {"csv": 42, "to": "file.name"}, + {"csv": 43, "to": "file.type_id"}, + {"csv": 46, "to": "file.hashes.sha256"}, + {"csv": 47, "to": "malware.classification.name"} + ] + }, + + // SYSTEM logs + { + "pattern": ",SYSTEM,", + "rewrites": [ + {"set": "class_uid", "value": "6002"}, + {"set": "class_name", "value": "API Activity"}, + {"set": "category_uid", "value": "6"}, + {"set": "category_name", "value": "Application Activity"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Palo Alto System"}, + {"set": "metadata.product.vendor_name", "value": "Palo Alto Networks"}, + {"csv": 2, "to": "device.uid"}, + {"csv": 6, "to": "time"}, + + // System event type + {"csv": 4, "to": "activity_name"}, + + // Severity + {"csv": 33, "to": "severity"}, + + // Message + {"csv": 31, "to": "message"} + ] + } + ] +} diff --git a/parsers/ocsf-qradar b/parsers/ocsf-qradar new file mode 100644 index 0000000..d6c5e35 --- /dev/null +++ b/parsers/ocsf-qradar @@ -0,0 +1,96 @@ +// SentinelOne AI SIEM Parser: IBM QRadar +// OCSF Schema Version: 1.1.0 +// Maps QRadar LEEF/JSON events to OCSF classes +// Primary Classes: Security Finding (2001), Authentication (3002), Network Activity (4001) + +{ + "parserName": "QRadar-OCSF", + "version": "1.0.0", + "vendor": "IBM", + "product": "QRadar", + "format": "json", + + "patterns": [ + { + "pattern": ".*", + "rewrites": [ + // OCSF Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "QRadar"}, + {"set": "metadata.product.vendor_name", "value": "IBM"}, + {"copy": "logSourceName", "to": "metadata.log_name"}, + {"copy": "logSourceTypeName", "to": "metadata.product.feature.name"}, + + // OCSF Classification + {"set": "class_uid", "value": "2001"}, // Security Finding + {"set": "class_name", "value": "Security Finding"}, + {"copy": "category", "to": "category_name"}, + {"set": "type_uid", "value": "200101"}, // Security Finding: Create + + // Time mapping + {"copy": "startTime", "to": "time"}, + {"parseTimestamp": "startTime", "format": "ISO8601", "to": "time_dt"}, + + // Severity mapping (QRadar 1-10 to OCSF 0-6) + {"copy": "severity", "to": "severity_id", "transform": "qradarSeverityToOCSF"}, + {"lookup": "severity_id", "map": {"1": "Informational", "2": "Low", "3": "Medium", "4": "High", "5": "Critical", "6": "Fatal"}, "to": "severity"}, + + // Actor/User mapping + {"copy": "username", "to": "actor.user.name"}, + {"copy": "domainName", "to": "actor.user.domain"}, + {"copy": "identityHostName", "to": "actor.user.credential_uid"}, + + // Source endpoint + {"copy": "sourceIP", "to": "src_endpoint.ip"}, + {"copy": "sourcePort", "to": "src_endpoint.port"}, + + // Destination endpoint + {"copy": "destinationIP", "to": "dst_endpoint.ip"}, + {"copy": "destinationPort", "to": "dst_endpoint.port"}, + + // Network connection + {"copy": "protocol", "to": "connection_info.protocol_name"}, + + // Finding details + {"copy": "qidName", "to": "finding_info.title"}, + {"copy": "eventName", "to": "finding_info.desc"}, + {"copy": "qid", "to": "finding_info.uid"}, + {"copy": "payload", "to": "finding_info.data_sources"}, + + // Risk scoring + {"copy": "magnitude", "to": "risk_score"}, + {"copy": "credibility", "to": "confidence_score"}, + {"copy": "relevance", "to": "impact_score"}, + + // Observables + {"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$sourceIP"}}, + {"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$destinationIP"}}, + {"array": "observables", "append": {"type": "User Name", "type_id": 4, "value": "$username"}, "if": "username"} + ] + } + ], + + "transforms": { + "qradarSeverityToOCSF": { + "1-2": 1, + "3-4": 2, + "5-6": 3, + "7-8": 4, + "9-10": 5 + } + }, + + "ocsf_mappings": { + "authentication_events": { + "condition": "category == 'Authentication'", + "class_uid": 3002, + "class_name": "Authentication", + "activity_id": {"success": 1, "failure": 2} + }, + "network_events": { + "condition": "protocol != ''", + "class_uid": 4001, + "class_name": "Network Activity" + } + } +} diff --git a/parsers/ocsf-security-overview b/parsers/ocsf-security-overview new file mode 100644 index 0000000..046739e --- /dev/null +++ b/parsers/ocsf-security-overview @@ -0,0 +1,84 @@ +{ + "duration": "24h", + "description": "Cross-source security posture from OCSF-normalized events", + "graphs": [ + { + "title": "Events by Source", + "graphStyle": "donut", + "maxPieSlices": 15, + "query": "serverHost = * | group count() by serverHost | sort -count | limit 15", + "layout": { + "w": 20, + "h": 14, + "x": 0, + "y": 0 + } + }, + { + "title": "Event Volume Over Time", + "graphStyle": "stacked_bar", + "xAxis": "time", + "query": "serverHost = * | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp", + "layout": { + "w": 40, + "h": 14, + "x": 20, + "y": 0 + } + }, + { + "title": "Top Source IPs", + "graphStyle": "table", + "query": "src_ip = * | group hits=count() by src_ip | sort -hits | limit 15", + "layout": { + "w": 20, + "h": 14, + "x": 0, + "y": 14 + } + }, + { + "title": "Top Active Users", + "graphStyle": "table", + "query": "user_name = * | group hits=count() by user_name | sort -hits | limit 15", + "layout": { + "w": 20, + "h": 14, + "x": 20, + "y": 14 + } + }, + { + "title": "Authentication Failures", + "graphStyle": "number", + "query": "message contains 'Failed password' or message contains 'authentication failure' | group count() | limit 1", + "layout": { + "w": 10, + "h": 7, + "x": 40, + "y": 14 + }, + "options": { + "format": "auto", + "precision": "0", + "suffix": " failures" + } + }, + { + "title": "Firewall Denies", + "graphStyle": "number", + "query": "action = 'deny' or action = 'block' or action = 'drop' | group count() | limit 1", + "layout": { + "w": 10, + "h": 7, + "x": 50, + "y": 14 + }, + "options": { + "format": "auto", + "precision": "0", + "suffix": " blocked" + } + } + ] +} \ No newline at end of file diff --git a/parsers/ocsf-security-overview-v2 b/parsers/ocsf-security-overview-v2 new file mode 100644 index 0000000..f3673a1 --- /dev/null +++ b/parsers/ocsf-security-overview-v2 @@ -0,0 +1,221 @@ +{ + "duration": "24h", + "description": "Cross-source security posture from OCSF-normalized events", + "parameters": [ + { + "name": "source", + "values": [ + { + "label": "All Sources", + "value": "*" + }, + { + "label": "Linux", + "value": "linux-ocsf" + }, + { + "label": "FortiGate", + "value": "fortigate-ocsf" + }, + { + "label": "CheckPoint", + "value": "checkpoint-ocsf" + }, + { + "label": "Palo Alto", + "value": "paloalto-ocsf" + }, + { + "label": "Windows", + "value": "windows-ocsf" + } + ], + "defaultValue": "*" + } + ], + "graphs": [ + { + "title": "Dashboard Overview", + "graphStyle": "markdown", + "markdown": "## OCSF Security Overview\\n\\nCross-source security posture from **OCSF v1.3.0** normalized events.\\n\\n| Metric | Description |\\n|--------|-------------|\\n| **Sources** | All serverHost containing 'ocsf' |\\n| **Time Range** | Last 24 hours |\\n| **Refresh** | Auto (5 min) |\\n\\nUse the **source** dropdown above to filter by specific data source.", + "layout": { + "w": 60, + "h": 8, + "x": 0, + "y": 0 + } + }, + { + "title": "Event Count by OCSF Source", + "graphStyle": "donut", + "maxPieSlices": 12, + "dataLabelType": "PERCENTAGE", + "query": "serverHost contains 'ocsf' | group count() by serverHost | sort -count | limit 12", + "layout": { + "w": 20, + "h": 14, + "x": 0, + "y": 8 + } + }, + { + "title": "Event Volume Over Time (24h)", + "graphStyle": "stacked_bar", + "xAxis": "time", + "query": "serverHost contains 'ocsf' | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp", + "layout": { + "w": 40, + "h": 14, + "x": 20, + "y": 8 + } + }, + { + "title": "Unique Source IPs", + "graphStyle": "number", + "query": "src_ip = * serverHost contains 'ocsf' | group estimate_distinct(src_ip) | limit 1", + "layout": { + "w": 12, + "h": 7, + "x": 0, + "y": 22 + }, + "options": { + "format": "auto", + "precision": "0", + "suffix": " IPs" + } + }, + { + "title": "Unique Users", + "graphStyle": "number", + "query": "user_name = * serverHost contains 'ocsf' | group estimate_distinct(user_name) | limit 1", + "layout": { + "w": 12, + "h": 7, + "x": 12, + "y": 22 + }, + "options": { + "format": "auto", + "precision": "0", + "suffix": " users" + } + }, + { + "title": "Unique Destinations", + "graphStyle": "number", + "query": "dst_ip = * serverHost contains 'ocsf' | group estimate_distinct(dst_ip) | limit 1", + "layout": { + "w": 12, + "h": 7, + "x": 24, + "y": 22 + }, + "options": { + "format": "auto", + "precision": "0", + "suffix": " IPs" + } + }, + { + "title": "Total Events", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' | group count() | limit 1", + "layout": { + "w": 12, + "h": 7, + "x": 36, + "y": 22 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "Auth Failure Events (24h)", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (message contains 'Failed password' or message contains 'authentication failure' or status = 'failure') | group count() | limit 1", + "layout": { + "w": 12, + "h": 7, + "x": 48, + "y": 22 + }, + "options": { + "format": "auto", + "precision": "0", + "suffix": " failures" + } + }, + { + "title": "Top Source IPs (24h)", + "graphStyle": "table", + "query": "src_ip = * serverHost contains 'ocsf' | group hits=count() by src_ip | sort -hits | limit 15", + "layout": { + "w": 20, + "h": 14, + "x": 0, + "y": 29 + } + }, + { + "title": "Top Active Users (24h)", + "graphStyle": "table", + "query": "user_name = * serverHost contains 'ocsf' | group hits=count() by user_name | sort -hits | limit 15", + "layout": { + "w": 20, + "h": 14, + "x": 20, + "y": 29 + } + }, + { + "title": "External Connections (non-RFC1918)", + "graphStyle": "table", + "query": "dst_ip = * serverHost contains 'ocsf' | let is_external = not net_rfc1918(dst_ip) | filter is_external = true | group hits=count() by dst_ip | sort -hits | limit 15", + "layout": { + "w": 20, + "h": 14, + "x": 40, + "y": 29 + } + }, + { + "title": "Events by Severity", + "graphStyle": "donut", + "maxPieSlices": 5, + "query": "severity_id = * serverHost contains 'ocsf' | group count() by severity_id | sort -count | limit 5", + "layout": { + "w": 15, + "h": 12, + "x": 0, + "y": 43 + } + }, + { + "title": "Events by Action", + "graphStyle": "donut", + "maxPieSlices": 6, + "query": "action = * serverHost contains 'ocsf' | group count() by action | sort -count | limit 6", + "layout": { + "w": 15, + "h": 12, + "x": 15, + "y": 43 + } + }, + { + "title": "Firewall Blocks (24h)", + "graphStyle": "table", + "query": "serverHost contains 'ocsf' (action = 'deny' or action = 'block' or action = 'drop') | group hits=count() by serverHost, src_ip, dst_ip | sort -hits | limit 20", + "layout": { + "w": 30, + "h": 12, + "x": 30, + "y": 43 + } + } + ] +} \ No newline at end of file diff --git a/parsers/ocsf-sim-generic b/parsers/ocsf-sim-generic new file mode 100644 index 0000000..74f7b53 --- /dev/null +++ b/parsers/ocsf-sim-generic @@ -0,0 +1,184 @@ +// SentinelOne AI SIEM Parser: SIM Generic Log DSM +// OCSF Schema Version: 1.1.0 +// Maps generic syslog-style logs to OCSF classes +// Primary Classes: Base Event (0), Application Activity (6001) + +{ + "parserName": "SIMGeneric-OCSF", + "version": "1.0.0", + "vendor": "Generic", + "product": "SIM Generic Log", + "format": "syslog", + + "patterns": [ + // Generic syslog with key=value pairs + { + "pattern": "^(\\w+\\s+\\d+\\s+[\\d:]+)\\s+(\\S+)\\s+(\\S+)\\[(\\d+)\\]:\\s+(\\w+)\\s+(.*)$", + "rewrites": [ + {"set": "class_uid", "value": "6001"}, + {"set": "class_name", "value": "Application Activity"}, + {"set": "category_uid", "value": "6"}, + {"set": "category_name", "value": "Application Activity"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Generic Application"}, + {"set": "metadata.product.vendor_name", "value": "Unknown"}, + {"group": 2, "to": "device.hostname"}, + {"group": 3, "to": "app_name"}, + {"group": 4, "to": "actor.process.pid"}, + + // Time + {"group": 1, "to": "time", "transform": "syslogTimestamp"}, + + // Severity from log level + {"group": 5, "to": "severity"}, + {"lookup": "severity", "map": { + "CRITICAL": 5, "FATAL": 6, "ERROR": 4, "WARNING": 3, "WARN": 3, + "INFO": 1, "DEBUG": 0, "TRACE": 0 + }, "to": "severity_id"}, + + // Message + {"group": 6, "to": "message"}, + + // Extract key=value pairs from message + {"kvExtract": "$6", "to": "unmapped"} + ] + }, + + // Authentication events + { + "pattern": "(login|logon|auth|authentication)", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + + // Extract user + {"regex": "user[=:]\\s*(\\S+)", "group": 1, "to": "user.name"}, + + // Extract source IP + {"regex": "(?:src_ip|ip|from)[=:]\\s*([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // Extract session + {"regex": "session[_id]*[=:]\\s*(\\S+)", "group": 1, "to": "session.uid"}, + + // Determine success/failure + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "status_id", "value": "1", "if": "success|successful|accepted"}, + {"set": "status", "value": "Success", "if": "success|successful|accepted"}, + {"set": "status_id", "value": "2", "if": "fail|failed|denied|invalid"}, + {"set": "status", "value": "Failure", "if": "fail|failed|denied|invalid"} + ] + }, + + // File operations + { + "pattern": "(file|upload|download)", + "rewrites": [ + {"set": "class_uid", "value": "1001"}, + {"set": "class_name", "value": "File Activity"}, + + // Extract filename + {"regex": "filename[=:]\\s*(\\S+)", "group": 1, "to": "file.name"}, + + // Extract size + {"regex": "size[_bytes]*[=:]\\s*(\\d+)", "group": 1, "to": "file.size"}, + + // Extract user + {"regex": "user[=:]\\s*(\\S+)", "group": 1, "to": "actor.user.name"}, + + // Extract destination + {"regex": "destination[=:]\\s*(\\S+)", "group": 1, "to": "file.path"}, + + // Activity + {"set": "activity_id", "value": "2", "if": "upload"}, + {"set": "activity_name", "value": "Upload", "if": "upload"}, + {"set": "activity_id", "value": "3", "if": "download"}, + {"set": "activity_name", "value": "Download", "if": "download"} + ] + }, + + // Security alerts + { + "pattern": "(security|alert|attack|injection|malware|threat)", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + + // Extract source IP + {"regex": "(?:src_ip|ip)[=:]\\s*([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // Extract target + {"regex": "(?:target_url|url)[=:]\\s*(\\S+)", "group": 1, "to": "finding_info.src_url"}, + + // Extract payload + {"regex": "payload[=:]\\s*\"([^\"]+)\"", "group": 1, "to": "finding_info.data_sources"}, + + // Severity + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"} + ] + }, + + // Configuration changes + { + "pattern": "(config|configuration|setting|changed)", + "rewrites": [ + {"set": "class_uid", "value": "5001"}, + {"set": "class_name", "value": "Configuration"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Update"}, + + // Extract setting + {"regex": "setting[=:]\\s*(\\S+)", "group": 1, "to": "config.name"}, + + // Extract old/new values + {"regex": "old_value[=:]\\s*(\\S+)", "group": 1, "to": "prev_config.value"}, + {"regex": "new_value[=:]\\s*(\\S+)", "group": 1, "to": "config.value"}, + + // Extract who changed + {"regex": "changed_by[=:]\\s*(\\S+)", "group": 1, "to": "actor.user.name"} + ] + }, + + // Service events + { + "pattern": "(service|started|stopped|restart)", + "rewrites": [ + {"set": "class_uid", "value": "1006"}, + {"set": "class_name", "value": "Service Activity"}, + + // Extract service name + {"regex": "service_name[=:]\\s*(\\S+)", "group": 1, "to": "service.name"}, + + // Extract version + {"regex": "version[=:]\\s*(\\S+)", "group": 1, "to": "service.version"}, + + // Extract port + {"regex": "port[=:]\\s*(\\d+)", "group": 1, "to": "service.port"}, + + // Extract PID + {"regex": "pid[=:]\\s*(\\d+)", "group": 1, "to": "service.pid"}, + + // Activity + {"set": "activity_id", "value": "1", "if": "started"}, + {"set": "activity_name", "value": "Start", "if": "started"}, + {"set": "activity_id", "value": "2", "if": "stopped"}, + {"set": "activity_name", "value": "Stop", "if": "stopped"} + ] + } + ], + + "transforms": { + "syslogTimestamp": { + "formats": [ + "MMM dd HH:mm:ss", + "MMM d HH:mm:ss" + ], + "timezone": "local" + } + } +} diff --git a/parsers/ocsf-threat-detection b/parsers/ocsf-threat-detection new file mode 100644 index 0000000..bc33470 --- /dev/null +++ b/parsers/ocsf-threat-detection @@ -0,0 +1,73 @@ +{ + "duration": "24h", + "description": "Active threats and detection triggers across OCSF sources", + "graphs": [ + { + "title": "About This Dashboard", + "graphStyle": "markdown", + "markdown": "## OCSF Threat Detection\nMonitors suspicious activity patterns across all OCSF-normalized log sources.\n\n**Key Indicators:**\n- Brute force attempts (3+ failed logins)\n- Port scanning (5+ unique ports)\n- Suspicious process execution\n- Lateral movement indicators", + "layout": { + "w": 60, + "h": 6, + "x": 0, + "y": 0 + } + }, + { + "title": "Brute Force Attempts", + "graphStyle": "table", + "query": "message contains 'Failed password' or message contains 'authentication failure' | group failed_attempts=count() by src_ip, user_name | filter failed_attempts >= 3 | sort -failed_attempts | limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 6 + } + }, + { + "title": "Port Scan Sources", + "graphStyle": "table", + "query": "action = 'deny' dstport = * srcip = * | group hits=count() by srcip, dstport | group unique_ports=count() by srcip | filter unique_ports >= 5 | sort -unique_ports | limit 15", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 6 + } + }, + { + "title": "Suspicious Process Execution", + "graphStyle": "table", + "query": "message contains 'mimikatz' or message contains 'psexec' or message contains 'netcat' or message contains 'reverse shell' or message contains 'powershell -enc' | columns timestamp, serverHost, message | limit 50", + "layout": { + "w": 60, + "h": 14, + "x": 0, + "y": 20 + } + }, + { + "title": "Lateral Movement Indicators", + "graphStyle": "table", + "query": "(dstport = 22 or dstport = 3389 or dstport = 445 or dstport = 5985) srcip = * | group conns=count() by srcip, dstport | filter conns >= 3 | sort -conns | limit 15", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 34 + } + }, + { + "title": "C2 Beacon Activity", + "graphStyle": "stacked_bar", + "xAxis": "grouped_data", + "query": "(dstport = 4444 or dstport = 8080 or dstport = 1337) srcip = * | group count() by srcip | sort -count | limit 10", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 34 + } + } + ] +} \ No newline at end of file diff --git a/parsers/ocsf-threat-detection-v2 b/parsers/ocsf-threat-detection-v2 new file mode 100644 index 0000000..57ecb50 --- /dev/null +++ b/parsers/ocsf-threat-detection-v2 @@ -0,0 +1,93 @@ +{ + "duration": "24h", + "description": "Active threats and detection triggers across OCSF sources", + "parameters": [ + { + "name": "severity_filter", + "values": [ + { + "label": "All", + "value": "*" + }, + { + "label": "Critical Only", + "value": "1" + }, + { + "label": "High+", + "value": "1,2" + } + ], + "defaultValue": "*" + } + ], + "graphs": [ + { + "title": "Threat Detection Overview", + "graphStyle": "markdown", + "markdown": "## OCSF Threat Detection\\n\\nMonitors suspicious activity patterns across all OCSF-normalized log sources.\\n\\n**Key Indicators:**\\n- Brute force attempts (3+ failed logins from same IP)\\n- Port scanning (5+ unique destination ports)\\n- Suspicious process execution (mimikatz, psexec, etc.)\\n- Lateral movement (SSH/RDP/SMB from internal IPs)", + "layout": { + "w": 60, + "h": 7, + "x": 0, + "y": 0 + } + }, + { + "title": "Brute Force Attempts (3+ failures)", + "graphStyle": "table", + "query": "serverHost contains 'ocsf' (message contains 'Failed password' or message contains 'authentication failure') | group failed_attempts=count() by src_ip, user_name | filter failed_attempts >= 3 | sort -failed_attempts | limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 7 + } + }, + { + "title": "Port Scan Sources (5+ ports)", + "graphStyle": "table", + "query": "serverHost contains 'ocsf' action = 'deny' dstport = * srcip = * | group hits=count() by srcip, dstport | group unique_ports=count() by srcip | filter unique_ports >= 5 | sort -unique_ports | limit 15", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 7 + } + }, + { + "title": "Suspicious Process Execution", + "graphStyle": "table", + "query": "serverHost contains 'ocsf' (message contains 'mimikatz' or message contains 'psexec' or message contains 'netcat' or message contains 'reverse shell' or message contains 'powershell -enc' or message contains 'certutil -decode') | columns timestamp, serverHost, message | limit 50", + "layout": { + "w": 60, + "h": 14, + "x": 0, + "y": 21 + } + }, + { + "title": "Lateral Movement (SSH/RDP/SMB)", + "graphStyle": "table", + "query": "serverHost contains 'ocsf' (dstport = 22 or dstport = 3389 or dstport = 445 or dstport = 5985) srcip = * | group conns=count() by srcip, dstport | filter conns >= 3 | sort -conns | limit 15", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 35 + } + }, + { + "title": "C2 Beacon Activity (suspicious ports)", + "graphStyle": "stacked_bar", + "xAxis": "grouped_data", + "query": "serverHost contains 'ocsf' (dstport = 4444 or dstport = 8080 or dstport = 1337 or dstport = 6666) srcip = * | group count() by srcip | sort -count | limit 10", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 35 + } + } + ] +} \ No newline at end of file diff --git a/parsers/ocsf-watchguard b/parsers/ocsf-watchguard new file mode 100644 index 0000000..6c240c6 --- /dev/null +++ b/parsers/ocsf-watchguard @@ -0,0 +1,216 @@ +// SentinelOne AI SIEM Parser: WatchGuard Fireware OS +// OCSF Schema Version: 1.1.0 +// Maps WatchGuard Firebox logs to OCSF classes +// Primary Classes: Network Activity (4001), Authentication (3002), Security Finding (2001) + +{ + "parserName": "WatchGuard-OCSF", + "version": "1.0.0", + "vendor": "WatchGuard", + "product": "Fireware OS", + "format": "space-delimited", + + "patterns": [ + // Firewall traffic logs + { + "pattern": "^(\\d{4}-\\d{2}-\\d{2}\\s+[\\d:]+)\\s+firewall\\s+(Allow|Deny)\\s+([\\d.]+)\\s+([\\d.]+|\\S+)\\s+(\\S+)\\s+(\\d+)\\s+(\\d+)", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + // Activity + {"group": 2, "to": "activity_name"}, + {"lookup": "activity_name", "map": {"Allow": 1, "Deny": 2}, "to": "activity_id"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "WatchGuard Fireware"}, + {"set": "metadata.product.vendor_name", "value": "WatchGuard"}, + + // Time + {"group": 1, "to": "time"}, + + // Endpoints + {"group": 3, "to": "src_endpoint.ip"}, + {"group": 4, "to": "dst_endpoint.ip"}, + {"group": 6, "to": "src_endpoint.port"}, + {"group": 7, "to": "dst_endpoint.port"}, + + // Protocol/Service + {"group": 5, "to": "connection_info.protocol_name"}, + + // Extract additional fields + {"regex": "rule_name=\"([^\"]+)\"", "group": 1, "to": "policy.name"}, + {"regex": "geo_src=\"([^\"]+)\"", "group": 1, "to": "src_endpoint.location.country"}, + {"regex": "geo_dst=\"([^\"]+)\"", "group": 1, "to": "dst_endpoint.location.country"}, + {"regex": "proxy_act=\"([^\"]+)\"", "group": 1, "to": "proxy.name"}, + {"regex": "msg_id=\"([^\"]+)\"", "group": 1, "to": "metadata.uid"}, + + // Application info + {"regex": "app_name=\"([^\"]+)\"", "group": 1, "to": "app_name"}, + {"regex": "app_cat=\"([^\"]+)\"", "group": 1, "to": "app.category"}, + {"regex": "app_behavior=\"([^\"]+)\"", "group": 1, "to": "app.feature.name"}, + + // Status + {"lookup": "activity_name", "map": {"Allow": 1, "Deny": 2}, "to": "status_id"}, + {"lookup": "activity_name", "map": {"Allow": "Success", "Deny": "Failure"}, "to": "status"} + ] + }, + + // IPS signature match + { + "pattern": "IPS\\s+signature_match", + "rewrites": [ + {"set": "class_uid", "value": "2004"}, + {"set": "class_name", "value": "Detection Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "WatchGuard IPS"}, + {"set": "metadata.product.vendor_name", "value": "WatchGuard"}, + + // Endpoints + {"regex": "signature_match\\s+([\\d.]+)\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + {"regex": "signature_match\\s+([\\d.]+)\\s+([\\d.]+)", "group": 2, "to": "dst_endpoint.ip"}, + + // Signature info + {"regex": "sig_name=\"([^\"]+)\"", "group": 1, "to": "finding_info.title"}, + {"regex": "sig_id=\"([^\"]+)\"", "group": 1, "to": "finding_info.uid"}, + {"regex": "sig_vers=\"([^\"]+)\"", "group": 1, "to": "finding_info.version"}, + {"regex": "severity=\"([^\"]+)\"", "group": 1, "to": "severity"}, + {"regex": "action=\"([^\"]+)\"", "group": 1, "to": "activity_name"}, + + // Severity mapping + {"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1}, "to": "severity_id"}, + + // Action mapping + {"lookup": "activity_name", "map": {"block": 2, "drop": 2, "alert": 1, "allow": 0}, "to": "activity_id"}, + + // Geo + {"regex": "geo_src=\"([^\"]+)\"", "group": 1, "to": "src_endpoint.location.country"} + ] + }, + + // Antivirus detection + { + "pattern": "antivirus\\s+virus_found", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "finding_info.types", "value": ["Malware"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "WatchGuard Gateway AntiVirus"}, + {"set": "metadata.product.vendor_name", "value": "WatchGuard"}, + + // Endpoints + {"regex": "virus_found\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // Malware info + {"regex": "virus_name=\"([^\"]+)\"", "group": 1, "to": "malware.name"}, + {"regex": "file_name=\"([^\"]+)\"", "group": 1, "to": "file.name"}, + {"regex": "action=\"([^\"]+)\"", "group": 1, "to": "activity_name"}, + {"regex": "content_type=\"([^\"]+)\"", "group": 1, "to": "file.type_id"}, + {"regex": "md5=\"([^\"]+)\"", "group": 1, "to": "file.hashes.md5"}, + + {"set": "severity_id", "value": "5"}, + {"set": "severity", "value": "Critical"} + ] + }, + + // Authentication events + { + "pattern": "authentication\\s+(auth_success|auth_failure)", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "WatchGuard Fireware"}, + {"set": "metadata.product.vendor_name", "value": "WatchGuard"}, + + // User + {"regex": "user=\"([^\"]+)\"", "group": 1, "to": "user.name"}, + {"regex": "domain=\"([^\"]+)\"", "group": 1, "to": "user.domain"}, + + // Source + {"regex": "auth_\\w+\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // Auth details + {"regex": "auth_method=\"([^\"]+)\"", "group": 1, "to": "auth_protocol"}, + {"regex": "auth_server=\"([^\"]+)\"", "group": 1, "to": "auth_server"}, + {"regex": "session_id=\"([^\"]+)\"", "group": 1, "to": "session.uid"}, + {"regex": "reason=\"([^\"]+)\"", "group": 1, "to": "status_detail"}, + {"regex": "attempts=\"([^\"]+)\"", "group": 1, "to": "attempts"}, + + // Status + {"set": "status_id", "value": "1", "if": "auth_success"}, + {"set": "status", "value": "Success", "if": "auth_success"}, + {"set": "status_id", "value": "2", "if": "auth_failure"}, + {"set": "status", "value": "Failure", "if": "auth_failure"} + ] + }, + + // System/Config changes + { + "pattern": "system\\s+config_change", + "rewrites": [ + {"set": "class_uid", "value": "5001"}, + {"set": "class_name", "value": "Configuration"}, + {"set": "category_uid", "value": "5"}, + {"set": "category_name", "value": "Discovery"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Update"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "WatchGuard Fireware"}, + {"set": "metadata.product.vendor_name", "value": "WatchGuard"}, + + // Actor + {"regex": "admin_user=\"([^\"]+)\"", "group": 1, "to": "actor.user.name"}, + {"regex": "config_change\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // Change details + {"regex": "change_type=\"([^\"]+)\"", "group": 1, "to": "activity_name"}, + {"regex": "object_type=\"([^\"]+)\"", "group": 1, "to": "resources.type"}, + {"regex": "object_name=\"([^\"]+)\"", "group": 1, "to": "resources.name"}, + {"regex": "action=\"([^\"]+)\"", "group": 1, "to": "resources.action"} + ] + }, + + // DLP events + { + "pattern": "dlp\\s+data_leak_prevented", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "finding_info.types", "value": ["Data Loss Prevention"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "WatchGuard DLP"}, + {"set": "metadata.product.vendor_name", "value": "WatchGuard"}, + + // Source + {"regex": "data_leak_prevented\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // DLP details + {"regex": "rule_name=\"([^\"]+)\"", "group": 1, "to": "policy.name"}, + {"regex": "pattern_matched=\"([^\"]+)\"", "group": 1, "to": "finding_info.title"}, + {"regex": "action=\"([^\"]+)\"", "group": 1, "to": "activity_name"}, + {"regex": "user=\"([^\"]+)\"", "group": 1, "to": "actor.user.name"}, + {"regex": "file_name=\"([^\"]+)\"", "group": 1, "to": "file.name"}, + {"regex": "bytes_blocked=\"([^\"]+)\"", "group": 1, "to": "traffic.bytes"}, + + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"} + ] + } + ] +} diff --git a/parsers/ocsf-windows-security b/parsers/ocsf-windows-security new file mode 100644 index 0000000..588bd3b --- /dev/null +++ b/parsers/ocsf-windows-security @@ -0,0 +1,219 @@ +// SentinelOne AI SIEM Parser: Microsoft Windows Security Event Log +// OCSF Schema Version: 1.1.0 +// Maps Windows Security XML events to OCSF classes +// Primary Classes: Authentication (3002), Account Change (3001), Process Activity (1007) + +{ + "parserName": "WindowsSecurity-OCSF", + "version": "1.0.0", + "vendor": "Microsoft", + "product": "Windows Security", + "format": "xml", + + "patterns": [ + // Successful Logon (4624) + { + "pattern": "4624", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "type_uid", "value": "300201"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Windows Security"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + {"xpath": "//System/EventRecordID", "to": "metadata.uid"}, + {"xpath": "//System/Computer", "to": "metadata.product.feature.name"}, + + // Time + {"xpath": "//System/TimeCreated/@SystemTime", "to": "time"}, + + // User (Target) + {"xpath": "//EventData/Data[@Name='TargetUserName']", "to": "user.name"}, + {"xpath": "//EventData/Data[@Name='TargetDomainName']", "to": "user.domain"}, + {"xpath": "//EventData/Data[@Name='TargetUserSid']", "to": "user.uid"}, + {"xpath": "//EventData/Data[@Name='TargetLogonId']", "to": "session.uid"}, + + // Actor (Subject) + {"xpath": "//EventData/Data[@Name='SubjectUserName']", "to": "actor.user.name"}, + {"xpath": "//EventData/Data[@Name='SubjectDomainName']", "to": "actor.user.domain"}, + {"xpath": "//EventData/Data[@Name='SubjectUserSid']", "to": "actor.user.uid"}, + + // Logon type mapping + {"xpath": "//EventData/Data[@Name='LogonType']", "to": "logon_type_id"}, + {"lookup": "logon_type_id", "map": { + "2": "Interactive", + "3": "Network", + "4": "Batch", + "5": "Service", + "7": "Unlock", + "8": "NetworkCleartext", + "9": "NewCredentials", + "10": "RemoteInteractive", + "11": "CachedInteractive" + }, "to": "logon_type"}, + + // Source endpoint + {"xpath": "//EventData/Data[@Name='IpAddress']", "to": "src_endpoint.ip"}, + {"xpath": "//EventData/Data[@Name='IpPort']", "to": "src_endpoint.port"}, + {"xpath": "//EventData/Data[@Name='WorkstationName']", "to": "src_endpoint.name"}, + + // Authentication details + {"xpath": "//EventData/Data[@Name='AuthenticationPackageName']", "to": "auth_protocol"}, + {"xpath": "//EventData/Data[@Name='LogonProcessName']", "to": "logon_process.name"}, + + // Process + {"xpath": "//EventData/Data[@Name='ProcessId']", "to": "actor.process.pid"}, + {"xpath": "//EventData/Data[@Name='ProcessName']", "to": "actor.process.file.path"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Failed Logon (4625) + { + "pattern": "4625", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Windows Security"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + {"xpath": "//EventData/Data[@Name='TargetUserName']", "to": "user.name"}, + {"xpath": "//EventData/Data[@Name='TargetDomainName']", "to": "user.domain"}, + {"xpath": "//EventData/Data[@Name='Status']", "to": "status_code"}, + {"xpath": "//EventData/Data[@Name='SubStatus']", "to": "status_detail"}, + {"xpath": "//EventData/Data[@Name='FailureReason']", "to": "message"}, + {"xpath": "//EventData/Data[@Name='IpAddress']", "to": "src_endpoint.ip"}, + {"xpath": "//EventData/Data[@Name='WorkstationName']", "to": "src_endpoint.name"}, + {"xpath": "//EventData/Data[@Name='LogonType']", "to": "logon_type_id"}, + + // Severity for failed auth + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + }, + + // Process Creation (4688) + { + "pattern": "4688", + "rewrites": [ + {"set": "class_uid", "value": "1007"}, + {"set": "class_name", "value": "Process Activity"}, + {"set": "category_uid", "value": "1"}, + {"set": "category_name", "value": "System Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Launch"}, + {"set": "type_uid", "value": "100701"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Windows Security"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + // Actor + {"xpath": "//EventData/Data[@Name='SubjectUserName']", "to": "actor.user.name"}, + {"xpath": "//EventData/Data[@Name='SubjectDomainName']", "to": "actor.user.domain"}, + {"xpath": "//EventData/Data[@Name='SubjectUserSid']", "to": "actor.user.uid"}, + {"xpath": "//EventData/Data[@Name='SubjectLogonId']", "to": "actor.session.uid"}, + + // New Process + {"xpath": "//EventData/Data[@Name='NewProcessId']", "to": "process.pid"}, + {"xpath": "//EventData/Data[@Name='NewProcessName']", "to": "process.file.path"}, + {"xpath": "//EventData/Data[@Name='CommandLine']", "to": "process.cmd_line"}, + {"xpath": "//EventData/Data[@Name='TokenElevationType']", "to": "process.integrity"}, + + // Parent Process + {"xpath": "//EventData/Data[@Name='ProcessId']", "to": "process.parent_process.pid"}, + {"xpath": "//EventData/Data[@Name='ParentProcessName']", "to": "process.parent_process.file.path"}, + + // Labels + {"xpath": "//EventData/Data[@Name='MandatoryLabel']", "to": "process.integrity_id"} + ] + }, + + // Special Privileges (4672) + { + "pattern": "4672", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Logon: Privileged"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Windows Security"}, + + {"xpath": "//EventData/Data[@Name='SubjectUserName']", "to": "user.name"}, + {"xpath": "//EventData/Data[@Name='SubjectDomainName']", "to": "user.domain"}, + {"xpath": "//EventData/Data[@Name='SubjectUserSid']", "to": "user.uid"}, + {"xpath": "//EventData/Data[@Name='SubjectLogonId']", "to": "session.uid"}, + {"xpath": "//EventData/Data[@Name='PrivilegeList']", "to": "user.privileges"}, + + {"set": "is_admin", "value": "true"} + ] + }, + + // User Account Created (4720) + { + "pattern": "4720", + "rewrites": [ + {"set": "class_uid", "value": "3001"}, + {"set": "class_name", "value": "Account Change"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Create"}, + {"set": "type_uid", "value": "300101"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Windows Security"}, + + // Actor (who created) + {"xpath": "//EventData/Data[@Name='SubjectUserName']", "to": "actor.user.name"}, + {"xpath": "//EventData/Data[@Name='SubjectDomainName']", "to": "actor.user.domain"}, + {"xpath": "//EventData/Data[@Name='SubjectUserSid']", "to": "actor.user.uid"}, + + // Target (new account) + {"xpath": "//EventData/Data[@Name='TargetUserName']", "to": "user.name"}, + {"xpath": "//EventData/Data[@Name='TargetDomainName']", "to": "user.domain"}, + {"xpath": "//EventData/Data[@Name='TargetSid']", "to": "user.uid"}, + {"xpath": "//EventData/Data[@Name='SamAccountName']", "to": "user.account.name"}, + {"xpath": "//EventData/Data[@Name='DisplayName']", "to": "user.full_name"}, + {"xpath": "//EventData/Data[@Name='UserPrincipalName']", "to": "user.email_addr"} + ] + } + ], + + "event_id_mappings": { + "4624": {"class": "Authentication", "activity": "Logon", "status": "Success"}, + "4625": {"class": "Authentication", "activity": "Logon", "status": "Failure"}, + "4634": {"class": "Authentication", "activity": "Logoff", "status": "Success"}, + "4648": {"class": "Authentication", "activity": "Logon: Explicit Credentials"}, + "4672": {"class": "Authentication", "activity": "Logon: Privileged"}, + "4688": {"class": "Process Activity", "activity": "Launch"}, + "4689": {"class": "Process Activity", "activity": "Terminate"}, + "4720": {"class": "Account Change", "activity": "Create"}, + "4722": {"class": "Account Change", "activity": "Enable"}, + "4723": {"class": "Account Change", "activity": "Password Change"}, + "4724": {"class": "Account Change", "activity": "Password Reset"}, + "4725": {"class": "Account Change", "activity": "Disable"}, + "4726": {"class": "Account Change", "activity": "Delete"}, + "4728": {"class": "Group Membership", "activity": "Add"}, + "4729": {"class": "Group Membership", "activity": "Remove"}, + "4732": {"class": "Group Membership", "activity": "Add"}, + "4733": {"class": "Group Membership", "activity": "Remove"} + } +} diff --git a/parsers/paloalto_firewall-latest b/parsers/paloalto_firewall-latest new file mode 100644 index 0000000..9080daf --- /dev/null +++ b/parsers/paloalto_firewall-latest @@ -0,0 +1,1169 @@ +{ + attributes: { + "dataSource.category": "security", + "dataSource.name": "Palo Alto Networks Firewall", + "dataSource.vendor": "Palo Alto Networks", + }, + patterns: { + //maps to high_resolution_timestamp: + //timestamp: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3}(\\+|-)\\d{2}:\\d{2}", + //application_characteristic can be a single value, a comma delimited list in quotes, or blank. Null value is handled by format: traffic-2, not by this pattern. + app_characteristic: "(\".*\")|[^,]+", + //description field from system log is wrapped in quotes and may contain commas + desc: "(\".*\")", + userid_log_type: "USERID", + logout_sub_type: "logout", + login_sub_type: "login", + hipmatch_log_type: "HIPMATCH", + config_log_type: "CONFIG", + wildfire_sub_type: "wildfire", + data_filtering_sub_type: "file", + globalprotect_log_type: "GLOBALPROTECT", + iptag_log_type: "IPTAG", + gtp_log_type: "GTP", + tunnel_log_type: "\\b(?:START|END|start|end)\\b", + sctp_log_type: "SCTP", + system_log_type: "SYSTEM" + }, + + formats: [ + // { + // format: ".*$timestamp=timestamp$(\\,)*", + //}, + { + //match all fields. application_characteristic can be a single value, or a comma delimited list in quotes. + attributes: { + "class_uid": "4001", + "category_uid": "4", + "severity_id": "0", + "class_name": "Network Activity", + "category_name": "Network Activity", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.0.0-rc.3", + "metadata.log_name": "TRAFFIC", + }, + format: ".*,$metadata.logged_time_dt$,$device.hw_info.serial_number$,TRAFFIC,$unmapped.sub_type$,.*,$metadata.original_time$,$src_endpoint.ip$,$dst_endpoint.ip$,$src_endpoint.intermediate_ips$,$dst_endpoint.intermediate_ips$,$unmapped.rule_matched$,$actor.user.name$,$unmapped.dst_user$,$app_name$,$unmapped.vsys$,$unmapped.from_zone$,$unmapped.to_zone$,$unmapped.inbound_if$,$unmapped.outbound_if$,$actor.session.issuer$,$metadata.original_time$,$actor.session.uid$,$unmapped.repeat_count$,$src_endpoint.port$,$dst_endpoint.port$,$unmapped.nat_src_port$,$unmapped.nat_dst_port$,$unmapped.flags$,$connection_info.protocol_name$,$unmapped.action_value$,$traffic.bytes$,$traffic.bytes_in$,$traffic.bytes_out$,$traffic.packets$,$actor.session.created_time_dt$,$duration$,$unmapped.url_category_value$,.*,$metadata.sequence$,$unmapped.action_flags$,$src_endpoint.location.region$,$dst_endpoint.location.region$,.*,$traffic.packets_out$,$traffic.packets_in$,$unmapped.session_end_reason_value$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.hostname$,$unmapped.action_source$,$unmapped.src_uuid$,$unmapped.dst_uuid$,$device.imsi$,$device.imei$,$unmapped.parent_session_id$,$unmapped.parent_start_time$,$unmapped.tunnel_type$,$unmapped.ep_assoc_id$,$unmapped.chunks_total$,$unmapped.chunks_sent$,$unmapped.chunks_received$,$unmapped.rule_matched_uuid$,$unmapped.http2_connection$,$unmapped.link_change_count$,$unmapped.policy_id$,$unmapped.link_switches$,$unmapped.sdwan_cluster$,$unmapped.sdwan_device_type$,$unmapped.sdwan_cluster_type$,$unmapped.sdwan_site$,$actor.user.groups$,$src_endpoint.intermediate_ips$,$unmapped.src_category$,$unmapped.src_profile$,$unmapped.src_model$,$unmapped.src_vendor$,$unmapped.src_osfamily$,$unmapped.src_osversion$,$src_endpoint.hostname$,$src_endpoint.mac$,$unmapped.dst_category$,$unmapped.dst_profile$,$unmapped.dst_model$,$unmapped.dst_vendor$,$unmapped.dst_osfamily$,$unmapped.dst_osversion$,$dst_endpoint.hostname$,$dst_endpoint.mac$,$unmapped.container_id$,$unmapped.pod_namespace$,$unmapped.pod_name$,$unmapped.src_edl$,$unmapped.dst_edl$,$device.uid$,$unmapped.serial_number$,$unmapped.src_dag$,$unmapped.dst_dag$,$unmapped.session_owner$,$unmapped.high_res_timestamp$,$unmapped.nsdsai_sst$,$unmapped.nsdsai_sd$,$unmapped.subcategory_of_app$,$unmapped.category_of_app$,$unmapped.technology_of_app$,$unmapped.risk_of_app$,$unmapped.characteristic_of_app=app_characteristic$,$unmapped.container_of_app$,$unmapped.tunneled_app$,$unmapped.is_saas_of_app$,$unmapped.sanctioned_state_of_app$,$unmapped.offloaded$", + halt: true, + rewrites: [ + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^start$", + replace: "1" + }, + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^end$", + replace: "2" + }, + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^drop$", + replace: "4" + }, + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^deny$", + replace: "5" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^start$", + replace: "Open" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^end$", + replace: "Close" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^drop$", + replace: "Fail" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^deny$", + replace: "Refuse" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: "^start$", + replace: "Open" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: "^end$", + replace: "Close" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: "^drop$", + replace: "Fail" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: "^deny$", + replace: "Refuse" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^start$", + replace: "400101" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^end$", + replace: "400102" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^drop$", + replace: "400104" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^deny$", + replace: "400105" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^start$", + replace: "Network Activity: Open" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^end$", + replace: "Network Activity: Close" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^drop$", + replace: "Network Activity: Fail" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^deny$", + replace: "Network Activity: Refuse" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^allow$", + replace: "1" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^deny$", + replace: "2" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^allow$", + replace: "Success" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^deny$", + replace: "Failure" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^(?!allow|deny$).*", + replace: "99" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^(?!allow|deny$).*", + replace: "Other" + }, + { + input: "dst_endpoint.intermediate_ips", + output: "dst_endpoint.intermediate_ips", + match: ".*", + replace: "\\[\"$0\"\\]" + }, + { + input: "message", + output: "src_endpoint.intermediate_ips", + match: "(?:[^,]*,){9}([^,]*){1},(?:[^,]*,){65}([^,]*){1},(?:[^,]*,){38}.*", + replace: "\\[\"$1\"\\, \"$2\"\\]" + }, + { + input: "message", + output: "observables", + match: "(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){69}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),.*", + replace: "\\[\\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"src_endpoint.hostname\"\\, \"value\"\\: \"$4\"\\}\\, \\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"dst_endpoint.hostname\"\\, \"value\"\\: \"$6\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: \"$1\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"dst_endpoint.ip\"\\, \"value\"\\: \"$2\"\\}\\, \\{\"type_id\"\\: \"4\"\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: \"$3\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"src_endpoint.mac\"\\, \"value\"\\: \"$5\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"dst_endpoint.mac\"\\, \"value\"\\: \"$7\"\\}\\]" + }, + ] + }, + { + //dont match on application_characteristic for cases where is it blank. + attributes: { + "class_uid": "4001", + "category_uid": "4", + "severity_id": "0", + "class_name": "Network Activity", + "category_name": "Network Activity", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.0.0-rc.3", + "metadata.log_name": "TRAFFIC", + }, + format: ".*,$metadata.logged_time_dt$,$device.hw_info.serial_number$,TRAFFIC,$unmapped.sub_type$,.*,$metadata.original_time$,$src_endpoint.ip$,$dst_endpoint.ip$,$src_endpoint.intermediate_ips$,$dst_endpoint.intermediate_ips$,$unmapped.rule_matched$,$actor.user.name$,$unmapped.dst_user$,$app_name$,$unmapped.vsys$,$unmapped.from_zone$,$unmapped.to_zone$,$unmapped.inbound_if$,$unmapped.outbound_if$,$actor.session.issuer$,$metadata.original_time$,$actor.session.uid$,$unmapped.repeat_count$,$src_endpoint.port$,$dst_endpoint.port$,$unmapped.nat_src_port$,$unmapped.nat_dst_port$,$unmapped.flags$,$connection_info.protocol_name$,$unmapped.action_value$,$traffic.bytes$,$traffic.bytes_in$,$traffic.bytes_out$,$traffic.packets$,$actor.session.created_time_dt$,$duration$,$unmapped.url_category_value$,.*,$metadata.sequence$,$unmapped.action_flags$,$src_endpoint.location.region$,$dst_endpoint.location.region$,.*,$traffic.packets_out$,$traffic.packets_in$,$unmapped.session_end_reason_value$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.hostname$,$unmapped.action_source$,$unmapped.src_uuid$,$unmapped.dst_uuid$,$device.imsi$,$device.imei$,$unmapped.parent_session_id$,$unmapped.parent_start_time$,$unmapped.tunnel_type$,$unmapped.ep_assoc_id$,$unmapped.chunks_total$,$unmapped.chunks_sent$,$unmapped.chunks_received$,$unmapped.rule_matched_uuid$,$unmapped.http2_connection$,$unmapped.link_change_count$,$unmapped.policy_id$,$unmapped.link_switches$,$unmapped.sdwan_cluster$,$unmapped.sdwan_device_type$,$unmapped.sdwan_cluster_type$,$unmapped.sdwan_site$,$actor.user.groups$,$src_endpoint.intermediate_ips$,$unmapped.src_category$,$unmapped.src_profile$,$unmapped.src_model$,$unmapped.src_vendor$,$unmapped.src_osfamily$,$unmapped.src_osversion$,$src_endpoint.hostname$,$src_endpoint.mac$,$unmapped.dst_category$,$unmapped.dst_profile$,$unmapped.dst_model$,$unmapped.dst_vendor$,$unmapped.dst_osfamily$,$unmapped.dst_osversion$,$dst_endpoint.hostname$,$dst_endpoint.mac$,$unmapped.container_id$,$unmapped.pod_namespace$,$unmapped.pod_name$,$unmapped.src_edl$,$unmapped.dst_edl$,$device.uid$,$unmapped.serial_number$,$unmapped.src_dag$,$unmapped.dst_dag$,$unmapped.session_owner$,$unmapped.high_res_timestamp$,$unmapped.nsdsai_sst$,$unmapped.nsdsai_sd$,$unmapped.subcategory_of_app$,$unmapped.category_of_app$,$unmapped.technology_of_app$,$unmapped.risk_of_app$,$unmapped.characteristic_of_app$,$unmapped.container_of_app$,$unmapped.tunneled_app$,$unmapped.is_saas_of_app$,$unmapped.sanctioned_state_of_app$,$unmapped.offloaded$", + halt: true, + rewrites: [ + { + input: "unmapped.sub_type", + output: "event.type", + match: "^start$", + replace: "Open" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: "^end$", + replace: "Close" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: "^drop$", + replace: "Fail" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: "^deny$", + replace: "Refuse" + }, + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^start$", + replace: "1" + }, + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^end$", + replace: "2" + }, + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^drop$", + replace: "4" + }, + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^deny$", + replace: "5" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^start$", + replace: "Open" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^end$", + replace: "Close" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^drop$", + replace: "Fail" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^deny$", + replace: "Refuse" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^start$", + replace: "400101" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^end$", + replace: "400102" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^drop$", + replace: "400104" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^deny$", + replace: "400105" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^start$", + replace: "Network Activity: Open" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^end$", + replace: "Network Activity: Close" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^drop$", + replace: "Network Activity: Fail" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^deny$", + replace: "Network Activity: Refuse" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^allow$", + replace: "1" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^deny$", + replace: "2" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^allow$", + replace: "Success" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^deny$", + replace: "Failure" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^(?!allow|deny$).*", + replace: "99" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^(?!allow|deny$).*", + replace: "Other" + }, + { + input: "dst_endpoint.intermediate_ips", + output: "dst_endpoint.intermediate_ips", + match: ".*", + replace: "\\[\"$0\"\\]" + }, + { + input: "message", + output: "src_endpoint.intermediate_ips", + match: "(?:[^,]*,){9}([^,]*){1},(?:[^,]*,){65}([^,]*){1},(?:[^,]*,){38}.*", + replace: "\\[\"$1\"\\, \"$2\"\\]" + }, + { + input: "message", + output: "observables", + match: "(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){69}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),.*", + replace: "\\[\\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"src_endpoint.hostname\"\\, \"value\"\\: \"$4\"\\}\\, \\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"dst_endpoint.hostname\"\\, \"value\"\\: \"$6\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: \"$1\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"dst_endpoint.ip\"\\, \"value\"\\: \"$2\"\\}\\, \\{\"type_id\"\\: \"4\"\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: \"$3\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"src_endpoint.mac\"\\, \"value\"\\: \"$5\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"dst_endpoint.mac\"\\, \"value\"\\: \"$7\"\\}\\]" + }, + ] + }, + { + attributes: { + "class_uid": "0", + "activity_id": "99", + "category_uid": "0", + "type_uid": "99", + "type_name": "Base Event: Other", + "class_name": "Base Event", + "category_name": "Uncategorized", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.0.0-rc.3", + "metadata.log_name": "SYSTEM", + }, + format: ".*,$metadata.logged_time_dt$,$unmapped.serial$,SYSTEM,$unmapped.sub_type$,.*,$metadata.original_time$,$unmapped.vsys$,$unmapped.event_id$,$unmapped.object$,.*,.*,$unmapped.module$,$unmapped.severity$,$unmapped.description=desc$,$metadata.sequence$,$unmapped.action_flags$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$unmapped.device_name$,.*,.*,$unmapped.high_res_timestamp$", + halt: true, + rewrites: [ + { + input: "unmapped.sub_type", + output: "activity_name", + match: ".*", + replace: "$0" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: ".*", + replace: "$0" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^informational$", + replace: "1" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^low$", + replace: "2" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^medium$", + replace: "3" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^high$", + replace: "4" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^critical$", + replace: "5" + }, + { + input: "message", + output: "observables", + match: "(?:[^,]*,){14}(\".*\"),(?:[^,]*,){7}([^,]*),.*", + replace: "\\[\\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"device.hostname\"\\, \"value\"\\: \"$2\"\\}\\]" + }, + ] + }, + { + //matches THREAT logs with comma surround lists in application_characteristic and url_category_list. + attributes: { + "activity_name": "THREAT", + "class_uid": "4001", + "activity_id": "99", + "category_uid": "4", + "type_uid": "400199", + "type_name": "Network Activity: Other", + "class_name": "Network Activity", + "category_name": "Network Activity", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.0.0-rc.3", + "metadata.log_name": "THREAT", + "event.type": "THREAT" + }, + format: ".*,$metadata.logged_time_dt$,$device.hw_info.serial_number$,THREAT,$unmapped.sub_type$,.*,$metadata.original_time$,$src_endpoint.ip$,$dst_endpoint.ip$,$src_endpoint.intermediate_ips$,$dst_endpoint.intermediate_ips$,$unmapped.rule_matched$,$actor.user.name$,$unmapped.dst_user$,$app_name$,$unmapped.vsys$,$unmapped.from_zone$,$unmapped.to_zone$,$unmapped.inbound_if$,$unmapped.outbound_if$,$actor.session.issuer$,$metadata.original_time$,$actor.session.uid$,$unmapped.repeat_count$,$src_endpoint.port$,$dst_endpoint.port$,$unmapped.nat_src_port$,$unmapped.nat_dst_port$,$unmapped.flags$,$connection_info.protocol_name$,$unmapped.action_value$,$unmapped.file$,$unmapped.threat_id$,$unmapped.url_category_value$,$unmapped.severity$,$unmapped.direction_of_attack$,$metadata.sequence$,$unmapped.action_flags$,$src_endpoint.location.region$,$dst_endpoint.location.region$,$metadata.product.version$,$unmapped.pcap_id$,$unmapped.file_digest$,.*,$cloud.account_uid$,$unmapped.url_idx$,$unmapped.user_agent$,$unmapped.file_type$,$src_endpoint.intermediate_ips$,$unmapped.referrer$,$unmapped.sender_of_email$,$unmapped.subject_of_email$,$unmapped.receipent_of_email$,$unmapped.report_id$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.hostname$,.*,$unmapped.src_uuid$,$unmapped.dst_uuid$,$unmapped.http_method$,$device.imsi$,$device.imei$,$unmapped.parent_session_id$,$unmapped.parent_start_time$,$unmapped.tunnel_type$,$unmapped.threat_category$,$unmapped.content_version$,.*,$unmapped.ep_assoc_id$,$unmapped.ppid$,$unmapped.http_headers$,\"$unmapped.url_category_list$\",$unmapped.rule_matched_uuid$,$unmapped.http2_connection$,$actor.user.groups$,$src_endpoint.intermediate_ips$,$unmapped.src_category$,$unmapped.src_profile$,$unmapped.src_model$,$unmapped.src_vendor$,$unmapped.src_osfamily$,$unmapped.src_osversion$,$src_endpoint.hostname$,$src_endpoint.mac$,$unmapped.dst_category$,$unmapped.dst_profile$,$unmapped.dst_model$,$unmapped.dst_vendor$,$unmapped.dst_osfamily$,$unmapped.dst_osversion$,$dst_endpoint.hostname$,$dst_endpoint.mac$,$unmapped.container_id$,$unmapped.pod_namespace$,$unmapped.pod_name$,$unmapped.src_edl$,$unmapped.dst_edl$,$device.uid$,$unmapped.serial_number$,$unmapped.src_dag$,$unmapped.dst_dag$,$unmapped.partial_hash$,.*,$unmapped.high_res_timestamp$,$unmapped.reason$,$unmapped.justification$,$unmapped.nssai_sst$,$unmapped.subcategory_of_app$,$unmapped.category_of_app$,$unmapped.technology_of_app$,$unmapped.risk_of_app$,\"$unmapped.characteristic_of_app$\",$unmapped.container_of_app$,$unmapped.tunneled_app$,$unmapped.is_saas_of_app$,$unmapped.sanctioned_state_of_app$", + halt: true, + rewrites: [ + { + input: "unmapped.severity", + output: "severity_id", + match: "^informational$", + replace: "1" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^low$", + replace: "2" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^medium$", + replace: "3" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^high$", + replace: "4" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^critical$", + replace: "5" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^allow$", + replace: "1" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^deny$", + replace: "2" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^allow$", + replace: "Success" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^deny$", + replace: "Failure" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^(?!allow|deny$).*", + replace: "99" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^(?!allow|deny$).*", + replace: "Other" + }, + { + input: "dst_endpoint.intermediate_ips", + output: "dst_endpoint.intermediate_ips", + match: ".*", + replace: "\\[\"$0\"\\]" + }, + { + input: "message", + output: "src_endpoint.intermediate_ips", + match: "(?:[^,]*,){9}([^,]*),(?:[^,]*,){21}(\".*\"),(?:[^,]*,){16}([^,]*),(?:[^,]*,){26}(\".*\"),(?:[^,]*,){3}([^,]*),.*", + replace: "\\[\"$1\"\\, \"$3\"\\, \"$5\"\\]" + }, + { + input: "message", + output: "observables", + match: "(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){18}(\".*\"),(?:[^,]*,){43}(\".*\"),(?:[^,]*,){10}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),.*", + replace: "\\[\\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"src_endpoint.hostname\"\\, \"value\"\\: \"$6\"\\}\\, \\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"dst_endpoint.hostname\"\\, \"value\"\\: \"$8\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: \"$1\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"dst_endpoint.ip\"\\, \"value\"\\: \"$2\"\\}\\, \\{\"type_id\"\\: \"4\"\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: \"$3\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"src_endpoint.mac\"\\, \"value\"\\: \"$7\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"dst_endpoint.mac\"\\, \"value\"\\: \"$9\"\\}\\]" + }, + ] + }, + { + //matches THREAT logs with comma surround lists in application_characteristic and url_category_list. + attributes: { + "activity_name": "THREAT", + "class_uid": "4001", + "activity_id": "99", + "category_uid": "4", + "type_uid": "400199", + "type_name": "Network Activity: Other", + "class_name": "Network Activity", + "category_name": "Network Activity", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.0.0-rc.3", + "metadata.log_name": "THREAT", + "event.type": "THREAT" + }, + format: ".*,$metadata.logged_time_dt$,$device.hw_info.serial_number$,THREAT,$unmapped.sub_type$,.*,$metadata.original_time$,$src_endpoint.ip$,$dst_endpoint.ip$,$src_endpoint.intermediate_ips$,$dst_endpoint.intermediate_ips$,$unmapped.rule_matched$,$actor.user.name$,$unmapped.dst_user$,$app_name$,$unmapped.vsys$,$unmapped.from_zone$,$unmapped.to_zone$,$unmapped.inbound_if$,$unmapped.outbound_if$,$actor.session.issuer$,$metadata.original_time$,$actor.session.uid$,$unmapped.repeat_count$,$src_endpoint.port$,$dst_endpoint.port$,$unmapped.nat_src_port$,$unmapped.nat_dst_port$,$unmapped.flags$,$connection_info.protocol_name$,$unmapped.action_value$,$unmapped.file$,$unmapped.threat_id$,$unmapped.url_category_value$,$unmapped.severity$,$unmapped.direction_of_attack$,$metadata.sequence$,$unmapped.action_flags$,$src_endpoint.location.region$,$dst_endpoint.location.region$,$metadata.product.version$,$unmapped.pcap_id$,$unmapped.file_digest$,.*,$cloud.account_uid$,$unmapped.url_idx$,$unmapped.user_agent$,$unmapped.file_type$,$src_endpoint.intermediate_ips$,$unmapped.referrer$,$unmapped.sender_of_email$,$unmapped.subject_of_email$,$unmapped.receipent_of_email$,$unmapped.report_id$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.hostname$,.*,$unmapped.src_uuid$,$unmapped.dst_uuid$,$unmapped.http_method$,$device.imsi$,$device.imei$,$unmapped.parent_session_id$,$unmapped.parent_start_time$,$unmapped.tunnel_type$,$unmapped.threat_category$,$unmapped.content_version$,.*,$unmapped.ep_assoc_id$,$unmapped.ppid$,$unmapped.http_headers$,$unmapped.url_category_list$,$unmapped.rule_matched_uuid$,$unmapped.http2_connection$,$actor.user.groups$,$src_endpoint.intermediate_ips$,$unmapped.src_category$,$unmapped.src_profile$,$unmapped.src_model$,$unmapped.src_vendor$,$unmapped.src_osfamily$,$unmapped.src_osversion$,$src_endpoint.hostname$,$src_endpoint.mac$,$unmapped.dst_category$,$unmapped.dst_profile$,$unmapped.dst_model$,$unmapped.dst_vendor$,$unmapped.dst_osfamily$,$unmapped.dst_osversion$,$dst_endpoint.hostname$,$dst_endpoint.mac$,$unmapped.container_id$,$unmapped.pod_namespace$,$unmapped.pod_name$,$unmapped.src_edl$,$unmapped.dst_edl$,$device.uid$,$unmapped.serial_number$,$unmapped.src_dag$,$unmapped.dst_dag$,$unmapped.partial_hash$,.*,$unmapped.high_res_timestamp$,$unmapped.reason$,$unmapped.justification$,$unmapped.nssai_sst$,$unmapped.subcategory_of_app$,$unmapped.category_of_app$,$unmapped.technology_of_app$,$unmapped.risk_of_app$,$unmapped.characteristic_of_app$,$unmapped.container_of_app$,$unmapped.tunneled_app$,$unmapped.is_saas_of_app$,$unmapped.sanctioned_state_of_app$", + halt: true, + rewrites: [ + { + input: "unmapped.severity", + output: "severity_id", + match: "^informational$", + replace: "1" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^low$", + replace: "2" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^medium$", + replace: "3" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^high$", + replace: "4" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^critical$", + replace: "5" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^allow$", + replace: "1" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^deny$", + replace: "2" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^allow$", + replace: "Success" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^deny$", + replace: "Failure" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^(?!allow|deny$).*", + replace: "99" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^(?!allow|deny$).*", + replace: "Other" + }, + { + input: "dst_endpoint.intermediate_ips", + output: "dst_endpoint.intermediate_ips", + match: ".*", + replace: "\\[\"$0\"\\]" + }, + { + input: "message", + output: "src_endpoint.intermediate_ips", + match: "(?:[^,]*,){9}([^,]*),(?:[^,]*,){38}([^,]*),(?:[^,]*,){30}([^,]*),.*", + replace: "\\[\"$1\"\\, \"$2\"\\, \"$3\"\\]" + }, + { + input: "message", + output: "observables", + match: "(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){73}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),.*", + replace: "\\[\\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"src_endpoint.hostname\"\\, \"value\"\\: \"$4\"\\}\\, \\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"dst_endpoint.hostname\"\\, \"value\"\\: \"$6\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: \"$1\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"dst_endpoint.ip\"\\, \"value\"\\: \"$2\"\\}\\, \\{\"type_id\"\\: \"4\"\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: \"$3\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"src_endpoint.mac\"\\, \"value\"\\: \"$5\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"dst_endpoint.mac\"\\, \"value\"\\: \"$7\"\\}\\]" + }, + ] + }, + { + attributes: { + "activity_name": "Logoff", + "activity_id": "2", + "category_name": "Identity & Access Management", + "category_uid": "3", + "class_name": "Authentication", + "class_uid": "3002", + "cloud.provider": "Palo Alto Networks" + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "300202", + "type_name": "Authentication: Logoff", + "event.type": "Logoff", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=userid_log_type$,$unmapped.subtype=logout_sub_type$,.*,$start_time_dt$,$unmapped.vsys$,$src_endpoint.ip$,$user.name$,$user.uid$,$metadata.event_code$,$unmapped.repeatcnt$,$unmapped.timeout$,$src_endpoint.port$,$dst_endpoint.port$,$unmapped.datasource$,$unmapped.datasourcetype$,$unmapped.seqno$,$unmapped.actionflags$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$src_endpoint.hostname$,$unmapped.vsys_id$,$unmapped.factortype$,$unmapped.factorcompletiontime$,$unmapped.factorno$,$unmapped.ugflags$,$unmapped.userbysource$,$unmapped.tag_name$,$unmapped.high_res_timestamp$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){7}([^,]*)(?:,[^,]*){0},([^,]*)(?:,[^,]*){15},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"src_endpoint.hostname\"\\, \"value\"\\: $3\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 4\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"user.name\"\\, \"value\"\\: $2\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "activity_name": "Logon", + "activity_id": "1", + "category_name": "Identity & Access Management", + "category_uid": "3", + "class_name": "Authentication", + "class_uid": "3002", + "cloud.provider": "Palo Alto Networks" + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "300201", + "type_name": "Authentication: Logon", + "event.type": "Logon", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=userid_log_type$,$unmapped.subtype=login_sub_type$,.*,$start_time_dt$,$unmapped.vsys$,$src_endpoint.ip$,$user.name$,$user.uid$,$metadata.event_code$,$unmapped.repeatcnt$,$unmapped.timeout$,$src_endpoint.port$,$dst_endpoint.port$,$unmapped.datasource$,$unmapped.datasourcetype$,$unmapped.seqno$,$unmapped.actionflags$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$src_endpoint.hostname$,$unmapped.vsys_id$,$unmapped.factortype$,$unmapped.factorcompletiontime$,$unmapped.factorno$,$unmapped.ugflags$,$unmapped.userbysource$,$unmapped.tag_name$,$unmapped.high_res_timestamp$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){7}([^,]*)(?:,[^,]*){0},([^,]*)(?:,[^,]*){15},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"src_endpoint.hostname\"\\, \"value\"\\: $3\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 4\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"user.name\"\\, \"value\"\\: $2\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "action": "Other", + "action_id": "99", + "activity_name": "Other", + "activity_id": "99", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Detection Finding", + "class_uid": "2004", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "200499", + "type_name": "Detection Finding: Other", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$finding_info.title=hipmatch_log_type$,$unmapped.subtype$,.*,$start_time_dt$,$actor.user.name$,$unmapped.vsys$,$device.name$,$device.os.name$,$device.ip$,$unmapped.matchname$,$unmapped.repeatcnt$,$unmapped.matchtype$,.*,.*,$unmapped.seqno$,$unmapped.actionflags$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.hostname$,$unmapped.vsys_id$,$unmapped.srcipv6$,$unmapped.uid_alt$,$device.uid$,$device.mac$,$unmapped.high_res_timestamp$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){10}([^,]*)(?:,[^,]*){12},([^,]*)(?:,[^,]*){4},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"device.hostname\"\\, \"value\"\\: $2\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"device.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 3\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"device.mac\"\\, \"value\"\\: $3\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "activity_name": "Log", + "activity_id": "1", + "category_name": "Discovery", + "category_uid": "5", + "class_name": "Device Config State", + "class_uid": "5002", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "500201", + "type_name": "Device Config State: Log", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=config_log_type$,$unmapped.subtype$,.*,$start_time_dt$,$device.hostname$,$unmapped.vsys$,$actor.process.cmd_line$,$actor.user.name$,$unmapped.client$,$unmapped.result$,$metadata.product.path$,$unmapped.before-change-detail$,$unmapped.after-change-detail$,$unmapped.seqno$,$unmapped.actionflags$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.name$,$device.groups$,$unmapped.comment$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){6}([^,]*)(?:,[^,]*){2},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"device.hostname\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 4\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: $2\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "action": "Other", + "action_id": "99", + "activity_name": "Other", + "activity_id": "99", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Detection Finding", + "class_uid": "2004", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "200499", + "type_name": "Detection Finding: Other", + "severity_id": "99" + }, + format: "$metadata.original_time$,$device.hw_info.serial_number$,$unmapped.type$,$unmapped.subtype=wildfire_sub_type$,.*,$finding_info.created_time_dt$,$source_address$,$destination_address$,$nat_source_ip$,$nat_destination_ip$,$firewall_rule.name$,$actor.user.name$,$unmapped.dstuser$,$unmapped.app$,$unmapped.vsys$,$source_zone$,$destination_zone$,$inbound_interface$,$outbound_interface$,$unmapped.logset$,.*,$actor.session.uid$,$count$,$source_port$,$destination_port$,$unmapped.natsport$,$unmapped.natdport$,$unmapped.flags$,$ip_protocol$,$action$,$filename$,$finding_info.uid$,$unmapped.category$,$unmapped.severity$,$unmapped.direction$,$metadata.sequence$,$unmapped.actionflags$,$source_location$,$destination_location$,.*,$unmapped.contenttype$,$unmapped.pcap_id$,$unmapped.filedigest$,$unmapped.cloud$,$unmapped.url_idx$,$unmapped.user_agent$,$file_type$,$unmapped.xff$,$unmapped.referer$,$unmapped.sender$,$unmapped.subject$,$unmapped.recipient$,$unmapped.reportid$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.name$,.*,$source_vm_uuid$,$destination_vm_uuid$,$unmapped.http_method$,$unmapped.imsi$,$device.imei$,$parent_session_id$,$parent_start_time$,$unmapped.tunnel$,$unmapped.thr_category$,$unmapped.contentver$,.*,$unmapped.assoc_id$,$unmapped.ppid$,$unmapped.http_headers$,$unmapped.url_category_list$,$unmapped.rule_uuid$,$unmapped.http2_connection$,$unmapped.dynusergroup_name$,$unmapped.xff_ip$,$unmapped.src_category$,$unmapped.src_profile$,$unmapped.src_model$,$unmapped.src_vendor$,$unmapped.src_osfamily$,$unmapped.src_osversion$,$source_hostname$,$source_mac_address$,$unmapped.dst_category$,$unmapped.dst_profile$,$unmapped.dst_model$,$unmapped.dst_vendor$,$unmapped.dst_osfamily$,$unmapped.dst_osversion$,$destination_hostname$,$destination_mac_address$,$unmapped.container_id$,$unmapped.pod_namespace$,$unmapped.pod_name$,$unmapped.src_edl$,$unmapped.dst_edl$,$unmapped.hostid$,$unmapped.serialnumber$,$unmapped.domain_edl$,$unmapped.src_dag$,$unmapped.dst_dag$,$unmapped.partial_hash$,$unmapped.high_res_timestamp$,$unmapped.reason$,$unmapped.justification$,$unmapped.nssai_sst$,$unmapped.subcategory_of_app$,$unmapped.category_of_app$,$unmapped.technology_of_app$,$risk_level$,$unmapped.characteristic_of_app=app_characteristic$,$unmapped.container_of_app$,$unmapped.tunneled_app$,$unmapped.is_saas_of_app$,$unmapped.sanctioned_state_of_app$,$unmapped.cloud_reportid$", + halt: true, + rewrites: [ + { + input: "message", + output: "evidences", + match: "^(?:[^,]*,){6}([^,]*),([^,]*),([^,]*),([^,]*),(?:[^,]*,){5}([^,]*),([^,]*),([^,]*),([^,]*),(?:[^,]*,){4}([^,]*),([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){1}([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){13}([^,]*),(?:[^,]*,){1}([^,]*),(?:[^,]*,){18}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){1}([^,]*),([^,]*).*", + replace: "\\[\"src_endpoint\"\\:\\{\"ip\"\\: $1\\, \"intermediate_ips\"\\:\\[$3\\]\\, \"zone\"\\: $5\\, \"interface_name\"\\: $7\\, \"port\"\\: $9\\, \"location\"\\: \\{\"country\"\\: $13\\}\\, \"uid\"\\: $16\\, \"hostname\"\\: $20\\, \"mac\"\\: $21\\}\\, \"dst_endpoint\"\\:\\{\"ip\"\\: $2\\, \"intermediate_ips\"\\:\\[$4\\]\\, \"zone\"\\: $6\\, \"interface_name\"\\: $8\\, \"port\"\\: $10\\, \"location\"\\: \\{\"country\"\\: $14\\}\\, \"uid\"\\: $17\\, \"hostname\"\\: $22\\, \"mac\"\\: $23\\}\\, \"connection_info\"\\: \\{ \"protocol_name\"\\: $11\\}\\, \"process\"\\: \\{\"file\"\\: \\{\"name\"\\: $12\\, \"type\"\\: $15\\}\\, \"parent_process\"\\: \\{\"session\": \\{\"uid\": $18\\}\\, \"created_time\"\\: $19\\}\\} \\]" + }, + { + input: "message", + output: "observables", + match: "^(?:[^,]*,){6}([^,]*),(?:[^,]*,){0}([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){73}([^,]*),(?:[^,]*,){7}([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"evidences.src_endpoint.hostname\"\\, \"value\"\\: $4\\}\\, \\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"evidences.dst_endpoint.hostname\"\\, \"value\"\\: $5\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"evidences.src_endpoint.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"evidences.dst_endpoint.ip\"\\, \"value\"\\: $2\\}\\, \\{\"type_id\"\\: 4\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: $3\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + }, + { + action: "removeFields", + fields: [ + "source_address", + "destination_address", + "nat_source_ip", + "nat_destination_ip", + "source_zone", + "destination_zone", + "inbound_interface", + "outbound_interface", + "source_port", + "destination_port", + "ip_protocol", + "filename", + "source_location", + "destination_location", + "file_type", + "source_vm_uuid", + "destination_vm_uuid", + "parent_session_id", + "parent_start_time", + "source_hostname", + "source_mac_address", + "destination_hostname", + "destination_mac_address" + ] + } + ] + }, + { + attributes: { + "action": "Other", + "action_id": "99", + "activity_name": "Other", + "activity_id": "99", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Detection Finding", + "class_uid": "2004", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "200499", + "type_name": "Detection Finding: Other", + "severity_id": "99" + }, + format: "$metadata.original_time$,$device.hw_info.serial_number$,$unmapped.type$,$unmapped.subtype=data_filtering_sub_type$,.*,$finding_info.created_time_dt$,$source_address$,$destination_address$,$nat_source_ip$,$nat_destination_ip$,$firewall_rule.name$,$actor.user.name$,$unmapped.dstuser$,$unmapped.app$,$unmapped.vsys$,$source_zone$,$destination_zone$,$inbound_interface$,$outbound_interface$,$unmapped.logset$,.*,$actor.session.uid$,$count$,$source_port$,$destination_port$,$unmapped.natsport$,$unmapped.natdport$,$unmapped.flags$,$ip_protocol$,$action$,$filename$,$finding_info.uid$,$unmapped.category$,$unmapped.severity$,$unmapped.direction$,$metadata.sequence$,$unmapped.actionflags$,$source_location$,$destination_location$,.*,$unmapped.contenttype$,$unmapped.pcap_id$,$unmapped.filedigest$,$unmapped.cloud$,$unmapped.url_idx$,$unmapped.user_agent$,$file_type$,$unmapped.xff$,$unmapped.referer$,$unmapped.sender$,$unmapped.subject$,$unmapped.recipient$,$unmapped.reportid$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.name$,.*,$source_vm_uuid$,$destination_vm_uuid$,$unmapped.http_method$,$unmapped.imsi$,$device.imei$,$parent_session_id$,$parent_start_time$,$unmapped.tunnel$,$unmapped.thr_category$,$unmapped.contentver$,.*,$unmapped.assoc_id$,$unmapped.ppid$,$unmapped.http_headers$,$unmapped.url_category_list$,$unmapped.rule_uuid$,$unmapped.http2_connection$,$unmapped.dynusergroup_name$,$unmapped.xff_ip$,$unmapped.src_category$,$unmapped.src_profile$,$unmapped.src_model$,$unmapped.src_vendor$,$unmapped.src_osfamily$,$unmapped.src_osversion$,$source_hostname$,$source_mac_address$,$unmapped.dst_category$,$unmapped.dst_profile$,$unmapped.dst_model$,$unmapped.dst_vendor$,$unmapped.dst_osfamily$,$unmapped.dst_osversion$,$destination_hostname$,$destination_mac_address$,$unmapped.container_id$,$unmapped.pod_namespace$,$unmapped.pod_name$,$unmapped.src_edl$,$unmapped.dst_edl$,$unmapped.hostid$,$unmapped.serialnumber$,$unmapped.domain_edl$,$unmapped.src_dag$,$unmapped.dst_dag$,$unmapped.partial_hash$,$unmapped.high_res_timestamp$,$unmapped.reason$,$unmapped.justification$,$unmapped.nssai_sst$,$unmapped.subcategory_of_app$,$unmapped.category_of_app$,$unmapped.technology_of_app$,$risk_level$,$unmapped.characteristic_of_app=app_characteristic$,$unmapped.container_of_app$,$unmapped.tunneled_app$,$unmapped.is_saas_of_app$,$unmapped.sanctioned_state_of_app$,$unmapped.cloud_reportid$", + halt: true, + rewrites: [ + { + input: "message", + output: "evidences", + match: "^(?:[^,]*,){6}([^,]*),([^,]*),([^,]*),([^,]*),(?:[^,]*,){5}([^,]*),([^,]*),([^,]*),([^,]*),(?:[^,]*,){4}([^,]*),([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){1}([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){13}([^,]*),(?:[^,]*,){1}([^,]*),(?:[^,]*,){18}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){1}([^,]*),([^,]*).*", + replace: "\\[\"src_endpoint\"\\:\\{\"ip\"\\: $1\\, \"intermediate_ips\"\\:\\[$3\\]\\, \"zone\"\\: $5\\, \"interface_name\"\\: $7\\, \"port\"\\: $9\\, \"location\"\\: \\{\"country\"\\: $13\\}\\, \"uid\"\\: $16\\, \"hostname\"\\: $20\\, \"mac\"\\: $21\\}\\, \"dst_endpoint\"\\:\\{\"ip\"\\: $2\\, \"intermediate_ips\"\\:\\[$4\\]\\, \"zone\"\\: $6\\, \"interface_name\"\\: $8\\, \"port\"\\: $10\\, \"location\"\\: \\{\"country\"\\: $14\\}\\, \"uid\"\\: $17\\, \"hostname\"\\: $22\\, \"mac\"\\: $23\\}\\, \"connection_info\"\\: \\{ \"protocol_name\"\\: $11\\}\\, \"process\"\\: \\{\"file\"\\: \\{\"name\"\\: $12\\, \"type\"\\: $15\\}\\, \"parent_process\"\\: \\{\"session\": \\{\"uid\": $18\\}\\, \"created_time\"\\: $19\\}\\} \\]" + }, + { + input: "message", + output: "observables", + match: "^(?:[^,]*,){6}([^,]*),(?:[^,]*,){0}([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){73}([^,]*),(?:[^,]*,){7}([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"evidences.src_endpoint.hostname\"\\, \"value\"\\: $4\\}\\, \\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"evidences.dst_endpoint.hostname\"\\, \"value\"\\: $5\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"evidences.src_endpoint.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"evidences.dst_endpoint.ip\"\\, \"value\"\\: $2\\}\\, \\{\"type_id\"\\: 4\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: $3\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + }, + { + action: "removeFields", + fields: [ + "source_address", + "destination_address", + "nat_source_ip", + "nat_destination_ip", + "source_zone", + "destination_zone", + "inbound_interface", + "outbound_interface", + "source_port", + "destination_port", + "ip_protocol", + "filename", + "source_location", + "destination_location", + "file_type", + "source_vm_uuid", + "destination_vm_uuid", + "parent_session_id", + "parent_start_time", + "source_hostname", + "source_mac_address", + "destination_hostname", + "destination_mac_address" + ] + } + ] + }, + { + attributes: { + "activity_name": "Other", + "activity_id": "99", + "category_name": "Identity & Access Management", + "category_uid": "3", + "class_name": "Authentication", + "class_uid": "3002", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "300299", + "type_name": "Authentication: Other", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=globalprotect_log_type$,$unmapped.subtype$,.*,$start_time_dt$,$unmapped.vsys$,$metadata.event_code$,$unmapped.stage$,$auth_protocol$,$unmapped.tunnel_type$,$actor.user.name$,$src_endpoint.location.region$,$device.name$,$device.ip$,$unmapped.public_ipv6$,$unmapped.private_ip$,$unmapped.private_ipv6$,$unmapped.hostid$,$src_endpoint.hw_info.serial_number$,$metadata.product.version$,$src_endpoint.os.name$,$src_endpoint.os.version$,$unmapped.repeatcnt$,$unmapped.reason$,$unmapped.error$,$unmapped.description$,$status$,$unmapped.location$,$unmapped.login_duration$,$unmapped.connect_method$,$unmapped.error_code$,$unmapped.portal$,$unmapped.seqno$,$unmapped.actionflags$,$unmapped.high_res_timestamp$,$unmapped.selection_type$,$unmapped.response_time$,$unmapped.priority$,$unmapped.attempted_gateways$,$unmapped.gateway$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$src_endpoint.hostname$,$unmapped.vsys_id$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){11}([^,]*)(?:,[^,]*){2},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"device.ip\"\\, \"value\"\\: $2\\}\\, \\{\"type_id\"\\: 4\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: $1\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "activity_name": "Update", + "activity_id": "3", + "category_name": "Identity & Access Management", + "category_uid": "3", + "class_name": "Entity Management", + "class_uid": "3004", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "300403", + "type_name": "Entity Management: Update", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=iptag_log_type$,$unmapped.subtype$,.*,$start_time_dt$,$unmapped.vsys$,$device.ip$,$unmapped.tag_name$,$metadata.event_code$,$unmapped.repeatcnt$,$unmapped.timeout$,$unmapped.datasource$,$unmapped.datasourcetype$,$unmapped.datasource_subtype$,$unmapped.seqno$,$unmapped.actionflags$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.name$,$unmapped.vsys_id$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){7}([^,]*)(?:,[^,]*){14},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"device.name\"\\, \"value\"\\: $2\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"device.ip\"\\, \"value\"\\: $1\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "activity_name": "Open", + "activity_id": "1", + "category_name": "Network Activity", + "category_uid": "4", + "class_name": "Network Activity", + "class_uid": "4001", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "400101", + "type_name": "Network Activity: Open", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=gtp_log_type$,$unmapped.subtype$,.*,$start_time_dt$,$src_endpoint.ip$,$dst_endpoint.ip$,.*,.*,$firewall_rule.name$,.*,.*,$unmapped.app$,$unmapped.vsys$,$src_endpoint.zone$,$dst_endpoint.zone$,$src_endpoint.interface_name$,$dst_endpoint.interface_name$,$unmapped.logset$,.*,$actor.session.uid$,.*,$src_endpoint.port$,$dst_endpoint.port$,.*,.*,.*,$connection_info.protocol_name$,$action$,$unmapped.event_type$,$unmapped.msisdn$,$unmapped.apn$,$unmapped.rat$,$unmapped.msg_type$,$device.ip$,$unmapped.teid1$,$unmapped.teid2$,$unmapped.gtp_interface$,$unmapped.cause_code$,$unmapped.severity$,$unmapped.mcc$,$unmapped.mnc$,$unmapped.area_code$,$unmapped.cell_id$,$unmapped.event_code$,.*,.*,$src_endpoint.location.country$,$dst_endpoint.location.country$,.*,.*,.*,.*,.*,.*,.*,$unmapped.imsi$,$device.imei$,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,$start_time$,$unmapped.elapsed$,$unmapped.tunnel_insp_rule$,$unmapped.tunnel_insp_rule$,$unmapped.tunnel_insp_rule$,$unmapped.rule_uuid$,$unmapped.pcap_id$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){6}([^,]*)(?:,[^,]*){0},([^,]*)(?:,[^,]*){27},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"dst_endpoint.ip\"\\, \"value\"\\: $2\\}, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"device.ip\"\\, \"value\"\\: $3\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "activity_name": "Open", + "activity_id": "1", + "category_name": "Network Activity", + "category_uid": "4", + "class_name": "Network Activity", + "class_uid": "4001", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "400101", + "type_name": "Network Activity: Open", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=tunnel_log_type$,$unmapped.subtype$,.*,$start_time_dt$,$src_endpoint.ip$,$dst_endpoint.ip$,$src_endpoint.proxy_endpoint.ip$,$dst_endpoint.proxy_endpoint.ip$,$firewall_rule.name$,$actor.user.name$,$user.name$,$unmapped.app$,$unmapped.vsys$,$src_endpoint.zone$,$dst_endpoint.zone$,$src_endpoint.interface_name$,$dst_endpoint.interface_name$,$unmapped.logset$,.*,$actor.session.uid$,$unmapped.repeatcnt$,$src_endpoint.port$,$dst_endpoint.port$,$src_endpoint.proxy_endpoint.port$,$dst_endpoint.proxy_endpoint.port$,$unmapped.flags$,$connection_info.protocol_name$,$action$,$unmapped.severity$,$unmapped.seqno$,$unmapped.actionflags$,$src_endpoint.location.country$,$dst_endpoint.location.country$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.name$,$unmapped.imsi$,$device.imei$,$session.uid$,$start_time$,$tunnel_type$,$traffic.bytes$,$traffic.bytes_out$,$traffic.bytes_in$,$traffic.packets$,$traffic.packets_out$,$traffic.packets_in$,$unmapped.max_encap$,$unmapped.unknown_proto$,$unmapped.strict_check$,$unmapped.tunnel_fragment$,$session.count$,$unmapped.sessions_closed$,$session.expiration_reason$,$unmapped.action_source$,$session.created_time$,$session.expiration_time$,$unmapped.tunnel_insp_rule$,$device.ip$,$user.uid$,$unmapped.rule_uuid$,$unmapped.pcap_id$,$unmapped.dynusergroup_name$,$unmapped.src_edl$,$unmapped.dst_edl$,$unmapped.high_res_timestamp$,$unmapped.nssai_sd$,$unmapped.nssai_sd$,$unmapped.pdu_session_id$,$unmapped.subcategory_of_app$,$unmapped.category_of_app$,$unmapped.technology_of_app$,$unmapped.risk_of_app$,$unmapped.characteristic_of_app$,$unmapped.container_of_app$,$unmapped.is_saas_of_app$,$unmapped.sanctioned_state_of_app$,$unmapped.cluster_name$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){6}([^,]*)(?:,[^,]*){0},([^,]*)(?:,[^,]*){57},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"dst_endpoint.ip\"\\, \"value\"\\: $2\\}, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"device.ip\"\\, \"value\"\\: $3\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "activity_name": "Open", + "activity_id": "1", + "category_name": "Network Activity", + "category_uid": "4", + "class_name": "Network Activity", + "class_uid": "4001", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "400101", + "type_name": "Network Activity: Open", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=sctp_log_type$,.*,.*,$start_time_dt$,$src_endpoint.ip$,$dst_endpoint.ip$,.*,.*,$firewall_rule.name$,.*,.*,.*,$unmapped.vsys$,$src_endpoint.zone$,$dst_endpoint.zone$,$src_endpoint.interface_name$,$dst_endpoint.interface_name$,$unmapped.logset$,.*,$actor.session.uid$,$unmapped.repeatcnt$,$src_endpoint.port$,$dst_endpoint.port$,.*,.*,.*,.*,$connection_info.protocol_name$,$action$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.name$,$unmapped.seqno$,.*,$unmapped.assoc_id$,$unmapped.ppid$,$unmapped.severity$,$unmappedsctp_chunk_type$,.*,$unmapped.verif_tag_1$,$unmapped.verif_tag_2$,$unmapped.sctp_cause_code$,$unmapped.diam_app_id$,$unmapped.diam_cmd_code$,$unmapped.diam_avp_code$,$unmapped.stream_id$,$unmapped.assoc_end_reason$,$unmapped.op_code$,$unmapped.sccp_calling_ssn$,$unmapped.sccp_calling_gt$,$unmapped.sctp_filter$,$unmapped.chunks$,$unmapped.chunks_sent$,$unmapped.chunks_received$,$traffic.packets$,$traffic.packets_out$,$traffic.packets_in$,$unmapped.rule_uuid$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){6}([^,]*)(?:,[^,]*){0},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"dst_endpoint.ip\"\\, \"value\"\\: $2\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "activity_name": "Create", + "activity_id": "1", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Detection Finding", + "class_uid": "2004", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "200401", + "type_name": "Detection Finding: Create", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=system_log_type$,$unmapped.subtype$,.*,$start_time_dt$,$unmapped.vsys$,$metadata.event_code$,$unmapped.object$,.*,.*,$unmapped.module$,$unmapped.severity$,$unmapped.description$,$unmapped.seqno$,$unmapped.actionflags$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.hostname$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){21}([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"device.hostname\"\\, \"value\"\\: $1\\}\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + ] +} diff --git a/parsers/pingone_mfa-latest b/parsers/pingone_mfa-latest new file mode 100644 index 0000000..87925d7 --- /dev/null +++ b/parsers/pingone_mfa-latest @@ -0,0 +1,289 @@ +{ + "attributes": { + "dataSource.vendor": "Ping Identity", + "dataSource.name": "PingOne MFA", + "dataSource.category": "security", + "metadata.product.vendor_name": "Ping Identity", + "metadata.product.name": "PingOne MFA", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.recordedAt", + "output": "recorded_at", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.user", + "output": "user.email_addr", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.source\\.ip", + "output": "src_endpoint.ip", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.action\\.type", + "output": "activity_name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.factor", + "output": "mfa_factors", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.result\\.status", + "output": "status_detail", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.description", + "output": "message", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.sessionId", + "output": "session.uid", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource", + "output": "metadata.product.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource\\.vendor", + "output": "metadata.product.vendor_name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource\\.name", + "output": "metadata.product.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource\\.category", + "output": "metadata.product.category", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "activity_name = *", + "transformations": [ + { + "constant": { + "value": 3002, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Authentication", + "field": "class_name" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "activity_name = 'MFA.AUTHENTICATE'" + } + }, + { + "constant": { + "value": "Logon", + "field": "activity_name", + "predicate": "activity_name = 'MFA.AUTHENTICATE'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + "predicate": "activity_name = 'MFA.ENROLL'" + } + }, + { + "constant": { + "value": "Other", + "field": "activity_name", + "predicate": "activity_name = 'MFA.ENROLL'" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "status_detail = 'SUCCESS'" + } + }, + { + "constant": { + "value": "Success", + "field": "status", + "predicate": "status_detail = 'SUCCESS'" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "status_detail = 'FAILURE'" + } + }, + { + "constant": { + "value": "Failure", + "field": "status", + "predicate": "status_detail = 'FAILURE'" + } + }, + { + "constant": { + "value": 1, + "field": "severity_id" + } + }, + { + "constant": { + "value": "Informational", + "field": "severity" + } + }, + { + "constant": { + "value": 300201, + "field": "type_uid" + } + }, + { + "copy": { + "from": "user.email_addr", + "to": "user.email_addr" + } + }, + { + "copy": { + "from": "user.email_addr", + "to": "user.name" + } + }, + { + "copy": { + "from": "src_endpoint.ip", + "to": "src_endpoint.ip" + } + }, + { + "copy": { + "from": "mfa_factors", + "to": "mfa_factors" + } + }, + { + "copy": { + "from": "session.uid", + "to": "session.uid" + } + }, + { + "copy": { + "from": "status_detail", + "to": "status_detail" + } + }, + { + "copy": { + "from": "recorded_at", + "to": "recorded_at" + } + }, + { + "copy": { + "from": "message", + "to": "message" + } + }, + { + "copy": { + "from": "metadata.product.name", + "to": "metadata.product.name" + } + }, + { + "copy": { + "from": "metadata.product.vendor_name", + "to": "metadata.product.vendor_name" + } + }, + { + "copy": { + "from": "metadata.product.category", + "to": "metadata.product.category" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "user.email_addr", + "type": "User" + }, + { + "name": "user.name", + "type": "User" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address" + }, + { + "name": "session.uid", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/pingprotect-latest b/parsers/pingprotect-latest new file mode 100644 index 0000000..75913c3 --- /dev/null +++ b/parsers/pingprotect-latest @@ -0,0 +1,309 @@ +{ + "attributes": { + "dataSource.vendor": "Ping Identity", + "dataSource.name": "PingProtect", + "dataSource.category": "security", + "metadata.product.vendor_name": "Ping Identity", + "metadata.product.name": "PingProtect", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.recordedAt", + "output": "recorded_at", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.actors\\.client\\.id", + "output": "actor.app.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.actors\\.user\\.id", + "output": "actor.user.uid", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.source\\.ip", + "output": "src_endpoint.ip", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.action\\.type", + "output": "activity_name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.action\\.description", + "output": "activity_desc", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.resources\\.application\\.id", + "output": "resource.uid", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.result\\.status", + "output": "status_detail", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.result\\.description", + "output": "message", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource", + "output": "metadata.product.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource\\.vendor", + "output": "metadata.product.vendor_name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource\\.name", + "output": "metadata.product.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource\\.category", + "output": "metadata.product.category", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "activity_name = *", + "transformations": [ + { + "constant": { + "value": 3001, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Account Change", + "field": "class_name" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "constant": { + "value": 5, + "field": "activity_id", + "predicate": "activity_name = 'SECRET.READ'" + } + }, + { + "constant": { + "value": "Read", + "field": "activity_name", + "predicate": "activity_name = 'SECRET.READ'" + } + }, + { + "constant": { + "value": 3, + "field": "activity_id", + "predicate": "activity_name = 'ROLE_ASSIGNMENT.DELETED'" + } + }, + { + "constant": { + "value": "Delete", + "field": "activity_name", + "predicate": "activity_name = 'ROLE_ASSIGNMENT.DELETED'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + "predicate": "activity_name = 'MFA.CHALLENGE'" + } + }, + { + "constant": { + "value": "Other", + "field": "activity_name", + "predicate": "activity_name = 'MFA.CHALLENGE'" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "status_detail = 'SUCCESS'" + } + }, + { + "constant": { + "value": "Success", + "field": "status", + "predicate": "status_detail = 'SUCCESS'" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "status_detail = 'FAILURE'" + } + }, + { + "constant": { + "value": "Failure", + "field": "status", + "predicate": "status_detail = 'FAILURE'" + } + }, + { + "constant": { + "value": 1, + "field": "severity_id" + } + }, + { + "constant": { + "value": "Informational", + "field": "severity" + } + }, + { + "constant": { + "value": 300101, + "field": "type_uid" + } + }, + { + "copy": { + "from": "actor.user.uid", + "to": "actor.user.uid" + } + }, + { + "copy": { + "from": "actor.app.name", + "to": "actor.app.name" + } + }, + { + "copy": { + "from": "src_endpoint.ip", + "to": "src_endpoint.ip" + } + }, + { + "copy": { + "from": "resource.uid", + "to": "resource.uid" + } + }, + { + "copy": { + "from": "activity_desc", + "to": "activity_desc" + } + }, + { + "copy": { + "from": "status_detail", + "to": "status_detail" + } + }, + { + "copy": { + "from": "recorded_at", + "to": "recorded_at" + } + }, + { + "copy": { + "from": "message", + "to": "message" + } + }, + { + "copy": { + "from": "metadata.product.name", + "to": "metadata.product.name" + } + }, + { + "copy": { + "from": "metadata.product.vendor_name", + "to": "metadata.product.vendor_name" + } + }, + { + "copy": { + "from": "metadata.product.category", + "to": "metadata.product.category" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "actor.user.uid", + "type": "User" + }, + { + "name": "actor.app.name", + "type": "Other" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address" + }, + { + "name": "resource.uid", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/proofpoint_proofpoint_logs-latest b/parsers/proofpoint_proofpoint_logs-latest new file mode 100644 index 0000000..614244b --- /dev/null +++ b/parsers/proofpoint_proofpoint_logs-latest @@ -0,0 +1,85 @@ +{ + attributes: { + "dataSource.vendor": "Proofpoint", + "dataSource.category": "security" + }, + formats: [ + { + id: "format1", + format: "${parse=dottedjson}$" + rewrites: [ + {input: "messageTime", output: "timestamp", match: ".*", replace: "$0"}, + {input: "clickTime", output: "unmapped.clickTime", match: ".*", replace: "$0"}, + + {input: "threatsInfoMap", output: "unmapped.threatsInfoMap", match: ".*", replace: "$0"}, + {input: "messageParts", output: "unmapped.messageParts", match: ".*", replace: "$0"}, + {input: "quarantineFolder", output: "unmapped.quarantineFolder", match: ".*", replace: "$0"}, + {input: "impostorScore", output: "unmapped.impostorScore", match: ".*", replace: "$0"}, + {input: "phishScore", output: "unmapped.phishScore", match: ".*", replace: "$0"}, + {input: "policyRoutes", output: "unmapped.policyRoutes", match: ".*", replace: "$0"}, + + {input: "threatStatus", output: "unmapped.threatStatus", match: ".*", replace: "$0"}, + {input: "threatsInfoMap[0].threatStatus", output: "unmapped.threatStatus", match: ".*", replace: "$0"}, + + {input: "classification", output: "unmapped.classification", match: ".*", replace: "$0"}, + {input: "threatsInfoMap[0].classification", output: "unmapped.classification", match: ".*", replace: "$0"}, + + {input: "sender", output: "unmapped.sender", match: ".*", replace: "$0"}, + {input: "recipient", output: "unmapped.recipient", match: ".*", replace: "$0"}, + + {input: "sender", output: "email.from", match: ".*", replace: "$0"}, + {input: "fromAddress[0]", output: "email.from", match: ".*", replace: "$0"}, + {input: "fromAddress", output: "email.from", match: ".*", replace: "$0"}, + + {input: "recipient", output: "email.to", match: ".*", replace: "$0"}, + {input: "toAddresses[0]", output: "email.to", match: ".*", replace: "$0"}, + {input: "toAddresses", output: "email.to", match: ".*", replace: "$0"}, + + {input: "recipient", output: "actor.user.name", match: ".*", replace: "$0"}, + {input: "toAddresses[0]", output: "actor.user.name", match: ".*", replace: "$0"}, + {input: "toAddresses", output: "actor.user.name", match: ".*", replace: "$0"}, + + {input: "messageSize", output: "email.size", match: ".*", replace: "$0"}, + {input: "headerFrom", output: "email.smtp_from", match: ".*", replace: "$0"}, + + {input: "oext", output: "oext", match: ".*", replace: "$0"}, + {input: "mod", output: "mod", match: ".*", replace: "$0"} + ] + } + ], + mappings: { + version: 1, + mappings: [ + { + predicate: "clickTime = * OR clickIP = * OR threatURL = *", + transformations: [ + { constant: { field: "dataSource.name", value: "Proofpoint" } }, + { constant: { field: "event.type", value: "Click" } }, + { copy: { from: "fromAddress[0]", to: "email.from" } }, + { copy: { from: "toAddresses[0]", to: "email.to" } }, + { copy: { from: "toAddresses[0]", to: "actor.user.name" } }, + { copy: { from: "recipient", to: "actor.user.name" } } + ] + }, + { + predicate: "messageTime = * OR messageParts = * OR threatsInfoMap = *", + transformations: [ + { constant: { field: "dataSource.name", value: "Proofpoint" } }, + { constant: { field: "event.type", value: "Email" } }, + { copy: { from: "fromAddress[0]", to: "email.from" } }, + { copy: { from: "toAddresses[0]", to: "email.to" } }, + { copy: { from: "toAddresses[0]", to: "actor.user.name" } }, + { copy: { from: "recipient", to: "actor.user.name" } } + ] + }, + { + predicate: "true", + transformations: [ + { constant: { field: "dataSource.name", value: "Proofpoint" } }, + { constant: { field: "event.type", value: "Other" } }, + + ] + } + ] + } +} \ No newline at end of file diff --git a/parsers/sdl_skill_smoke_1776702106 b/parsers/sdl_skill_smoke_1776702106 new file mode 100644 index 0000000..a86e696 --- /dev/null +++ b/parsers/sdl_skill_smoke_1776702106 @@ -0,0 +1 @@ +{"keys": {"a": "1"}} \ No newline at end of file diff --git a/parsers/searches b/parsers/searches new file mode 100644 index 0000000..9195f4f --- /dev/null +++ b/parsers/searches @@ -0,0 +1,12 @@ +{ + searches: [ + { + title: "marc - Impossible traveller 2", + url: "/events/pq?_scopeId=2387775029058663326&_scopeLevel=site&_categoryId=eventSearch&startTime=4+hours&endTime=NOW&filter=%7C+sql+join+baseline+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%7C+columns+actor.user.email_addr%2C+device.ip%2C+geo_ip_state%28device.ip%29%0A%7C+group+login_freq_by_state%3Dcount%28%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2Cstate%3Dgeo_ip_state%28device.ip%29%0A%7C+columns+email_addr%2Cstate%2Clogin_freq_by_state%0A%2F%2Fthe+sort+below+is+necessary+because+it+ensure+that+the+order+of+rows+is+preserved+when+using+array_ag++%0A%7C+sort+%2Bemail_addr%2C-login_freq_by_state%0A%7C+group+baseline_login_freq_by_state%3Dmax%28login_freq_by_state%29%2C+states%3Darray_agg%28state%29+by+email_addr%0A%7C+columns+email_addr%2Cstate%3Darray_get%28states%2C0%29%2Cbaseline_login_freq_by_state%0A%29%2C%0Alogons+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%2F%2F%7C+columns+actor.user.email_addr%2C+unmapped.UserId%2C+event.type%2C+device.ip%2C+geo_ip_state%28device.ip%29%0A%7C+group+deviation_login_count%3Dcount%28event.type%29%2Cdeviation_ip_addresses%3Darray_agg_distinct%28device.ip%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2C+deviation_country%3Dgeo_ip_country%28device.ip%29%2C+state%3Dgeo_ip_state%28device.ip%29%0A%29+on+baseline.email_addr%3D%3Dlogons.email_addr%0A%7Cfilter+baseline.state%21%3Dlogons.state%0A%7C+columns+email_addr%2Cbaseline.state%2C+baseline_login_freq_by_state%2Cdeviation_login_source%3Dformat%28%22%25s+%28%25s%29%22%2Clogons.state%2Cdeviation_country%29%2Cdeviation_login_count%2C+deviation_ip_addresses" + }, + { + title: "marc - Impossible traveller IP tets", + url: "/events/pq?_scopeId=2387775029058663326&_scopeLevel=site&_categoryId=eventSearch&startTime=72+hours&endTime=NOW&filter=%7C+sql+join+baseline+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%7C+columns+actor.user.email_addr%2C+device.ip%0A%7C+group+login_freq_by_ip%3Dcount%28%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2Cdevice.ip%0A%7C+columns+email_addr%2Cdevice.ip%2Clogin_freq_by_ip%0A%2F%2Fthe+sort+below+is+necessary+because+it+ensure+that+the+order+of+rows+is+preserved+when+using+array_ag++%0A%7C+sort+%2Bemail_addr%2C-login_freq_by_ip%0A%7C+group+baseline_login_freq_by_ip%3Dmax%28login_freq_by_ip%29%2C+ips%3Darray_agg%28device.ip%29+by+email_addr%0A%7C+columns+email_addr%2Cip%3Darray_get%28ips%2C0%29%2Cbaseline_login_freq_by_ip%0A%29%2C%0Alogons+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%2F%2F%7C+columns+actor.user.email_addr%2C+unmapped.UserId%2C+event.type%2C+device.ip%0A%7C+group+deviation_login_count%3Dcount%28event.type%29%2Cdeviation_ip_addresses%3Darray_agg_distinct%28device.ip%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2C+deviation_ip%3Ddevice.ip%29+on+baseline.email_addr%3D%3Dlogons.email_addr%0A" + } + ] +} \ No newline at end of file diff --git a/parsers/sentinelone_endpoint-latest b/parsers/sentinelone_endpoint-latest new file mode 100644 index 0000000..3a7cd18 --- /dev/null +++ b/parsers/sentinelone_endpoint-latest @@ -0,0 +1,466 @@ +{ + "attributes": { + "dataSource.vendor": "SentinelOne", + "dataSource.name": "SentinelOne", + "dataSource.category": "security", + "metadata.product.vendor_name": "SentinelOne", + "metadata.product.name": "EDR", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.event\\.time", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "constant": { + "value": 1001, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Process Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": 1, + "field": "category_uid" + } + }, + { + "constant": { + "value": "System Activity", + "field": "category_name" + } + }, + { + "copy": { + "from": "unmapped.event\\.time", + "to": "time" + } + }, + { + "replace": { + "field": "time", + "regexp": "(\\d+)\\d{3}", + "replacement": "$1" + } + }, + { + "copy": { + "from": "unmapped.event\\.id", + "to": "metadata.uid" + } + }, + { + "copy": { + "from": "unmapped.event\\.type", + "to": "message" + } + }, + { + "copy": { + "from": "unmapped.event\\.category", + "to": "category_name" + } + }, + { + "copy": { + "from": "unmapped.meta\\.event\\.name", + "to": "activity_name" + } + }, + { + "copy": { + "from": "unmapped.endpoint\\.name", + "to": "device.hostname" + } + }, + { + "copy": { + "from": "unmapped.endpoint\\.os", + "to": "device.os.name" + } + }, + { + "copy": { + "from": "unmapped.endpoint\\.type", + "to": "device.type" + } + }, + { + "copy": { + "from": "unmapped.agent\\.uuid", + "to": "device.uid" + } + }, + { + "copy": { + "from": "unmapped.agent\\.version", + "to": "device.agent_list[0].version" + } + }, + { + "copy": { + "from": "unmapped.site\\.id", + "to": "device.location.uid" + } + }, + { + "copy": { + "from": "unmapped.site\\.name", + "to": "device.location.desc" + } + }, + { + "copy": { + "from": "unmapped.account\\.id", + "to": "device.org.uid" + } + }, + { + "copy": { + "from": "unmapped.account\\.name", + "to": "device.org.name" + } + }, + { + "copy": { + "from": "unmapped.os\\.name", + "to": "device.os.name" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.name", + "to": "process.name" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.pid", + "to": "process.pid" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.uid", + "to": "process.uid" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.user", + "to": "process.user.name" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.cmdline", + "to": "process.cmd_line" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.displayName", + "to": "process.name" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.image\\.path", + "to": "process.file.path" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.image\\.sha1", + "to": "process.file.hashes[0].value" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.image\\.sha256", + "to": "process.file.hashes[1].value" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.image\\.size", + "to": "process.file.size" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.parent\\.name", + "to": "process.parent_process.name" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.parent\\.pid", + "to": "process.parent_process.pid" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.parent\\.uid", + "to": "process.parent_process.uid" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.parent\\.cmdline", + "to": "process.parent_process.cmd_line" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.parent\\.image\\.path", + "to": "process.parent_process.file.path" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.parent\\.image\\.sha1", + "to": "process.parent_process.file.hashes[0].value" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.parent\\.image\\.sha256", + "to": "process.parent_process.file.hashes[1].value" + } + }, + { + "copy": { + "from": "unmapped.tgt\\.process\\.uid", + "to": "actor.process.uid" + } + }, + { + "copy": { + "from": "unmapped.tgt\\.process\\.cmdline", + "to": "actor.process.cmd_line" + } + }, + { + "copy": { + "from": "unmapped.tgt\\.process\\.user", + "to": "actor.user.name" + } + }, + { + "copy": { + "from": "unmapped.tgt\\.file\\.path", + "to": "file.path" + } + }, + { + "copy": { + "from": "unmapped.tgt\\.file\\.size", + "to": "file.size" + } + }, + { + "copy": { + "from": "unmapped.src\\.ip\\.address", + "to": "src_endpoint.ip" + } + }, + { + "copy": { + "from": "unmapped.src\\.port\\.number", + "to": "src_endpoint.port" + } + }, + { + "copy": { + "from": "unmapped.dst\\.ip\\.address", + "to": "dst_endpoint.ip" + } + }, + { + "copy": { + "from": "unmapped.dst\\.port\\.number", + "to": "dst_endpoint.port" + } + }, + { + "copy": { + "from": "unmapped.event\\.network\\.direction", + "to": "connection_info.direction" + } + }, + { + "copy": { + "from": "unmapped.event\\.network\\.connectionStatus", + "to": "connection_info.status" + } + }, + { + "copy": { + "from": "unmapped.event\\.network\\.protocolName", + "to": "connection_info.protocol_name" + } + }, + { + "copy": { + "from": "unmapped.indicator\\.category", + "to": "finding.title" + } + }, + { + "copy": { + "from": "unmapped.indicator\\.name", + "to": "finding.desc" + } + }, + { + "copy": { + "from": "unmapped.indicator\\.description", + "to": "finding.message" + } + }, + { + "copy": { + "from": "unmapped.registry\\.keyPath", + "to": "registry.key" + } + }, + { + "copy": { + "from": "unmapped.registry\\.value", + "to": "registry.value" + } + }, + { + "copy": { + "from": "unmapped.cmdScript\\.content", + "to": "process.cmd_line" + } + }, + { + "copy": { + "from": "unmapped.threadId", + "to": "process.tid" + } + }, + { + "copy": { + "from": "unmapped.session", + "to": "process.session.uid" + } + }, + { + "constant": { + "value": "SHA1", + "field": "process.file.hashes[0].type_id", + "predicate": "unmapped.src\\.process\\.image\\.sha1 != \"\"" + } + }, + { + "constant": { + "value": "SHA256", + "field": "process.file.hashes[1].type_id", + "predicate": "unmapped.src\\.process\\.image\\.sha256 != \"\"" + } + }, + { + "constant": { + "value": "SHA1", + "field": "process.parent_process.file.hashes[0].type_id", + "predicate": "unmapped.src\\.process\\.parent\\.image\\.sha1 != \"\"" + } + }, + { + "constant": { + "value": "SHA256", + "field": "process.parent_process.file.hashes[1].type_id", + "predicate": "unmapped.src\\.process\\.parent\\.image\\.sha256 != \"\"" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id" + } + }, + { + "constant": { + "value": 1, + "field": "severity_id" + } + }, + { + "constant": { + "value": 1, + "field": "status_id" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "device.hostname", + "type": "Hostname" + }, + { + "name": "process.name", + "type": "Process Name" + }, + { + "name": "process.user.name", + "type": "User" + }, + { + "name": "process.file.path", + "type": "File Name" + }, + { + "name": "process.file.hashes[0].value", + "type": "File Hash" + }, + { + "name": "process.file.hashes[1].value", + "type": "File Hash" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address" + }, + { + "name": "dst_endpoint.ip", + "type": "IP Address" + }, + { + "name": "file.path", + "type": "File Name" + }, + { + "name": "registry.key", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/sophos b/parsers/sophos new file mode 100644 index 0000000..1763eee --- /dev/null +++ b/parsers/sophos @@ -0,0 +1,447 @@ +{ + attributes: { + "metadata.version": "2.0.0", + "dataSource.vendor": "Sophos", + "dataSource.name": "Sophos Firewall", + "dataSource.category": "security", + "metadata.product.vendor_name": "Sophos", + "metadata.product.name": "Sophos Firewall", + "metadata.log_provider": "syslog", + "severity_id": 1, + "severity": "Informational" + }, + + patterns: { + tsval: "[^\"]+", + qval: "[^\"]+", + nqval: "[^ ]+", + ip: "\\d+\\.\\d+\\.\\d+\\.\\d+", + mac: "[0-9A-Fa-f:]+", + num: "\\d+", + rest: ".*" + }, + + formats: [ + // FIREWALL ALLOWED - match log_type="Firewall" and log_subtype="Allowed" + { + id: "fw_allow", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106, + disposition_id: 1, disposition: "Allowed" + }, + format: ".*log_type=\"Firewall\".*log_subtype=\"Allowed\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*protocol=\"$protocol=qval$\".*", + rewrites: [ + { input: "message", output: "src_port", match: ".*src_port=$v=num$.*" }, + { input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" }, + { input: "message", output: "fw_rule", match: ".*fw_rule_name=\"$v=qval$\".*" }, + { input: "message", output: "src_zone", match: ".*src_zone=\"$v=qval$\".*" }, + { input: "message", output: "dst_zone", match: ".*dst_zone=\"$v=qval$\".*" }, + { input: "message", output: "src_mac", match: ".*src_mac=\"$v=mac$\".*" }, + { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" } + ], + halt: true + }, + + // FIREWALL DENIED + { + id: "fw_deny", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106, + disposition_id: 2, disposition: "Blocked", + severity_id: 3, severity: "Medium" + }, + format: ".*log_type=\"Firewall\".*log_subtype=\"Denied\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*protocol=\"$protocol=qval$\".*", + rewrites: [ + { input: "message", output: "src_port", match: ".*src_port=$v=num$.*" }, + { input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" }, + { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" } + ], + halt: true + }, + + // IPS DETECT + { + id: "ips_detect", + attributes: { + class_uid: 4002, class_name: "Detection Finding", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Create", + type_uid: 400201, + severity_id: 3, severity: "Medium" + }, + format: ".*log_type=\"IDP\".*log_subtype=\"Detect\".*", + rewrites: [ + { input: "message", output: "sig_id", match: ".*signature_id=$v=num$.*" }, + { input: "message", output: "sig_msg", match: ".*signature_msg=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=$v=ip$.*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=$v=ip$.*" }, + { input: "message", output: "src_port", match: ".*src_port=$v=num$.*" }, + { input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" }, + { input: "message", output: "protocol", match: ".*protocol=\"$v=qval$\".*" }, + { input: "message", output: "classification", match: ".*classification=\"$v=qval$\".*" }, + { input: "message", output: "category", match: ".*category=\"$v=qval$\".*" }, + { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" } + ], + halt: true + }, + + // IPS DROP + { + id: "ips_drop", + attributes: { + class_uid: 4002, class_name: "Detection Finding", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Create", + type_uid: 400201, + disposition_id: 2, disposition: "Blocked", + severity_id: 4, severity: "High" + }, + format: ".*log_type=\"IDP\".*log_subtype=\"Drop\".*", + rewrites: [ + { input: "message", output: "sig_id", match: ".*signature_id=$v=num$.*" }, + { input: "message", output: "sig_msg", match: ".*signature_msg=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=$v=ip$.*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=$v=ip$.*" }, + { input: "message", output: "src_port", match: ".*src_port=$v=num$.*" }, + { input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" }, + { input: "message", output: "protocol", match: ".*protocol=\"$v=qval$\".*" }, + { input: "message", output: "classification", match: ".*classification=\"$v=qval$\".*" }, + { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" } + ], + halt: true + }, + + // ATP THREAT + { + id: "atp", + attributes: { + class_uid: 4002, class_name: "Detection Finding", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Create", + type_uid: 400201, + severity_id: 4, severity: "High" + }, + format: ".*log_type=\"ATP\".*", + rewrites: [ + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" }, + { input: "message", output: "malware", match: ".*malware=\"$v=qval$\".*" }, + { input: "message", output: "threatfeed", match: ".*threatfeed=\"$v=qval$\".*" }, + { input: "message", output: "protocol", match: ".*protocol=\"$v=qval$\".*" }, + { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" } + ], + halt: true + }, + + // AUTH SUCCESS + { + id: "auth_ok", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon", + type_uid: 300201, + status_id: 1, status: "Success" + }, + format: ".*log_subtype=\"Authentication\".*status=\"Successful\".*", + rewrites: [ + { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "auth_comp", match: ".*log_component=\"$v=qval$\".*" }, + { input: "message", output: "user_grp", match: ".*user_group=\"$v=qval$\".*" }, + { input: "message", output: "auth_mech", match: ".*auth_mechanism=\"$v=qval$\".*" }, + { input: "message", output: "client", match: ".*client_used=\"$v=qval$\".*" } + ], + halt: true + }, + + // AUTH FAILURE + { + id: "auth_fail", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon", + type_uid: 300201, + status_id: 2, status: "Failure", + severity_id: 3, severity: "Medium" + }, + format: ".*log_subtype=\"Authentication\".*status=\"Failed\".*", + rewrites: [ + { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "auth_comp", match: ".*log_component=\"$v=qval$\".*" }, + { input: "message", output: "reason", match: ".*reason=\"$v=qval$\".*" }, + { input: "message", output: "auth_mech", match: ".*auth_mechanism=\"$v=qval$\".*" } + ], + halt: true + }, + + // IPSEC ESTABLISHED + { + id: "ipsec_up", + attributes: { + class_uid: 4014, class_name: "Tunnel Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Open", + type_uid: 401401, + status_id: 1, status: "Success" + }, + format: ".*log_component=\"IPSec\".*status=\"Established\".*", + rewrites: [ + { input: "message", output: "con_name", match: ".*con_name=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" }, + { input: "message", output: "local_net", match: ".*local_network=\"$v=qval$\".*" }, + { input: "message", output: "remote_net", match: ".*remote_network=\"$v=qval$\".*" } + ], + halt: true + }, + + // IPSEC TERMINATED + { + id: "ipsec_down", + attributes: { + class_uid: 4014, class_name: "Tunnel Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 2, activity_name: "Close", + type_uid: 401402 + }, + format: ".*log_component=\"IPSec\".*status=\"Terminated\".*", + rewrites: [ + { input: "message", output: "con_name", match: ".*con_name=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" }, + { input: "message", output: "local_net", match: ".*local_network=\"$v=qval$\".*" }, + { input: "message", output: "remote_net", match: ".*remote_network=\"$v=qval$\".*" } + ], + halt: true + }, + + // DHCP + { + id: "dhcp", + attributes: { + class_uid: 4004, class_name: "DHCP Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Lease", + type_uid: 400401 + }, + format: ".*log_component=\"DHCP Server\".*", + rewrites: [ + { input: "message", output: "client_ip", match: ".*reported_ip=\"$v=ip$\".*" }, + { input: "message", output: "client_mac", match: ".*src_mac=\"$v=mac$\".*" }, + { input: "message", output: "hostname", match: ".*reported_host=\"$v=qval$\".*" }, + { input: "message", output: "lease_time", match: ".*lease_time=$v=num$.*" }, + { input: "message", output: "dhcp_status", match: ".*status=\"$v=qval$\".*" } + ], + halt: true + }, + + // ANTIVIRUS - full format with all fields + { + id: "av_full", + attributes: { + class_uid: 4002, class_name: "Detection Finding", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Create", + type_uid: 400201, + severity_id: 4, severity: "High" + }, + format: ".*log_type=\"Anti-Virus\".*virus=\"$malware=qval$\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*filename=\"$filename=qval$\".*url=\"$url=qval$\".*user=\"$user=qval$\".*", + halt: true + }, + // ANTIVIRUS - minimal (virus, src, dst only) + { + id: "av_min", + attributes: { + class_uid: 4002, class_name: "Detection Finding", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Create", + type_uid: 400201, + severity_id: 4, severity: "High" + }, + format: ".*log_type=\"Anti-Virus\".*virus=\"$malware=qval$\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*", + halt: true + }, + + // WEB FILTER ALLOWED + { + id: "web_allow", + attributes: { + class_uid: 4007, class_name: "Web Resources Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Access", + type_uid: 400701, + disposition_id: 1, disposition: "Allowed" + }, + format: ".*log_type=\"Content Filtering\".*log_subtype=\"Allowed\".*", + rewrites: [ + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" }, + { input: "message", output: "url", match: ".*url=\"$v=qval$\".*" }, + { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" }, + { input: "message", output: "category", match: ".*category=\"$v=qval$\".*" } + ], + halt: true + }, + + // WEB FILTER DENIED + { + id: "web_deny", + attributes: { + class_uid: 4007, class_name: "Web Resources Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Access", + type_uid: 400701, + disposition_id: 2, disposition: "Blocked", + severity_id: 2, severity: "Low" + }, + format: ".*log_type=\"Content Filtering\".*log_subtype=\"Denied\".*", + rewrites: [ + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" }, + { input: "message", output: "url", match: ".*url=\"$v=qval$\".*" }, + { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" }, + { input: "message", output: "category", match: ".*category=\"$v=qval$\".*" }, + { input: "message", output: "reason", match: ".*reason=\"$v=qval$\".*" } + ], + halt: true + }, + + // SSL VPN CONNECT + { + id: "sslvpn_up", + attributes: { + class_uid: 4014, class_name: "Tunnel Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Open", + type_uid: 401401 + }, + format: ".*log_component=\"SSL VPN\".*status=\"Connected\".*", + rewrites: [ + { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "tunnel_ip", match: ".*tunnel_ip=\"$v=ip$\".*" } + ], + halt: true + }, + + // SSL VPN DISCONNECT + { + id: "sslvpn_down", + attributes: { + class_uid: 4014, class_name: "Tunnel Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 2, activity_name: "Close", + type_uid: 401402 + }, + format: ".*log_component=\"SSL VPN\".*status=\"Disconnected\".*", + rewrites: [ + { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "bytes_sent", match: ".*bytes_sent=$v=num$.*" }, + { input: "message", output: "bytes_recv", match: ".*bytes_received=$v=num$.*" } + ], + halt: true + }, + + // WAF + { + id: "waf", + attributes: { + class_uid: 4007, class_name: "Web Resources Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Access", + type_uid: 400701, + severity_id: 3, severity: "Medium" + }, + format: ".*log_type=\"WAF\".*", + rewrites: [ + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" }, + { input: "message", output: "url", match: ".*url=\"$v=qval$\".*" }, + { input: "message", output: "reason", match: ".*reason=\"$v=qval$\".*" } + ], + halt: true + }, + + // FALLBACK - extract common fields from any Sophos log + { + id: "fallback", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 0, activity_name: "Unknown", + type_uid: 400100 + }, + format: "$body=rest$", + rewrites: [ + { input: "message", output: "log_type", match: ".*log_type=\"$v=qval$\".*" }, + { input: "message", output: "log_comp", match: ".*log_component=\"$v=qval$\".*" }, + { input: "message", output: "subtype", match: ".*log_subtype=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" }, + { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" }, + { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" } + ] + } + ], + + mappings: { + version: 1, + mappings: [ + { + transformations: [ + { rename: { from: "src_ip", to: "src_endpoint.ip" } }, + { rename: { from: "dst_ip", to: "dst_endpoint.ip" } }, + { rename: { from: "src_port", to: "src_endpoint.port" } }, + { rename: { from: "dst_port", to: "dst_endpoint.port" } }, + { rename: { from: "src_mac", to: "src_endpoint.mac" } }, + { rename: { from: "protocol", to: "connection_info.protocol_name" } }, + { rename: { from: "bytes_sent", to: "traffic.bytes_out" } }, + { rename: { from: "bytes_recv", to: "traffic.bytes_in" } }, + { rename: { from: "user", to: "actor.user.name" } }, + { rename: { from: "user_grp", to: "actor.user.groups" } }, + { rename: { from: "auth_mech", to: "auth_protocol" } }, + { rename: { from: "fw_rule", to: "unmapped.fw_rule_name" } }, + { rename: { from: "src_zone", to: "src_endpoint.zone" } }, + { rename: { from: "dst_zone", to: "dst_endpoint.zone" } }, + { rename: { from: "in_iface", to: "src_endpoint.interface_name" } }, + { rename: { from: "out_iface", to: "dst_endpoint.interface_name" } }, + { rename: { from: "sig_id", to: "finding_info.uid" } }, + { rename: { from: "sig_msg", to: "finding_info.title" } }, + { rename: { from: "classification", to: "finding_info.types" } }, + { rename: { from: "category", to: "unmapped.category" } }, + { rename: { from: "malware", to: "malware.name" } }, + { rename: { from: "threatfeed", to: "unmapped.threatfeed" } }, + { rename: { from: "url", to: "http_request.url.original" } }, + { rename: { from: "filename", to: "file.name" } }, + { rename: { from: "con_name", to: "unmapped.connection_name" } }, + { rename: { from: "local_net", to: "unmapped.local_network" } }, + { rename: { from: "remote_net", to: "unmapped.remote_network" } }, + { rename: { from: "client_ip", to: "dst_endpoint.ip" } }, + { rename: { from: "client_mac", to: "dst_endpoint.mac" } }, + { rename: { from: "hostname", to: "dst_endpoint.hostname" } }, + { rename: { from: "tunnel_ip", to: "unmapped.tunnel_ip" } }, + { rename: { from: "auth_comp", to: "unmapped.auth_component" } }, + { rename: { from: "log_type", to: "unmapped.log_type" } }, + { rename: { from: "log_comp", to: "unmapped.log_component" } }, + { rename: { from: "subtype", to: "unmapped.log_subtype" } }, + { rename: { from: "reason", to: "unmapped.reason" } }, + { rename: { from: "client", to: "unmapped.client_used" } }, + { rename: { from: "dhcp_status", to: "unmapped.dhcp_status" } }, + { rename: { from: "lease_time", to: "unmapped.lease_time" } }, + { rename: { from: "dev", to: "device.name" } }, + { rename: { from: "body", to: "unmapped.raw_body" } } + ] + } + ] + } +} diff --git a/parsers/sophos-edr b/parsers/sophos-edr new file mode 100644 index 0000000..4c7f45a --- /dev/null +++ b/parsers/sophos-edr @@ -0,0 +1,33 @@ +{ + attributes: { + "metadata.version": "1.0.0", + "dataSource.vendor": "Sophos", + "dataSource.name": "Sophos EDR", + "dataSource.category": "security", + "Category": "security", + "metadata.product.vendor_name": "Sophos", + "metadata.product.name": "Endpoint Detection and Response", + "metadata.log_provider": "api", + "class_uid": 2001, + "class_name": "Security Finding", + "severity_id": 2, + "severity": "Low" + }, + + formats: [ + { + format: ".*\\{.*\\}.*", + rewrites: [ + { input: "message", output: "sophos.name", match: ".*\"name\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "sophos.type", match: ".*\"type\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "sophos.severity", match: ".*\"severity\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "sophos.group", match: ".*\"group\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "sophos.dhost", match: ".*\"dhost\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "sophos.suser", match: ".*\"suser\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "sophos.endpoint_id", match: ".*\"endpoint_id\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "sophos.customer_id", match: ".*\"customer_id\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "src_endpoint.ip", match: ".*\"ip\":\\s*\"([^\"]+)\".*", replace: "$1" } + ] + } + ] +} diff --git a/parsers/stormshield b/parsers/stormshield new file mode 100644 index 0000000..fbb2fdb --- /dev/null +++ b/parsers/stormshield @@ -0,0 +1,58 @@ +{ + // specify a time zone if the timestamps in your log are not in GMT + timezone: "Europe/Paris", + attributes: { + "dataSource.category": "security", + "dataSource.name": "Stormshield", + "dataSource.vendor": "Stormshield", + "class_name": "Network Activity", + "class_id": 4001 + }, + patterns: { + tsPattern: "\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}" + }, + formats: [ + { + format: ".*time=\"$timestamp=tsPattern$\"" + }, + { + format: ".*$_$=$unmapped._$ ", + repeat: true + }, + { + format: "^.*", + rewrites: [ + { + "input": "unmapped.src", + "output": "src_endpoint.ip", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.srcport", + "output": "src_endpoint.port", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dst", + "output": "dst_endpoint.ip", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dstport", + "output": "dst_endpoint.port", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.user", + "output": "actor.user.name", + "match": ".*", + "replace": "$0" + }, + ] + } + ] +} \ No newline at end of file diff --git a/parsers/ueba-healthcare b/parsers/ueba-healthcare new file mode 100644 index 0000000..8a92116 --- /dev/null +++ b/parsers/ueba-healthcare @@ -0,0 +1,204 @@ +{ + "duration": "24h", + "description": "Healthcare UEBA \u2014 auth, TI/Konnektor, data-transfer, SMC-B/HBA card ops. Powered by ueba/01..12 feature extractors.", + "graphs": [ + { + "title": "Auth events (24h)", + "graphStyle": "number", + "query": "| filter( class_uid == 3002 )\n| group n = count()", + "layout": { + "w": 15, + "h": 6, + "x": 0, + "y": 0 + } + }, + { + "title": "Auth failures (24h)", + "graphStyle": "number", + "query": "| filter( class_uid == 3002 )\n| parse '\"outcome\": \"$outcome{regex=[^\"]+}$\"' from message\n| group n = count( outcome == \"failure\" )", + "layout": { + "w": 15, + "h": 6, + "x": 15, + "y": 0 + } + }, + { + "title": "Konnektor disconnects (24h)", + "graphStyle": "number", + "query": "| filter( class_uid == 4001 )\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group n = count( event_type == \"KONNEKTOR_DISCONNECTED\" )", + "layout": { + "w": 15, + "h": 6, + "x": 30, + "y": 0 + } + }, + { + "title": "Certs expired/expiring (24h)", + "graphStyle": "number", + "query": "| filter( class_uid == 4001 )\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group n = count( event_type == \"CERTIFICATE_EXPIRED\" or event_type == \"CERTIFICATE_EXPIRING\" )", + "layout": { + "w": 15, + "h": 6, + "x": 45, + "y": 0 + } + }, + { + "title": "Auth success vs failure (hourly)", + "graphStyle": "line", + "query": "| filter( class_uid == 3002 )\n| parse '\"outcome\": \"$outcome{regex=[^\"]+}$\"' from message\n| group\n success = count( outcome == \"success\" ),\n failure = count( outcome == \"failure\" )\n by hour = timebucket('1 hour')\n| sort hour", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 6 + } + }, + { + "title": "Konnektor health (hourly)", + "graphStyle": "line", + "query": "| filter( class_uid == 4001 )\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n connected = count( event_type == \"KONNEKTOR_CONNECTED\" ),\n disconnected = count( event_type == \"KONNEKTOR_DISCONNECTED\" ),\n vpn_failed = count( event_type == \"VPN_TUNNEL_FAILED\" )\n by hour = timebucket('1 hour')\n| sort hour", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 6 + } + }, + { + "title": "Top users by auth failures", + "graphStyle": "table", + "query": "| filter( class_uid == 3002 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"outcome\": \"$outcome{regex=[^\"]+}$\"' from message\n| group fails = count( outcome == \"failure\" ) by user\n| filter user = *\n| sort - fails\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 20 + } + }, + { + "title": "Top users by password reset / lockout", + "graphStyle": "table", + "query": "| filter( class_uid == 3002 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n pwd_reset = count( event_type == \"PASSWORD_RESET_REQUEST\" ),\n locked = count( event_type == \"ACCOUNT_LOCKED\" )\n by user\n| filter user = *\n| sort - locked\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 20 + } + }, + { + "title": "Top Konnektor hosts by VPN failures", + "graphStyle": "table", + "query": "| filter( class_uid == 4001 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group vpn_failed = count( event_type == \"VPN_TUNNEL_FAILED\" ) by host\n| filter host = *\n| sort - vpn_failed\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 34 + } + }, + { + "title": "Cert lifecycle by host", + "graphStyle": "table", + "query": "| filter( class_uid == 4001 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n expired = count( event_type == \"CERTIFICATE_EXPIRED\" ),\n expiring = count( event_type == \"CERTIFICATE_EXPIRING\" ),\n valid = count( event_type == \"CERTIFICATE_VALID\" )\n by host\n| filter host = *\n| sort - expired, - expiring\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 34 + } + }, + { + "title": "HL7 / FHIR / Exports by user", + "graphStyle": "table", + "query": "| filter( class_uid == 4001 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n hl7_recv = count( event_type == \"HL7_MESSAGE_RECEIVED\" ),\n hl7_sent = count( event_type == \"HL7_MESSAGE_SENT\" ),\n fhir = count( event_type == \"FHIR_API_REQUEST\" ),\n exports = count( event_type == \"DATA_EXPORT_COMPLETED\" )\n by user\n| filter user = *\n| sort - exports, - hl7_recv\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 48 + } + }, + { + "title": "Total records exported by user (24h)", + "graphStyle": "table", + "query": "| filter( class_uid == 4001 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"record_count\": $record_count{regex=[0-9]+}$' from message\n| group total_records = sum( record_count ) by user\n| filter user = *\n| sort - total_records\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 48 + } + }, + { + "title": "External destinations by user", + "graphStyle": "table", + "query": "| filter( class_uid == 4001 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"destination\": \"$dest{regex=[^\"]+}$\"' from message\n| group external = count( dest == \"External Specialist\" ) by user, dest\n| filter user = *\n| filter dest = *\n| sort - external\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 62 + } + }, + { + "title": "Auth failures by role (24h)", + "graphStyle": "table", + "query": "| filter( class_uid == 3002 )\n| parse '\"role\": \"$role{regex=[^\"]+}$\"' from message\n| parse '\"outcome\": \"$outcome{regex=[^\"]+}$\"' from message\n| group fails = count( outcome == \"failure\" ) by role\n| filter role = *\n| sort - fails", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 62 + } + }, + { + "title": "SMC-B PIN events per Konnektor host", + "graphStyle": "table", + "query": "| filter( class_uid == 3002 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n pin_verified = count( event_type == \"CARD_PIN_VERIFIED\" ),\n pin_failed = count( event_type == \"CARD_PIN_FAILED\" ),\n pin_blocked = count( event_type == \"CARD_PIN_BLOCKED\" )\n by host\n| filter host = *\n| sort - pin_failed, - pin_blocked\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 76 + } + }, + { + "title": "QES signatures + decryptions per host", + "graphStyle": "table", + "query": "| filter( class_uid == 3002 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n signatures = count( event_type == \"CARD_SIGNATURE_CREATED\" ),\n decryptions = count( event_type == \"CARD_DECRYPTION_SUCCESS\" ),\n auth_success = count( event_type == \"CARD_AUTHENTICATION_SUCCESS\" ),\n auth_failed = count( event_type == \"CARD_AUTHENTICATION_FAILED\" )\n by host\n| filter host = *\n| sort - signatures\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 76 + } + }, + { + "title": "Account lockouts by hospital", + "graphStyle": "table", + "query": "| filter( class_uid == 3002 )\n| parse '\"hospital_id\": \"$hospital{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n locked = count( event_type == \"ACCOUNT_LOCKED\" ),\n unlocked = count( event_type == \"ACCOUNT_UNLOCKED\" ),\n pwd_reset = count( event_type == \"PASSWORD_RESET_REQUEST\" )\n by hospital\n| filter hospital = *\n| sort - locked", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 90 + } + }, + { + "title": "High/Critical severity events per host", + "graphStyle": "table", + "query": "| filter( class_uid == 3002 or class_uid == 4001 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"severity\": \"$severity{regex=[^\"]+}$\"' from message\n| group high_sev = count( severity == \"HIGH\" or severity == \"CRITICAL\" ) by host\n| filter host = *\n| sort - high_sev\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 90 + } + } + ] +} \ No newline at end of file diff --git a/parsers/ueba_alerts b/parsers/ueba_alerts new file mode 100644 index 0000000..1bb33fb --- /dev/null +++ b/parsers/ueba_alerts @@ -0,0 +1 @@ +{"columnNames": ["alert_id", "created_at", "entity_type", "entity_id", "family", "severity", "score", "explanation", "status"], "rows": [["risk-1778716800000000000-host-omniconnect-fra-01.local", 1778791804244494080, "host", "omniconnect-fra-01.local", "risk", "high", 82.61, "daily_risk=82.61 (>70)", "new"], ["risk-1778630400000000000-host-omniconnect-mun-01.local", 1778791804244494080, "host", "omniconnect-mun-01.local", "risk", "high", 83.27, "daily_risk=83.27 (>70)", "new"], ["risk-1778716800000000000-host-omniconnect-mun-01.local", 1778791804244494080, "host", "omniconnect-mun-01.local", "risk", "high", 88.22, "daily_risk=88.22 (>70)", "new"]]} \ No newline at end of file diff --git a/parsers/ueba_baselines_entity b/parsers/ueba_baselines_entity new file mode 100644 index 0000000..53f54df --- /dev/null +++ b/parsers/ueba_baselines_entity @@ -0,0 +1 @@ +{"columnNames": ["entity_type", "entity_id", "family", "feature_name", "mu", "sigma", "q99", "n"], "rows": [["user", ".anna.schmidt", "auth", "auth_total", 1.4545454545454546, 0.6555547773570889, 3.0, 11], ["user", "lab.tech.sarah.koch", "auth", "auth_total", 1.3333333333333333, 0.4714045207910317, 2.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "auth_total", 1.5, 0.6708203932499369, 3.0, 10], ["user", "pharmacist.hans.meyer", "auth", "auth_total", 1.3333333333333333, 0.6236095644623235, 3.0, 12], ["user", ".lisa.bauer", "auth", "auth_total", 1.2857142857142858, 0.6998542122237652, 3.0, 7], ["user", ".thomas.weber", "auth", "auth_total", 1.8, 0.8717797887081348, 4.0, 10], ["user", "admin.klaus.fischer", "auth", "auth_total", 1.2307692307692308, 0.4213250442347432, 2.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "auth_total", 1.5454545454545454, 0.6555547773570889, 3.0, 11], ["user", ".anna.schmidt", "auth", "auth_fail", 0.5454545454545454, 0.6555547773570889, 2.0, 11], ["user", "lab.tech.sarah.koch", "auth", "auth_fail", 0.5, 0.5, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "auth_fail", 0.5, 0.5, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "auth_fail", 0.75, 0.5951190357119042, 2.0, 12], ["user", ".lisa.bauer", "auth", "auth_fail", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "auth", "auth_fail", 0.6, 0.48989794855663565, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "auth_fail", 0.8461538461538461, 0.532938710021193, 2.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "auth_fail", 0.5454545454545454, 0.6555547773570889, 2.0, 11], ["user", ".anna.schmidt", "auth", "auth_succ", 0.9090909090909091, 0.6680426571226848, 2.0, 11], ["user", "lab.tech.sarah.koch", "auth", "auth_succ", 0.8333333333333334, 0.6871842709362768, 2.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "auth_succ", 1.0, 0.4472135954999579, 2.0, 10], ["user", "pharmacist.hans.meyer", "auth", "auth_succ", 0.5833333333333334, 0.6400954789890506, 2.0, 12], ["user", ".lisa.bauer", "auth", "auth_succ", 1.1428571428571428, 0.8329931278350428, 3.0, 7], ["user", ".thomas.weber", "auth", "auth_succ", 1.2, 1.16619037896906, 4.0, 10], ["user", "admin.klaus.fischer", "auth", "auth_succ", 0.38461538461538464, 0.48650425541051995, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "auth_succ", 1.0, 0.6030226891555273, 2.0, 11], ["user", ".anna.schmidt", "auth", "auth_fail_ratio", 0.34848484848484845, 0.42908491692443324, 1.0, 11], ["user", "lab.tech.sarah.koch", "auth", "auth_fail_ratio", 0.4166666666666667, 0.44876373392787533, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "auth_fail_ratio", 0.2833333333333333, 0.3253203549323856, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "auth_fail_ratio", 0.5694444444444444, 0.45368008252947434, 1.0, 12], ["user", ".lisa.bauer", "auth", "auth_fail_ratio", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "auth", "auth_fail_ratio", 0.45, 0.4153311931459037, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "auth_fail_ratio", 0.6923076923076923, 0.41779924966154675, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "auth_fail_ratio", 0.3333333333333333, 0.3956837835515332, 1.0, 11], ["user", ".anna.schmidt", "auth", "login_success", 0.45454545454545453, 0.6555547773570889, 2.0, 11], ["user", "lab.tech.sarah.koch", "auth", "login_success", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "login_success", 0.3, 0.45825756949558394, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "login_success", 0.25, 0.4330127018922193, 1.0, 12], ["user", ".lisa.bauer", "auth", "login_success", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", ".thomas.weber", "auth", "login_success", 0.0, 0.0, 0.0, 10], ["user", "admin.klaus.fischer", "auth", "login_success", 0.07692307692307693, 0.26646935501059654, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "login_success", 0.36363636363636365, 0.48104569292083466, 1.0, 11], ["user", ".anna.schmidt", "auth", "login_failure", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["user", "lab.tech.sarah.koch", "auth", "login_failure", 0.0, 0.0, 0.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "login_failure", 0.2, 0.4000000000000001, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "login_failure", 0.16666666666666666, 0.3726779962499649, 1.0, 12], ["user", ".lisa.bauer", "auth", "login_failure", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "auth", "login_failure", 0.1, 0.30000000000000004, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "login_failure", 0.07692307692307693, 0.26646935501059654, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "login_failure", 0.09090909090909091, 0.28747978728803447, 1.0, 11], ["user", ".anna.schmidt", "auth", "logout", 0.0, 0.0, 0.0, 11], ["user", "lab.tech.sarah.koch", "auth", "logout", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "logout", 0.2, 0.4, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "logout", 0.08333333333333333, 0.2763853991962833, 1.0, 12], ["user", ".lisa.bauer", "auth", "logout", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "auth", "logout", 0.6, 1.0198039027185568, 3.0, 10], ["user", "admin.klaus.fischer", "auth", "logout", 0.07692307692307693, 0.26646935501059654, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "logout", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["user", ".anna.schmidt", "auth", "session_timeout", 0.2727272727272727, 0.4453617714151233, 1.0, 11], ["user", "lab.tech.sarah.koch", "auth", "session_timeout", 0.0, 0.0, 0.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "session_timeout", 0.2, 0.4000000000000001, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "session_timeout", 0.16666666666666666, 0.37267799624996495, 1.0, 12], ["user", ".lisa.bauer", "auth", "session_timeout", 0.7142857142857143, 0.4517539514526256, 1.0, 7], ["user", ".thomas.weber", "auth", "session_timeout", 0.2, 0.4000000000000001, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "session_timeout", 0.0, 0.0, 0.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "session_timeout", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["user", ".anna.schmidt", "auth", "mfa_success", 0.0, 0.0, 0.0, 11], ["user", "lab.tech.sarah.koch", "auth", "mfa_success", 0.16666666666666666, 0.37267799624996495, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "mfa_success", 0.0, 0.0, 0.0, 10], ["user", "pharmacist.hans.meyer", "auth", "mfa_success", 0.0, 0.0, 0.0, 12], ["user", ".lisa.bauer", "auth", "mfa_success", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "auth", "mfa_success", 0.1, 0.30000000000000004, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "mfa_success", 0.23076923076923078, 0.4213250442347432, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "mfa_success", 0.09090909090909091, 0.2874797872880344, 1.0, 11], ["user", ".anna.schmidt", "auth", "mfa_failure", 0.0, 0.0, 0.0, 11], ["user", "lab.tech.sarah.koch", "auth", "mfa_failure", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "mfa_failure", 0.1, 0.30000000000000004, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "mfa_failure", 0.0, 0.0, 0.0, 12], ["user", ".lisa.bauer", "auth", "mfa_failure", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "auth", "mfa_failure", 0.1, 0.30000000000000004, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "mfa_failure", 0.07692307692307693, 0.2664693550105966, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "mfa_failure", 0.0, 0.0, 0.0, 11], ["user", ".anna.schmidt", "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 11], ["user", "lab.tech.sarah.koch", "auth", "mfa_fail_ratio", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "mfa_fail_ratio", 0.1, 0.30000000000000004, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 12], ["user", ".lisa.bauer", "auth", "mfa_fail_ratio", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "auth", "mfa_fail_ratio", 0.1, 0.30000000000000004, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "mfa_fail_ratio", 0.07692307692307693, 0.2664693550105966, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 11], ["user", ".anna.schmidt", "auth", "password_change", 0.18181818181818182, 0.385694607919935, 1.0, 11], ["user", "lab.tech.sarah.koch", "auth", "password_change", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "password_change", 0.3, 0.45825756949558394, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "password_change", 0.08333333333333333, 0.2763853991962833, 1.0, 12], ["user", ".lisa.bauer", "auth", "password_change", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", ".thomas.weber", "auth", "password_change", 0.3, 0.45825756949558394, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "password_change", 0.0, 0.0, 0.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "password_change", 0.18181818181818182, 0.385694607919935, 1.0, 11], ["user", ".anna.schmidt", "auth", "password_reset_req", 0.18181818181818182, 0.385694607919935, 1.0, 11], ["user", "lab.tech.sarah.koch", "auth", "password_reset_req", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "password_reset_req", 0.0, 0.0, 0.0, 10], ["user", "pharmacist.hans.meyer", "auth", "password_reset_req", 0.25, 0.4330127018922193, 1.0, 12], ["user", ".lisa.bauer", "auth", "password_reset_req", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "auth", "password_reset_req", 0.1, 0.30000000000000004, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "password_reset_req", 0.15384615384615385, 0.36080121229410994, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "password_reset_req", 0.2727272727272727, 0.616575453011388, 2.0, 11], ["user", ".anna.schmidt", "auth", "account_locked", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["user", "lab.tech.sarah.koch", "auth", "account_locked", 0.0, 0.0, 0.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "account_locked", 0.1, 0.30000000000000004, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "account_locked", 0.16666666666666666, 0.3726779962499649, 1.0, 12], ["user", ".lisa.bauer", "auth", "account_locked", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "auth", "account_locked", 0.1, 0.30000000000000004, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "account_locked", 0.23076923076923078, 0.4213250442347432, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "account_locked", 0.09090909090909091, 0.2874797872880344, 1.0, 11], ["user", ".anna.schmidt", "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 11], ["user", "lab.tech.sarah.koch", "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "account_unlocked_fail", 0.1, 0.30000000000000004, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "account_unlocked_fail", 0.16666666666666666, 0.3726779962499649, 1.0, 12], ["user", ".lisa.bauer", "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "auth", "account_unlocked_fail", 0.2, 0.4000000000000001, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "account_unlocked_fail", 0.3076923076923077, 0.46153846153846156, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "account_unlocked_fail", 0.09090909090909091, 0.2874797872880344, 1.0, 11], ["host", "avelios-app-01.berlin.local", "endpoint", "host_events", 1.5714285714285714, 0.7284313590846836, 3.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_events", 1.3333333333333333, 0.8498365855987975, 4.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_events", 2.0, 1.0690449676496976, 4.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_events", 1.2, 0.4000000000000001, 2.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_events", 1.6666666666666667, 0.9428090415820634, 4.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_events", 2.5, 1.2583057392117916, 6.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_events", 1.0909090909090908, 0.28747978728803447, 2.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_events", 1.6428571428571428, 0.7178482586514923, 3.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_events", 1.3333333333333333, 0.4714045207910317, 2.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_events", 1.4, 0.48989794855663565, 2.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_events", 1.4545454545454546, 0.6555547773570889, 3.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_events", 1.6666666666666667, 0.7453559924999299, 3.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_failures", 0.7142857142857143, 0.7953949089757174, 3.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_failures", 0.4166666666666667, 0.6400954789890505, 2.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_failures", 0.7142857142857143, 0.5890150893739515, 2.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_failures", 0.4, 0.48989794855663565, 1.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_failures", 1.0, 0.8944271909999159, 4.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_failures", 0.0, 0.0, 0.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_failures", 0.2727272727272727, 0.4453617714151233, 1.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_failures", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_failures", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_failures", 0.2, 0.4000000000000001, 1.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_failures", 0.45454545454545453, 0.7820295697311479, 2.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_failures", 0.0, 0.0, 0.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_infos", 0.3, 0.45825756949558405, 1.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_infos", 0.2727272727272727, 0.4453617714151233, 1.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_infos", 0.5, 0.5, 1.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_failure_ratio", 0.4642857142857143, 0.4417613170304636, 1.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_failure_ratio", 0.3333333333333333, 0.47140452079103173, 1.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_failure_ratio", 0.3392857142857143, 0.3369804727313848, 1.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_failure_ratio", 0.4, 0.48989794855663565, 1.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_failure_ratio", 0.6444444444444444, 0.4076430295076476, 1.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_failure_ratio", 0.2727272727272727, 0.4453617714151233, 1.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_failure_ratio", 0.1, 0.20000000000000004, 0.5, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_failure_ratio", 0.2424242424242424, 0.4042928504280707, 1.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_high_severity", 0.21428571428571427, 0.41032590332414504, 1.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_high_severity", 0.25, 0.5951190357119042, 2.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_high_severity", 0.07142857142857142, 0.25753937681885636, 1.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_high_severity", 0.1, 0.30000000000000004, 1.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_high_severity", 0.06666666666666667, 0.2494438257849295, 1.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_high_severity", 0.09090909090909091, 0.2874797872880344, 1.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_high_severity", 0.3, 0.45825756949558394, 1.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_high_severity", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_high_severity", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_auth_events", 1.5714285714285714, 0.7284313590846836, 3.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_auth_events", 1.3333333333333333, 0.8498365855987975, 4.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_auth_events", 2.0, 1.0690449676496976, 4.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_auth_events", 1.2, 0.4000000000000001, 2.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_auth_events", 1.6666666666666667, 0.9428090415820634, 4.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_auth_events", 0.0, 0.0, 0.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_auth_events", 1.0909090909090908, 0.28747978728803447, 2.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_auth_events", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_auth_events", 1.1666666666666667, 0.6871842709362768, 2.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_auth_events", 0.9, 0.5385164807134504, 2.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_auth_events", 0.9090909090909091, 0.6680426571226848, 2.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_auth_events", 1.0, 0.5773502691896257, 2.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_data_events", 2.5, 1.2583057392117916, 6.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_data_events", 1.6428571428571428, 0.7178482586514923, 3.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_ti_events", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_ti_events", 0.5, 0.6708203932499369, 2.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_ti_events", 0.5454545454545454, 0.49792959773196915, 1.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_ti_events", 0.6666666666666666, 0.74535599249993, 2.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_card_events", 1.1666666666666667, 0.6871842709362768, 2.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_card_events", 0.9, 0.5385164807134504, 2.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_card_events", 0.9090909090909091, 0.6680426571226848, 2.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_card_events", 1.0, 0.5773502691896257, 2.0, 6], ["host", "avelios-int-01.berlin.local", "network", "ti_events", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "ti_events", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "ti_events", 1.0, 0.0, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "ti_events", 1.3333333333333333, 0.4714045207910317, 2.0, 3], ["host", "omniconnect-fra-01.local", "network", "ti_events", 1.25, 0.4330127018922193, 2.0, 4], ["host", "omniconnect-ber-01.local", "network", "ti_events", 1.0, 0.0, 1.0, 1], ["host", "avelios-int-01.berlin.local", "network", "ti_failures", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "ti_failures", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "ti_failures", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "ti_failures", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "ti_failures", 0.5, 0.5, 1.0, 4], ["host", "omniconnect-ber-01.local", "network", "ti_failures", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "ti_failure_ratio", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "ti_failure_ratio", 0.375, 0.414578098794425, 1.0, 4], ["host", "omniconnect-ber-01.local", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "konnektor_connected", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "konnektor_connected", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "konnektor_connected", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "konnektor_connected", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "konnektor_connected", 0.0, 0.0, 0.0, 4], ["host", "omniconnect-ber-01.local", "network", "konnektor_connected", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-ham-01.local", "network", "konnektor_disconnected", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "omniconnect-fra-01.local", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 4], ["host", "omniconnect-ber-01.local", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "konnektor_health_check", 0.16666666666666666, 0.37267799624996495, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "konnektor_health_check", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "omniconnect-fra-01.local", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 4], ["host", "omniconnect-ber-01.local", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "konnektor_flap_score", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "konnektor_flap_score", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "omniconnect-fra-01.local", "network", "konnektor_flap_score", 0.5, 0.5, 1.0, 4], ["host", "omniconnect-ber-01.local", "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "vpn_tunnel_failed", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "vpn_tunnel_failed", 0.5, 0.5, 1.0, 4], ["host", "omniconnect-ber-01.local", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "vpn_tunnel_reconnect", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 4], ["host", "omniconnect-ber-01.local", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "cert_expired", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "cert_expired", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "cert_expired", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-ham-01.local", "network", "cert_expired", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "cert_expired", 0.0, 0.0, 0.0, 4], ["host", "omniconnect-ber-01.local", "network", "cert_expired", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "cert_expiring", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "cert_expiring", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "cert_expiring", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-ham-01.local", "network", "cert_expiring", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "cert_expiring", 0.0, 0.0, 0.0, 4], ["host", "omniconnect-ber-01.local", "network", "cert_expiring", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "cert_valid", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "cert_valid", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "cert_valid", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "cert_valid", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "omniconnect-fra-01.local", "network", "cert_valid", 0.0, 0.0, 0.0, 4], ["host", "omniconnect-ber-01.local", "network", "cert_valid", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-ham-01.local", "network", "ti_service_unavailable", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "omniconnect-fra-01.local", "network", "ti_service_unavailable", 0.25, 0.4330127018922193, 1.0, 4], ["host", "omniconnect-ber-01.local", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "ti_service_available", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "ti_service_available", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "ti_service_available", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "ti_service_available", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "ti_service_available", 0.5, 0.5, 1.0, 4], ["host", "omniconnect-ber-01.local", "network", "ti_service_available", 1.0, 0.0, 1.0, 1], ["host", "avelios-int-01.berlin.local", "network", "high_sev_events", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "high_sev_events", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "high_sev_events", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "high_sev_events", 0.6666666666666666, 0.4714045207910317, 1.0, 3], ["host", "omniconnect-fra-01.local", "network", "high_sev_events", 0.75, 0.4330127018922193, 1.0, 4], ["host", "omniconnect-ber-01.local", "network", "high_sev_events", 0.0, 0.0, 0.0, 1], ["user", "billing.clerk.peter.wolf", "cloud", "dt_events", 1.1428571428571428, 0.3499271061118826, 2.0, 7], ["user", ".thomas.weber", "cloud", "dt_events", 1.125, 0.33071891388307384, 2.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "dt_events", 1.4444444444444444, 0.4969039949999533, 2.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "dt_events", 1.0, 0.0, 1.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "dt_events", 1.3333333333333333, 0.4714045207910317, 2.0, 6], ["user", ".anna.schmidt", "cloud", "dt_events", 1.2857142857142858, 0.45175395145262565, 2.0, 7], ["user", ".lisa.bauer", "cloud", "dt_events", 1.6666666666666667, 0.7453559924999299, 3.0, 6], ["user", "admin.klaus.fischer", "cloud", "dt_events", 1.0, 0.0, 1.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "dt_failures", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "cloud", "dt_failures", 0.0, 0.0, 0.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "dt_failures", 0.0, 0.0, 0.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "dt_failures", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "dt_failures", 0.0, 0.0, 0.0, 6], ["user", ".anna.schmidt", "cloud", "dt_failures", 0.0, 0.0, 0.0, 7], ["user", ".lisa.bauer", "cloud", "dt_failures", 0.0, 0.0, 0.0, 6], ["user", "admin.klaus.fischer", "cloud", "dt_failures", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "export_initiated", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", ".thomas.weber", "cloud", "export_initiated", 0.125, 0.33071891388307384, 1.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "export_initiated", 0.3333333333333333, 0.6666666666666666, 2.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "export_initiated", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "export_initiated", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", ".anna.schmidt", "cloud", "export_initiated", 0.0, 0.0, 0.0, 7], ["user", ".lisa.bauer", "cloud", "export_initiated", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "export_initiated", 0.5, 0.5, 1.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "export_completed", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "cloud", "export_completed", 0.0, 0.0, 0.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "export_completed", 0.1111111111111111, 0.31426968052735443, 1.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "export_completed", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "export_completed", 0.0, 0.0, 0.0, 6], ["user", ".anna.schmidt", "cloud", "export_completed", 0.42857142857142855, 0.4948716593053935, 1.0, 7], ["user", ".lisa.bauer", "cloud", "export_completed", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "export_completed", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "import_initiated", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", ".thomas.weber", "cloud", "import_initiated", 0.0, 0.0, 0.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "import_initiated", 0.1111111111111111, 0.3142696805273545, 1.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "import_initiated", 0.125, 0.33071891388307384, 1.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "import_initiated", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", ".anna.schmidt", "cloud", "import_initiated", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".lisa.bauer", "cloud", "import_initiated", 0.0, 0.0, 0.0, 6], ["user", "admin.klaus.fischer", "cloud", "import_initiated", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "import_completed", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "cloud", "import_completed", 0.125, 0.33071891388307384, 1.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "import_completed", 0.0, 0.0, 0.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "import_completed", 0.25, 0.4330127018922193, 1.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "import_completed", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", ".anna.schmidt", "cloud", "import_completed", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".lisa.bauer", "cloud", "import_completed", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "import_completed", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "email_notifications", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "cloud", "email_notifications", 0.375, 0.4841229182759271, 1.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "email_notifications", 0.2222222222222222, 0.41573970964154905, 1.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "email_notifications", 0.25, 0.4330127018922193, 1.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "email_notifications", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", ".anna.schmidt", "cloud", "email_notifications", 0.2857142857142857, 0.4517539514526256, 1.0, 7], ["user", ".lisa.bauer", "cloud", "email_notifications", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "email_notifications", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "report_generated", 0.2857142857142857, 0.4517539514526256, 1.0, 7], ["user", ".thomas.weber", "cloud", "report_generated", 0.25, 0.4330127018922193, 1.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "report_generated", 0.0, 0.0, 0.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "report_generated", 0.25, 0.4330127018922193, 1.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "report_generated", 0.0, 0.0, 0.0, 6], ["user", ".anna.schmidt", "cloud", "report_generated", 0.0, 0.0, 0.0, 7], ["user", ".lisa.bauer", "cloud", "report_generated", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "report_generated", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "fhir_requests", 0.4444444444444444, 0.4969039949999533, 1.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "fhir_requests", 0.16666666666666666, 0.37267799624996495, 1.0, 6], ["user", ".anna.schmidt", "cloud", "fhir_requests", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".lisa.bauer", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 6], ["user", "admin.klaus.fischer", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "hl7_received", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", ".thomas.weber", "cloud", "hl7_received", 0.0, 0.0, 0.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "hl7_received", 0.0, 0.0, 0.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "hl7_received", 0.125, 0.33071891388307384, 1.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "hl7_received", 0.0, 0.0, 0.0, 6], ["user", ".anna.schmidt", "cloud", "hl7_received", 0.0, 0.0, 0.0, 7], ["user", ".lisa.bauer", "cloud", "hl7_received", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "hl7_received", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "hl7_sent", 0.2222222222222222, 0.6285393610547089, 2.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 6], ["user", ".anna.schmidt", "cloud", "hl7_sent", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", ".lisa.bauer", "cloud", "hl7_sent", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "print_jobs", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "cloud", "print_jobs", 0.25, 0.4330127018922193, 1.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "print_jobs", 0.0, 0.0, 0.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "print_jobs", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "print_jobs", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", ".anna.schmidt", "cloud", "print_jobs", 0.0, 0.0, 0.0, 7], ["user", ".lisa.bauer", "cloud", "print_jobs", 0.0, 0.0, 0.0, 6], ["user", "admin.klaus.fischer", "cloud", "print_jobs", 0.5, 0.5, 1.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "total_records_exported", 106.57142857142857, 175.98933177314805, 468.0, 7], ["user", ".thomas.weber", "cloud", "total_records_exported", 84.75, 224.22742361272404, 678.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "total_records_exported", 205.11111111111111, 302.92919761131, 829.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "total_records_exported", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "total_records_exported", 146.66666666666666, 327.9566366999692, 880.0, 6], ["user", ".anna.schmidt", "cloud", "total_records_exported", 263.14285714285717, 365.019149623464, 857.0, 7], ["user", ".lisa.bauer", "cloud", "total_records_exported", 302.5, 427.87059959758864, 921.0, 6], ["user", "admin.klaus.fischer", "cloud", "total_records_exported", 151.5, 151.5, 303.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "external_destinations", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "cloud", "external_destinations", 0.0, 0.0, 0.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "external_destinations", 0.2222222222222222, 0.41573970964154905, 1.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "external_destinations", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "external_destinations", 0.0, 0.0, 0.0, 6], ["user", ".anna.schmidt", "cloud", "external_destinations", 0.0, 0.0, 0.0, 7], ["user", ".lisa.bauer", "cloud", "external_destinations", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "external_destinations", 0.0, 0.0, 0.0, 2], ["host", "omniconnect-ber-01.local", "healthcare", "card_events", 1.4, 0.4898979485566356, 2.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_events", 1.125, 0.33071891388307384, 2.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_events", 1.25, 0.4330127018922193, 2.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_events", 1.2, 0.4, 2.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_failures", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_failures", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_failures", 0.5, 0.8660254037844386, 2.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_failures", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_failure_ratio", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_read_success", 0.4, 0.48989794855663565, 1.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_read_success", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_read_success", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_read_success", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_read_failure", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_read_failure", 0.2, 0.4, 1.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_pin_verified", 0.4, 0.48989794855663565, 1.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_pin_verified", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_pin_verified", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_pin_verified", 0.2, 0.4000000000000001, 1.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_pin_failed", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_pin_blocked", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_removed", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_removed", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_removed", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_removed", 0.2, 0.4, 1.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_decryption", 0.2, 0.4000000000000001, 1.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_decryption", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_decryption", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_decryption", 0.6, 0.48989794855663565, 1.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_signature_created", 0.2, 0.4, 1.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_signature_created", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_auth_success", 0.2, 0.4, 1.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_auth_success", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_auth_failed", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "smcb_events", 0.4, 0.48989794855663565, 1.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "smcb_events", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "smcb_events", 0.375, 0.4841229182759271, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "smcb_events", 0.4, 0.48989794855663565, 1.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "hba_events", 0.4, 0.48989794855663565, 1.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "hba_events", 0.375, 0.4841229182759271, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "hba_events", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "hba_events", 0.2, 0.4, 1.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "qes_pin_attempts", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "low_attempts_remaining", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 5], ["user", ".anna.schmidt", "auth", "distinct_src_ip", 1.2727272727272727, 0.4453617714151233, 2.0, 11], ["user", "nurse.maria.m\\u00fcller", "auth", "distinct_src_ip", 1.5, 0.6708203932499369, 3.0, 10], ["user", ".lisa.bauer", "auth", "distinct_src_ip", 1.2857142857142858, 0.6998542122237652, 3.0, 7], ["user", ".thomas.weber", "auth", "distinct_src_ip", 1.8, 0.8717797887081348, 4.0, 10], ["user", "admin.klaus.fischer", "auth", "distinct_src_ip", 1.2307692307692308, 0.4213250442347432, 2.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "distinct_src_ip", 1.5454545454545454, 0.6555547773570889, 3.0, 11], ["user", "lab.tech.sarah.koch", "auth", "distinct_src_ip", 1.4, 0.4898979485566356, 2.0, 5], ["user", "pharmacist.hans.meyer", "auth", "distinct_src_ip", 1.3636363636363635, 0.642824346533225, 3.0, 11], ["user", ".anna.schmidt", "auth", "distinct_src_host", 1.1818181818181819, 0.385694607919935, 2.0, 11], ["user", "nurse.maria.m\\u00fcller", "auth", "distinct_src_host", 1.5, 0.6708203932499369, 3.0, 10], ["user", ".lisa.bauer", "auth", "distinct_src_host", 1.1428571428571428, 0.34992710611188266, 2.0, 7], ["user", ".thomas.weber", "auth", "distinct_src_host", 1.7, 0.6403124237432849, 3.0, 10], ["user", "admin.klaus.fischer", "auth", "distinct_src_host", 1.0769230769230769, 0.26646935501059654, 2.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "distinct_src_host", 1.4545454545454546, 0.6555547773570889, 3.0, 11], ["user", "lab.tech.sarah.koch", "auth", "distinct_src_host", 1.4, 0.4898979485566356, 2.0, 5], ["user", "pharmacist.hans.meyer", "auth", "distinct_src_host", 1.2727272727272727, 0.4453617714151233, 2.0, 11], ["host", "avelios-app-02.berlin.local", "endpoint", "host_distinct_users", 1.9285714285714286, 1.0326308782000686, 4.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_distinct_users", 1.1, 0.3, 2.0, 10], ["host", "avelios-int-01.berlin.local", "endpoint", "host_distinct_users", 2.2222222222222223, 1.082977149423218, 5.0, 18], ["host", "avelios-app-01.berlin.local", "endpoint", "host_distinct_users", 1.4615384615384615, 0.7457969011409737, 3.0, 13], ["host", "avelios-app-01.munich.local", "endpoint", "host_distinct_users", 1.2727272727272727, 0.616575453011388, 3.0, 11], ["host", "avelios-app-03.berlin.local", "endpoint", "host_distinct_users", 1.5714285714285714, 0.7284313590846836, 3.0, 14], ["host", "avelios-app-03.munich.local", "endpoint", "host_distinct_users", 1.0, 0.0, 1.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_distinct_users", 1.5, 0.5, 2.0, 14], ["host", "avelios-app-02.berlin.local", "endpoint", "host_distinct_etypes", 1.8571428571428572, 0.989743318610787, 4.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_distinct_etypes", 1.1, 0.3, 2.0, 10], ["host", "avelios-int-01.berlin.local", "endpoint", "host_distinct_etypes", 2.111111111111111, 0.9938079899999066, 4.0, 18], ["host", "avelios-app-01.berlin.local", "endpoint", "host_distinct_etypes", 1.6153846153846154, 0.737820234355803, 3.0, 13], ["host", "avelios-app-01.munich.local", "endpoint", "host_distinct_etypes", 1.1818181818181819, 0.5749595745760689, 3.0, 11], ["host", "avelios-app-03.berlin.local", "endpoint", "host_distinct_etypes", 1.6428571428571428, 0.8112726208286106, 3.0, 14], ["host", "avelios-app-03.munich.local", "endpoint", "host_distinct_etypes", 1.0, 0.0, 1.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_distinct_etypes", 1.5714285714285714, 0.6226998490772391, 3.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_distinct_etypes", 1.3333333333333333, 0.4714045207910317, 2.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_distinct_etypes", 1.4, 0.48989794855663565, 2.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_distinct_etypes", 1.4545454545454546, 0.6555547773570889, 3.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_distinct_etypes", 1.6666666666666667, 0.7453559924999299, 3.0, 6], ["host", "omniconnect-mun-01.local", "network", "distinct_telematik_ids", 1.0, 0.0, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "distinct_telematik_ids", 1.3333333333333333, 0.4714045207910317, 2.0, 3], ["host", "omniconnect-fra-01.local", "network", "distinct_telematik_ids", 1.25, 0.4330127018922193, 2.0, 4], ["host", "omniconnect-ber-01.local", "network", "distinct_telematik_ids", 1.0, 0.0, 1.0, 1], ["user", "billing.clerk.peter.wolf", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 3], ["user", "lab.tech.sarah.koch", "cloud", "distinct_destinations", 1.5, 0.5, 2.0, 4], ["user", ".thomas.weber", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", ".anna.schmidt", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 4], ["user", ".lisa.bauer", "cloud", "distinct_destinations", 1.5, 0.5, 2.0, 4], ["user", "admin.klaus.fischer", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", "pharmacist.hans.meyer", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", "nurse.maria.m\\u00fcller", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", "billing.clerk.peter.wolf", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 2], ["user", "lab.tech.sarah.koch", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 3], ["user", ".thomas.weber", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 1], ["user", ".anna.schmidt", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 3], ["user", "admin.klaus.fischer", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 1], ["user", ".lisa.bauer", "cloud", "distinct_export_types", 1.5, 0.5, 2.0, 2], ["user", "pharmacist.hans.meyer", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 1], ["user", "billing.clerk.peter.wolf", "cloud", "distinct_msg_types", 1.0, 0.0, 1.0, 1], ["user", ".lisa.bauer", "cloud", "distinct_msg_types", 1.0, 0.0, 1.0, 3], ["user", ".anna.schmidt", "cloud", "distinct_msg_types", 1.0, 0.0, 1.0, 1], ["user", "lab.tech.sarah.koch", "cloud", "distinct_msg_types", 2.0, 0.0, 2.0, 1], ["user", "nurse.maria.m\\u00fcller", "cloud", "distinct_msg_types", 1.0, 0.0, 1.0, 1], ["host", "omniconnect-ber-01.local", "healthcare", "distinct_cards", 1.4, 0.4898979485566356, 2.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "distinct_cards", 1.125, 0.33071891388307384, 2.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "distinct_cards", 1.25, 0.4330127018922193, 2.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "distinct_cards", 1.2, 0.4, 2.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "distinct_terminals", 1.4, 0.4898979485566356, 2.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "distinct_terminals", 1.125, 0.33071891388307384, 2.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "distinct_terminals", 1.25, 0.4330127018922193, 2.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "distinct_terminals", 1.2, 0.4, 2.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "distinct_card_types", 1.4, 0.4898979485566356, 2.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "distinct_card_types", 1.0, 0.0, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "distinct_card_types", 1.25, 0.4330127018922193, 2.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "distinct_card_types", 1.0, 0.0, 1.0, 5]]} \ No newline at end of file diff --git a/parsers/ueba_baselines_peer b/parsers/ueba_baselines_peer new file mode 100644 index 0000000..443739b --- /dev/null +++ b/parsers/ueba_baselines_peer @@ -0,0 +1 @@ +{"columnNames": ["entity_type", "peer_id", "family", "feature_name", "mu", "sigma", "q99", "n"], "rows": [["user", "role=Nurse|hosp=HOSP-003", "auth", "auth_total", 1.5, 0.6708203932499369, 3.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "auth_total", 1.3333333333333333, 0.6236095644623235, 3.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "auth_total", 1.8, 0.8717797887081348, 4.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "auth_total", 1.2307692307692308, 0.4213250442347432, 2.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "auth_total", 1.5454545454545454, 0.6555547773570889, 3.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "auth_fail", 0.5, 0.5, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "auth_fail", 0.75, 0.5951190357119042, 2.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "auth_fail", 0.6, 0.48989794855663565, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "auth_fail", 0.8461538461538461, 0.532938710021193, 2.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "auth_fail", 0.5454545454545454, 0.6555547773570889, 2.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "auth_succ", 1.0, 0.4472135954999579, 2.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "auth_succ", 0.5833333333333334, 0.6400954789890506, 2.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "auth_succ", 1.2, 1.16619037896906, 4.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "auth_succ", 0.38461538461538464, 0.48650425541051995, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "auth_succ", 1.0, 0.6030226891555273, 2.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "auth_fail_ratio", 0.2833333333333333, 0.3253203549323856, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "auth_fail_ratio", 0.5694444444444444, 0.45368008252947434, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "auth_fail_ratio", 0.45, 0.4153311931459037, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "auth_fail_ratio", 0.6923076923076923, 0.41779924966154675, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "auth_fail_ratio", 0.3333333333333333, 0.3956837835515332, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "login_success", 0.3, 0.45825756949558394, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "login_success", 0.25, 0.4330127018922193, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "login_success", 0.0, 0.0, 0.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "login_success", 0.07692307692307693, 0.26646935501059654, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "login_success", 0.36363636363636365, 0.48104569292083466, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "login_failure", 0.2, 0.4000000000000001, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "login_failure", 0.16666666666666666, 0.3726779962499649, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "login_failure", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "login_failure", 0.07692307692307693, 0.26646935501059654, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "login_failure", 0.09090909090909091, 0.28747978728803447, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "logout", 0.2, 0.4, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "logout", 0.08333333333333333, 0.2763853991962833, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "logout", 0.6, 1.0198039027185568, 3.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "logout", 0.07692307692307693, 0.26646935501059654, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "logout", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "session_timeout", 0.2, 0.4000000000000001, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "session_timeout", 0.16666666666666666, 0.37267799624996495, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "session_timeout", 0.2, 0.4000000000000001, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "session_timeout", 0.0, 0.0, 0.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "session_timeout", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "mfa_success", 0.0, 0.0, 0.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "mfa_success", 0.0, 0.0, 0.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "mfa_success", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "mfa_success", 0.23076923076923078, 0.4213250442347432, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "mfa_success", 0.09090909090909091, 0.2874797872880344, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "mfa_failure", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "mfa_failure", 0.0, 0.0, 0.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "mfa_failure", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "mfa_failure", 0.07692307692307693, 0.2664693550105966, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "mfa_failure", 0.0, 0.0, 0.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "mfa_fail_ratio", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "mfa_fail_ratio", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "mfa_fail_ratio", 0.07692307692307693, 0.2664693550105966, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "password_change", 0.3, 0.45825756949558394, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "password_change", 0.08333333333333333, 0.2763853991962833, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "password_change", 0.3, 0.45825756949558394, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "password_change", 0.0, 0.0, 0.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "password_change", 0.18181818181818182, 0.385694607919935, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "password_reset_req", 0.0, 0.0, 0.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "password_reset_req", 0.25, 0.4330127018922193, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "password_reset_req", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "password_reset_req", 0.15384615384615385, 0.36080121229410994, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "password_reset_req", 0.2727272727272727, 0.616575453011388, 2.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "account_locked", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "account_locked", 0.16666666666666666, 0.3726779962499649, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "account_locked", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "account_locked", 0.23076923076923078, 0.4213250442347432, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "account_locked", 0.09090909090909091, 0.2874797872880344, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "account_unlocked_fail", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "account_unlocked_fail", 0.16666666666666666, 0.3726779962499649, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "account_unlocked_fail", 0.2, 0.4000000000000001, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "account_unlocked_fail", 0.3076923076923077, 0.46153846153846156, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "account_unlocked_fail", 0.09090909090909091, 0.2874797872880344, 1.0, 11], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_events", 1.9574468085106382, 1.1100593583613256, 6.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_events", 1.4, 0.632455532033676, 3.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_events", 1.3333333333333333, 0.4714045207910317, 2.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_events", 1.4, 0.48989794855663565, 2.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_events", 1.4545454545454546, 0.6555547773570889, 3.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_events", 1.6666666666666667, 0.7453559924999299, 3.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_failures", 0.5319148936170213, 0.7949592209476344, 4.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_failures", 0.12, 0.3249615361854385, 1.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_failures", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_failures", 0.2, 0.4000000000000001, 1.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_failures", 0.45454545454545453, 0.7820295697311479, 2.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_failures", 0.0, 0.0, 0.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_infos", 0.0, 0.0, 0.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_infos", 0.0, 0.0, 0.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_infos", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_infos", 0.3, 0.45825756949558405, 1.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_infos", 0.2727272727272727, 0.4453617714151233, 1.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_infos", 0.5, 0.5, 1.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_failure_ratio", 0.3439716312056737, 0.43543442522969733, 1.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_failure_ratio", 0.12, 0.3249615361854385, 1.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_failure_ratio", 0.1, 0.20000000000000004, 0.5, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_failure_ratio", 0.2424242424242424, 0.4042928504280707, 1.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_high_severity", 0.0851063829787234, 0.27903993720434067, 1.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_high_severity", 0.04, 0.19595917942265437, 1.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_high_severity", 0.3, 0.45825756949558394, 1.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_high_severity", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_high_severity", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_auth_events", 1.0, 1.0314212462587935, 4.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_auth_events", 0.48, 0.574108003776293, 2.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_auth_events", 1.1666666666666667, 0.6871842709362768, 2.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_auth_events", 0.9, 0.5385164807134504, 2.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_auth_events", 0.9090909090909091, 0.6680426571226848, 2.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_auth_events", 1.0, 0.5773502691896257, 2.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_data_events", 0.9574468085106383, 1.443362604778437, 6.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_data_events", 0.92, 0.9765244492586961, 3.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_ti_events", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_ti_events", 0.5, 0.6708203932499369, 2.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_ti_events", 0.5454545454545454, 0.49792959773196915, 1.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_ti_events", 0.6666666666666666, 0.74535599249993, 2.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_card_events", 1.1666666666666667, 0.6871842709362768, 2.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_card_events", 0.9, 0.5385164807134504, 2.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_card_events", 0.9090909090909091, 0.6680426571226848, 2.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_card_events", 1.0, 0.5773502691896257, 2.0, 6], ["host", "host_fam=avelios|loc=Berlin", "network", "ti_events", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "ti_events", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "ti_events", 1.0, 0.0, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "ti_events", 1.3333333333333333, 0.4714045207910317, 2.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "ti_events", 1.25, 0.4330127018922193, 2.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "ti_events", 1.0, 0.0, 1.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "ti_failures", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "ti_failures", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "ti_failures", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "ti_failures", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "ti_failures", 0.5, 0.5, 1.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "ti_failures", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "ti_failure_ratio", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "ti_failure_ratio", 0.375, 0.414578098794425, 1.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "konnektor_connected", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "konnektor_connected", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "konnektor_connected", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "konnektor_connected", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "konnektor_connected", 0.0, 0.0, 0.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "konnektor_connected", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "konnektor_disconnected", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "konnektor_health_check", 0.16666666666666666, 0.37267799624996495, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "konnektor_health_check", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "konnektor_flap_score", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "konnektor_flap_score", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "konnektor_flap_score", 0.5, 0.5, 1.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "vpn_tunnel_failed", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "vpn_tunnel_failed", 0.5, 0.5, 1.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "vpn_tunnel_reconnect", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "cert_expired", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "cert_expired", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "cert_expired", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "cert_expired", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "cert_expired", 0.0, 0.0, 0.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "cert_expired", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "cert_expiring", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "cert_expiring", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "cert_expiring", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "cert_expiring", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "cert_expiring", 0.0, 0.0, 0.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "cert_expiring", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "cert_valid", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "cert_valid", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "cert_valid", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "cert_valid", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "cert_valid", 0.0, 0.0, 0.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "cert_valid", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "ti_service_unavailable", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "ti_service_unavailable", 0.25, 0.4330127018922193, 1.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "ti_service_available", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "ti_service_available", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "ti_service_available", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "ti_service_available", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "ti_service_available", 0.5, 0.5, 1.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "ti_service_available", 1.0, 0.0, 1.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "high_sev_events", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "high_sev_events", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "high_sev_events", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "high_sev_events", 0.6666666666666666, 0.4714045207910317, 1.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "high_sev_events", 0.75, 0.4330127018922193, 1.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "high_sev_events", 0.0, 0.0, 0.0, 1], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "dt_events", 1.1428571428571428, 0.3499271061118826, 2.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "dt_events", 1.125, 0.33071891388307384, 2.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "dt_events", 1.0, 0.0, 1.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "dt_events", 1.3333333333333333, 0.4714045207910317, 2.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "dt_events", 1.0, 0.0, 1.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "dt_failures", 0.0, 0.0, 0.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "dt_failures", 0.0, 0.0, 0.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "dt_failures", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "dt_failures", 0.0, 0.0, 0.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "dt_failures", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "export_initiated", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "export_initiated", 0.125, 0.33071891388307384, 1.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "export_initiated", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "export_initiated", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "export_initiated", 0.5, 0.5, 1.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "export_completed", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "export_completed", 0.0, 0.0, 0.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "export_completed", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "export_completed", 0.0, 0.0, 0.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "export_completed", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "import_initiated", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "import_initiated", 0.0, 0.0, 0.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "import_initiated", 0.125, 0.33071891388307384, 1.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "import_initiated", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "import_initiated", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "import_completed", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "import_completed", 0.125, 0.33071891388307384, 1.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "import_completed", 0.25, 0.4330127018922193, 1.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "import_completed", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "import_completed", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "email_notifications", 0.0, 0.0, 0.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "email_notifications", 0.375, 0.4841229182759271, 1.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "email_notifications", 0.25, 0.4330127018922193, 1.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "email_notifications", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "email_notifications", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "report_generated", 0.2857142857142857, 0.4517539514526256, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "report_generated", 0.25, 0.4330127018922193, 1.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "report_generated", 0.25, 0.4330127018922193, 1.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "report_generated", 0.0, 0.0, 0.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "report_generated", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "fhir_requests", 0.16666666666666666, 0.37267799624996495, 1.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "hl7_received", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "hl7_received", 0.0, 0.0, 0.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "hl7_received", 0.125, 0.33071891388307384, 1.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "hl7_received", 0.0, 0.0, 0.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "hl7_received", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "print_jobs", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "print_jobs", 0.25, 0.4330127018922193, 1.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "print_jobs", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "print_jobs", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "print_jobs", 0.5, 0.5, 1.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "total_records_exported", 106.57142857142857, 175.98933177314805, 468.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "total_records_exported", 84.75, 224.22742361272404, 678.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "total_records_exported", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "total_records_exported", 146.66666666666666, 327.9566366999692, 880.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "total_records_exported", 151.5, 151.5, 303.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "external_destinations", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "external_destinations", 0.0, 0.0, 0.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "external_destinations", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "external_destinations", 0.0, 0.0, 0.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "external_destinations", 0.0, 0.0, 0.0, 2], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_events", 1.4, 0.4898979485566356, 2.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_events", 1.125, 0.33071891388307384, 2.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_events", 1.25, 0.4330127018922193, 2.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_events", 1.2, 0.4, 2.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_failures", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_failures", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_failures", 0.5, 0.8660254037844386, 2.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_failures", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_failure_ratio", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_read_success", 0.4, 0.48989794855663565, 1.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_read_success", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_read_success", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_read_success", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_read_failure", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_read_failure", 0.2, 0.4, 1.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_pin_verified", 0.4, 0.48989794855663565, 1.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_pin_verified", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_pin_verified", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_pin_verified", 0.2, 0.4000000000000001, 1.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_pin_failed", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_pin_blocked", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_removed", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_removed", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_removed", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_removed", 0.2, 0.4, 1.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_decryption", 0.2, 0.4000000000000001, 1.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_decryption", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_decryption", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_decryption", 0.6, 0.48989794855663565, 1.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_signature_created", 0.2, 0.4, 1.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_signature_created", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_auth_success", 0.2, 0.4, 1.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_auth_success", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_auth_failed", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "smcb_events", 0.4, 0.48989794855663565, 1.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "smcb_events", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "smcb_events", 0.375, 0.4841229182759271, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "smcb_events", 0.4, 0.48989794855663565, 1.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "hba_events", 0.4, 0.48989794855663565, 1.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "hba_events", 0.375, 0.4841229182759271, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "hba_events", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "hba_events", 0.2, 0.4, 1.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "qes_pin_attempts", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "low_attempts_remaining", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 5], ["user", "role=Nurse|hosp=HOSP-003", "auth", "distinct_src_ip", 1.5, 0.6708203932499369, 3.0, 10], ["user", "role=Physician|hosp=HOSP-003", "auth", "distinct_src_ip", 1.8, 0.8717797887081348, 4.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "distinct_src_ip", 1.2307692307692308, 0.4213250442347432, 2.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "distinct_src_ip", 1.5454545454545454, 0.6555547773570889, 3.0, 11], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "distinct_src_ip", 1.3636363636363635, 0.642824346533225, 3.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "distinct_src_host", 1.5, 0.6708203932499369, 3.0, 10], ["user", "role=Physician|hosp=HOSP-003", "auth", "distinct_src_host", 1.7, 0.6403124237432849, 3.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "distinct_src_host", 1.0769230769230769, 0.26646935501059654, 2.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "distinct_src_host", 1.4545454545454546, 0.6555547773570889, 3.0, 11], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "distinct_src_host", 1.2727272727272727, 0.4453617714151233, 2.0, 11], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_distinct_users", 1.8, 0.9568466729604884, 5.0, 45], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_distinct_users", 1.28, 0.44899888641287294, 2.0, 25], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_distinct_etypes", 1.8222222222222222, 0.9015761233378132, 4.0, 45], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_distinct_etypes", 1.32, 0.5455272678794343, 3.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_distinct_etypes", 1.3333333333333333, 0.4714045207910317, 2.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_distinct_etypes", 1.4, 0.48989794855663565, 2.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_distinct_etypes", 1.4545454545454546, 0.6555547773570889, 3.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_distinct_etypes", 1.6666666666666667, 0.7453559924999299, 3.0, 6], ["host", "host_fam=omniconnect|loc=Munich", "network", "distinct_telematik_ids", 1.0, 0.0, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "distinct_telematik_ids", 1.3333333333333333, 0.4714045207910317, 2.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "distinct_telematik_ids", 1.25, 0.4330127018922193, 2.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "distinct_telematik_ids", 1.0, 0.0, 1.0, 1], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 3], ["user", "role=Physician|hosp=HOSP-003", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 2], ["user", "role=Physician|hosp=HOSP-003", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 1], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 1], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 1], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "distinct_msg_types", 1.0, 0.0, 1.0, 1], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "distinct_msg_types", 1.0, 0.0, 1.0, 1], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "distinct_cards", 1.4, 0.4898979485566356, 2.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "distinct_cards", 1.125, 0.33071891388307384, 2.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "distinct_cards", 1.25, 0.4330127018922193, 2.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "distinct_cards", 1.2, 0.4, 2.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "distinct_terminals", 1.4, 0.4898979485566356, 2.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "distinct_terminals", 1.125, 0.33071891388307384, 2.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "distinct_terminals", 1.25, 0.4330127018922193, 2.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "distinct_terminals", 1.2, 0.4, 2.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "distinct_card_types", 1.4, 0.4898979485566356, 2.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "distinct_card_types", 1.0, 0.0, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "distinct_card_types", 1.25, 0.4330127018922193, 2.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "distinct_card_types", 1.0, 0.0, 1.0, 5]]} \ No newline at end of file diff --git a/parsers/ueba_entity_risk b/parsers/ueba_entity_risk new file mode 100644 index 0000000..cbd151f --- /dev/null +++ b/parsers/ueba_entity_risk @@ -0,0 +1 @@ +{"columnNames": ["entity_type", "entity_id", "date", "score"], "rows": [["user", ".anna.schmidt", 1778630400000000000, 23.57], ["user", ".anna.schmidt", 1778716800000000000, 56.48], ["user", "lab.tech.sarah.koch", 1778630400000000000, 48.55], ["user", "lab.tech.sarah.koch", 1778716800000000000, 61.95], ["user", "nurse.maria.m\\u00fcller", 1778630400000000000, 52.32], ["user", "nurse.maria.m\\u00fcller", 1778716800000000000, 67.04], ["user", "pharmacist.hans.meyer", 1778630400000000000, 42.16], ["user", "pharmacist.hans.meyer", 1778716800000000000, 64.47], ["user", ".lisa.bauer", 1778630400000000000, 24.49], ["user", ".lisa.bauer", 1778716800000000000, 55.79], ["user", ".thomas.weber", 1778630400000000000, 54.25], ["user", ".thomas.weber", 1778716800000000000, 67.04], ["user", "admin.klaus.fischer", 1778630400000000000, 34.64], ["user", "admin.klaus.fischer", 1778716800000000000, 48.64], ["user", "billing.clerk.peter.wolf", 1778630400000000000, 65.91], ["user", "billing.clerk.peter.wolf", 1778716800000000000, 65.91], ["host", "avelios-app-01.berlin.local", 1778630400000000000, 42.63], ["host", "avelios-app-01.berlin.local", 1778716800000000000, 42.63], ["host", "avelios-app-01.munich.local", 1778630400000000000, 18.38], ["host", "avelios-app-01.munich.local", 1778716800000000000, 41.11], ["host", "avelios-app-02.berlin.local", 1778630400000000000, 28.14], ["host", "avelios-app-02.berlin.local", 1778716800000000000, 46.88], ["host", "avelios-app-02.munich.local", 1778630400000000000, 26.0], ["host", "avelios-app-02.munich.local", 1778716800000000000, 39.0], ["host", "avelios-app-03.berlin.local", 1778630400000000000, 48.65], ["host", "avelios-app-03.berlin.local", 1778716800000000000, 56.72], ["host", "avelios-int-01.berlin.local", 1778630400000000000, 18.39], ["host", "avelios-int-01.berlin.local", 1778716800000000000, 47.35], ["host", "avelios-app-03.munich.local", 1778630400000000000, 63.69], ["host", "avelios-app-03.munich.local", 1778716800000000000, 45.03], ["host", "avelios-int-01.munich.local", 1778630400000000000, 13.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, 40.04], ["host", "omniconnect-ber-01.local", 1778630400000000000, 39.19], ["host", "omniconnect-ber-01.local", 1778716800000000000, 59.07], ["host", "omniconnect-fra-01.local", 1778630400000000000, 59.55], ["host", "omniconnect-fra-01.local", 1778716800000000000, 82.61], ["host", "omniconnect-mun-01.local", 1778630400000000000, 83.27], ["host", "omniconnect-mun-01.local", 1778716800000000000, 88.22], ["host", "omniconnect-ham-01.local", 1778630400000000000, 42.69], ["host", "omniconnect-ham-01.local", 1778716800000000000, 64.57]]} \ No newline at end of file diff --git a/parsers/ueba_family_scores_hourly b/parsers/ueba_family_scores_hourly new file mode 100644 index 0000000..babe0e2 --- /dev/null +++ b/parsers/ueba_family_scores_hourly @@ -0,0 +1 @@ +{"columnNames": ["entity_type", "entity_id", "hour_ts", "family", "family_score", "n_features"], "rows": [["user", ".anna.schmidt", 1778702400000000000, "auth", 23.57, 17], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", 22.36, 15], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", 15.28, 17], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", 22.36, 15], ["user", ".anna.schmidt", 1778706000000000000, "auth", 23.57, 17], ["user", ".lisa.bauer", 1778706000000000000, "auth", 6.32, 17], ["user", ".thomas.weber", 1778706000000000000, "auth", 30.0, 17], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", 18.26, 17], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", 31.62, 17], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", 14.14, 17], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", 22.36, 17], ["user", ".lisa.bauer", 1778709600000000000, "auth", 24.49, 17], ["user", ".thomas.weber", 1778709600000000000, "auth", 30.0, 17], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", 34.64, 17], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", 31.62, 17], ["user", ".anna.schmidt", 1778713200000000000, "auth", 8.32, 17], ["user", ".lisa.bauer", 1778713200000000000, "auth", 6.32, 17], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", 23.45, 17], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", 22.36, 17], ["user", ".anna.schmidt", 1778716800000000000, "auth", 22.19, 17], ["user", ".thomas.weber", 1778716800000000000, "auth", 20.0, 17], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", 21.21, 17], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", 14.14, 17], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", 22.36, 17], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", 31.62, 17], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", 30.0, 17], ["user", ".lisa.bauer", 1778724000000000000, "auth", 6.32, 17], ["user", ".thomas.weber", 1778724000000000000, "auth", 12.25, 17], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", 15.0, 17], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", 30.0, 17], ["user", ".anna.schmidt", 1778727600000000000, "auth", 16.33, 17], ["user", ".thomas.weber", 1778727600000000000, "auth", 13.73, 17], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", 15.0, 17], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", 13.23, 17], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", 33.17, 17], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", 34.64, 17], ["user", ".anna.schmidt", 1778734800000000000, "auth", 21.21, 17], ["user", ".lisa.bauer", 1778734800000000000, "auth", 6.32, 17], ["user", ".thomas.weber", 1778734800000000000, "auth", 30.0, 17], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", 18.26, 17], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", 22.36, 17], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", 30.0, 17], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", 17.32, 17], ["user", ".anna.schmidt", 1778742000000000000, "auth", 16.33, 17], ["user", ".thomas.weber", 1778742000000000000, "auth", 30.0, 17], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", 18.26, 17], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", 28.01, 17], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", 15.28, 17], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", 22.36, 17], ["user", ".anna.schmidt", 1778745600000000000, "auth", 8.32, 17], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", 34.64, 17], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", 21.21, 17], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", 22.36, 17], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", 22.36, 17], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", 22.36, 17], ["user", ".lisa.bauer", 1778749200000000000, "auth", 24.49, 17], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", 18.26, 17], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", 15.28, 17], ["user", ".anna.schmidt", 1778752800000000000, "auth", 21.21, 17], ["user", ".thomas.weber", 1778752800000000000, "auth", 25.24, 17], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", 15.28, 17], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", 22.36, 17], ["user", ".anna.schmidt", 1778756400000000000, "auth", 21.21, 17], ["user", ".thomas.weber", 1778756400000000000, "auth", 30.0, 17], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", 21.21, 17], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", 33.17, 17], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", 34.64, 17], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", 31.62, 17], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", 20.0, 17], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", 22.36, 17], ["user", ".anna.schmidt", 1778763600000000000, "auth", 21.21, 17], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", 23.45, 17], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", 21.21, 17], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", 22.36, 17], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", 20.0, 17], ["user", ".lisa.bauer", 1778767200000000000, "auth", 24.49, 17], ["user", ".thomas.weber", 1778767200000000000, "auth", 20.0, 17], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", 34.64, 17], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", 16.85, 17], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", 17.32, 17], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", 32.79, 9], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", 14.14, 9], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", 12.13, 11], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", 20.0, 11], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", 15.07, 9], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", 11.29, 11], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", 20.63, 11], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", 7.07, 11], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", 21.65, 11], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", 37.42, 11], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", 48.99, 11], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", 14.15, 11], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", 10.0, 11], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", 7.07, 10], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", 15.28, 10], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", 19.76, 10], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", 11.55, 11], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", 12.25, 11], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", 9.7, 11], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", 9.42, 11], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", 11.92, 11], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", 9.13, 10], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", 10.51, 11], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", 19.61, 11], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", 15.07, 11], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", 9.42, 11], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", 11.18, 11], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", 10.0, 11], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", 10.0, 10], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", 11.55, 11], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", 12.25, 11], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", 43.63, 11], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", 11.92, 11], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", 16.04, 11], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", 17.89, 10], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", 13.61, 10], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", 32.79, 11], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", 15.81, 11], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", 14.15, 11], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", 16.04, 11], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", 22.36, 10], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", 10.0, 10], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", 15.07, 11], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", 14.14, 11], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", 12.13, 11], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", 8.16, 11], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", 15.81, 11], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", 14.15, 11], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", 7.07, 10], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", 20.43, 10], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", 17.89, 10], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", 7.07, 11], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", 10.38, 11], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", 19.39, 11], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", 9.42, 11], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", 11.18, 11], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", 14.14, 11], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", 15.07, 11], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", 36.42, 11], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", 16.04, 11], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", 14.14, 10], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", 8.16, 10], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", 10.0, 10], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", 16.33, 10], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", 32.79, 11], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", 7.07, 11], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", 12.13, 11], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", 15.07, 11], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", 9.42, 11], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", 14.15, 11], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", 8.16, 10], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", 10.0, 10], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", 23.57, 10], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", 27.08, 11], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", 16.04, 11], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", 16.71, 10], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", 10.95, 10], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", 15.07, 11], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", 29.41, 11], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", 10.38, 11], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", 8.16, 11], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", 9.42, 11], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", 9.7, 11], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", 25.3, 11], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", 9.7, 11], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", 31.62, 11], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", 12.13, 11], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", 30.0, 11], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", 15.81, 11], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", 27.08, 11], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", 9.7, 11], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", 16.04, 11], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", 22.36, 10], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", 20.0, 10], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", 16.33, 10], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", 10.51, 11], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", 7.07, 11], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", 19.61, 11], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", 9.7, 11], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", 10.0, 11], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", 14.14, 10], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", 10.95, 10], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", 10.51, 11], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", 7.07, 11], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", 36.06, 11], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", 8.16, 11], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", 31.62, 11], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", 21.08, 11], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", 10.0, 11], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", 21.21, 10], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", 10.51, 11], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", 7.07, 11], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", 4.85, 11], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", 15.07, 11], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", 22.99, 11], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", 10.0, 11], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", 10.51, 11], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", 8.16, 11], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", 19.61, 11], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", 14.15, 11], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", 30.8, 11], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", 8.16, 10], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", 9.7, 11], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", 7.07, 11], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", 30.0, 11], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", 15.07, 11], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", 9.42, 11], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", 11.92, 11], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", 10.0, 11], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", 7.07, 10], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", 15.28, 10], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", 10.95, 10], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", 9.7, 11], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", 12.13, 11], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", 12.25, 11], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", 15.07, 11], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", 9.42, 11], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", 11.92, 11], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", 10.0, 11], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", 15.28, 10], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", 10.95, 10], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", 0.0, 15], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", 22.36, 16], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", 0.0, 15], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", 14.14, 16], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", 0.0, 15], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", 14.14, 16], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", 22.36, 16], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", 0.0, 15], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", 17.32, 16], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", 0.0, 15], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", 14.14, 16], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", 0.0, 15], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", 22.36, 16], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", 0.0, 15], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", 22.36, 16], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", 0.0, 15], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", 17.32, 16], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", 0.0, 15], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", 0.0, 16], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", 15.08, 16], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", 22.36, 16], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", 0.0, 15], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", 22.36, 16], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", 0.0, 15], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", 17.32, 16], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", 24.49, 14], ["user", ".thomas.weber", 1778706000000000000, "cloud", 17.32, 14], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", 11.18, 14], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", 26.46, 14], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", 14.14, 14], ["user", ".thomas.weber", 1778709600000000000, "cloud", 17.32, 14], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", 24.49, 16], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", 18.71, 16], ["user", ".thomas.weber", 1778716800000000000, "cloud", 26.46, 16], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", 24.49, 16], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", 18.71, 14], ["user", ".anna.schmidt", 1778720400000000000, "cloud", 14.9, 16], ["user", ".thomas.weber", 1778720400000000000, "cloud", 12.91, 14], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", 25.0, 16], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", 22.36, 14], ["user", ".anna.schmidt", 1778724000000000000, "cloud", 11.55, 16], ["user", ".lisa.bauer", 1778724000000000000, "cloud", 14.14, 16], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", 10.0, 16], ["user", ".thomas.weber", 1778727600000000000, "cloud", 12.91, 14], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", 17.32, 14], ["user", ".anna.schmidt", 1778731200000000000, "cloud", 24.49, 16], ["user", ".lisa.bauer", 1778731200000000000, "cloud", 22.36, 14], ["user", ".thomas.weber", 1778731200000000000, "cloud", 26.46, 14], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", 24.49, 16], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", 17.32, 14], ["user", ".lisa.bauer", 1778734800000000000, "cloud", 22.36, 16], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", 17.32, 14], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", 11.18, 14], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", 17.32, 14], ["user", ".anna.schmidt", 1778742000000000000, "cloud", 16.27, 16], ["user", ".lisa.bauer", 1778742000000000000, "cloud", 22.36, 17], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", 28.28, 14], ["user", ".anna.schmidt", 1778745600000000000, "cloud", 24.49, 14], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", 24.49, 14], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", 14.14, 14], ["user", ".anna.schmidt", 1778749200000000000, "cloud", 24.49, 14], ["user", ".lisa.bauer", 1778749200000000000, "cloud", 14.14, 14], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", 17.32, 14], ["user", ".lisa.bauer", 1778752800000000000, "cloud", 14.14, 16], ["user", ".thomas.weber", 1778752800000000000, "cloud", 17.32, 14], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", 28.28, 16], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", 22.36, 16], ["user", ".thomas.weber", 1778756400000000000, "cloud", 26.46, 14], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", 18.71, 14], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", 17.32, 14], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", 22.36, 14], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", 10.0, 14], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", 24.49, 14], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", 26.46, 16], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", 22.36, 14], ["user", ".anna.schmidt", 1778763600000000000, "cloud", 24.49, 14], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", 15.81, 14], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", 28.28, 16], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", 20.0, 20], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", 26.46, 20], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", 26.46, 20], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", 17.32, 20], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", 12.25, 20], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", 8.16, 20], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", 12.25, 20], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", 26.46, 20], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", 20.0, 20], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", 12.25, 20], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", 17.32, 20], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", 20.0, 20], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", 26.46, 20], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", 17.32, 20], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", 20.0, 20], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", 26.46, 20], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", 17.32, 20], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", 26.46, 20], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", 20.0, 20], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", 17.32, 20], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", 26.46, 20], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", 20.0, 20], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", 17.32, 20], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", 17.32, 20], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", 26.46, 20], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", 26.46, 20]]} \ No newline at end of file diff --git a/parsers/ueba_feature_scores_hourly b/parsers/ueba_feature_scores_hourly new file mode 100644 index 0000000..8d884fa --- /dev/null +++ b/parsers/ueba_feature_scores_hourly @@ -0,0 +1 @@ +{"columnNames": ["entity_type", "entity_id", "hour_ts", "family", "feature_name", "value", "z_self", "z_peer", "over_q99", "over_q99_peer", "feature_score"], "rows": [["user", ".anna.schmidt", 1778702400000000000, "auth", "auth_total", 3.0, 2.357, 0.0, 0, 0, 2.357], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "auth_total", 1.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "auth_total", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".anna.schmidt", 1778706000000000000, "auth", "auth_total", 2.0, 0.832, 0.0, 0, 0, 0.832], ["user", ".lisa.bauer", 1778706000000000000, "auth", "auth_total", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "auth_total", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "auth_total", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "auth_total", 2.0, 1.414, 0.0, 0, 0, 1.414], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".lisa.bauer", 1778709600000000000, "auth", "auth_total", 3.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".thomas.weber", 1778709600000000000, "auth", "auth_total", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "auth_total", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", ".anna.schmidt", 1778713200000000000, "auth", "auth_total", 1.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".lisa.bauer", 1778713200000000000, "auth", "auth_total", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".anna.schmidt", 1778716800000000000, "auth", "auth_total", 2.0, 0.832, 0.0, 0, 0, 0.832], ["user", ".thomas.weber", 1778716800000000000, "auth", "auth_total", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "auth_total", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "auth_total", 1.0, -0.707, 0.0, 0, 0, 0.707], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "auth_total", 2.0, 1.069, 1.069, 0, 0, 1.069], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "auth_total", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "auth_total", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".lisa.bauer", 1778724000000000000, "auth", "auth_total", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "auth_total", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "auth_total", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778727600000000000, "auth", "auth_total", 1.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778727600000000000, "auth", "auth_total", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "auth_total", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "auth_total", 3.0, 2.673, 2.673, 0, 0, 2.673], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "auth_total", 2.0, 1.826, 1.826, 0, 0, 1.826], ["user", ".anna.schmidt", 1778734800000000000, "auth", "auth_total", 1.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".lisa.bauer", 1778734800000000000, "auth", "auth_total", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "auth_total", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "auth_total", 2.0, 1.414, 0.0, 0, 0, 1.414], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "auth_total", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".anna.schmidt", 1778742000000000000, "auth", "auth_total", 1.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778742000000000000, "auth", "auth_total", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "auth_total", 3.0, 2.219, 2.219, 0, 0, 2.219], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "auth_total", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".anna.schmidt", 1778745600000000000, "auth", "auth_total", 1.0, -0.693, 0.0, 0, 0, 0.693], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "auth_total", 2.0, 1.826, 1.826, 0, 0, 1.826], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "auth_total", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "auth_total", 1.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "auth_total", 3.0, 2.236, 2.236, 0, 0, 2.236], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".lisa.bauer", 1778749200000000000, "auth", "auth_total", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "auth_total", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778752800000000000, "auth", "auth_total", 1.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778752800000000000, "auth", "auth_total", 4.0, 2.524, 2.524, 0, 0, 2.524], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "auth_total", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "auth_total", 2.0, 1.069, 1.069, 0, 0, 1.069], ["user", ".anna.schmidt", 1778756400000000000, "auth", "auth_total", 2.0, 0.832, 0.0, 0, 0, 0.832], ["user", ".thomas.weber", 1778756400000000000, "auth", "auth_total", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "auth_total", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "auth_total", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "auth_total", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".anna.schmidt", 1778763600000000000, "auth", "auth_total", 1.0, -0.693, 0.0, 0, 0, 0.693], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "auth_total", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "auth_total", 1.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "auth_total", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".lisa.bauer", 1778767200000000000, "auth", "auth_total", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "auth_total", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "auth_total", 2.0, 1.826, 1.826, 0, 0, 1.826], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "auth_total", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".anna.schmidt", 1778702400000000000, "auth", "auth_fail", 1.0, 0.693, 0.0, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "auth_fail", 1.0, 1.0, 0.0, 0, 0, 1.0], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "auth_fail", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "auth_fail", 1.0, 0.42, 0.42, 0, 0, 0.42], ["user", ".anna.schmidt", 1778706000000000000, "auth", "auth_fail", 0.0, -0.832, 0.0, 0, 0, 0.832], ["user", ".lisa.bauer", 1778706000000000000, "auth", "auth_fail", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "auth_fail", 0.0, -1.225, -1.225, 0, 0, 1.225], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "auth_fail", 0.0, -1.588, -1.588, 0, 0, 1.588], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "auth_fail", 1.0, 0.693, 0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "auth_fail", 1.0, 1.0, 0.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "auth_fail", 1.0, 0.42, 0.42, 0, 0, 0.42], ["user", ".lisa.bauer", 1778709600000000000, "auth", "auth_fail", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778709600000000000, "auth", "auth_fail", 1.0, 0.816, 0.816, 0, 0, 0.816], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "auth_fail", 1.0, 0.693, 0.693, 0, 0, 0.693], ["user", ".anna.schmidt", 1778713200000000000, "auth", "auth_fail", 0.0, -0.832, 0.0, 0, 0, 0.832], ["user", ".lisa.bauer", 1778713200000000000, "auth", "auth_fail", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "auth_fail", 1.0, 0.42, 0.42, 0, 0, 0.42], ["user", ".anna.schmidt", 1778716800000000000, "auth", "auth_fail", 2.0, 2.219, 0.0, 0, 0, 2.219], ["user", ".thomas.weber", 1778716800000000000, "auth", "auth_fail", 1.0, 0.816, 0.816, 0, 0, 0.816], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "auth_fail", 0.0, -0.832, -0.832, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "auth_fail", 1.0, 1.0, 0.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "auth_fail", 2.0, 2.1, 2.1, 0, 0, 2.1], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "auth_fail", 0.0, -0.832, -0.832, 0, 0, 0.832], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "auth_fail", 1.0, 1.0, 1.0, 0, 0, 1.0], ["user", ".lisa.bauer", 1778724000000000000, "auth", "auth_fail", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "auth_fail", 0.0, -1.225, -1.225, 0, 0, 1.225], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "auth_fail", 1.0, 1.0, 1.0, 0, 0, 1.0], ["user", ".anna.schmidt", 1778727600000000000, "auth", "auth_fail", 0.0, -0.832, 0.0, 0, 0, 0.832], ["user", ".thomas.weber", 1778727600000000000, "auth", "auth_fail", 0.0, -1.225, -1.225, 0, 0, 1.225], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "auth_fail", 0.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "auth_fail", 1.0, 0.42, 0.42, 0, 0, 0.42], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "auth_fail", 2.0, 2.165, 2.165, 0, 0, 2.165], ["user", ".anna.schmidt", 1778734800000000000, "auth", "auth_fail", 1.0, 0.693, 0.0, 0, 0, 0.693], ["user", ".lisa.bauer", 1778734800000000000, "auth", "auth_fail", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "auth_fail", 1.0, 0.816, 0.816, 0, 0, 0.816], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "auth_fail", 0.0, -1.0, 0.0, 0, 0, 1.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "auth_fail", 1.0, 1.0, 1.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "auth_fail", 1.0, 0.42, 0.42, 0, 0, 0.42], ["user", ".anna.schmidt", 1778742000000000000, "auth", "auth_fail", 0.0, -0.832, 0.0, 0, 0, 0.832], ["user", ".thomas.weber", 1778742000000000000, "auth", "auth_fail", 1.0, 0.816, 0.816, 0, 0, 0.816], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "auth_fail", 2.0, 2.219, 2.219, 0, 0, 2.219], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "auth_fail", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "auth_fail", 0.0, -1.26, -1.26, 0, 0, 1.26], ["user", ".anna.schmidt", 1778745600000000000, "auth", "auth_fail", 0.0, -0.832, 0.0, 0, 0, 0.832], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "auth_fail", 0.0, -0.832, -0.832, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "auth_fail", 0.0, -1.0, 0.0, 0, 0, 1.0], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "auth_fail", 1.0, 1.0, 1.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "auth_fail", 1.0, 0.42, 0.42, 0, 0, 0.42], ["user", ".lisa.bauer", 1778749200000000000, "auth", "auth_fail", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "auth_fail", 0.0, -1.588, -1.588, 0, 0, 1.588], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "auth_fail", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", ".anna.schmidt", 1778752800000000000, "auth", "auth_fail", 1.0, 0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778752800000000000, "auth", "auth_fail", 0.0, -1.225, -1.225, 0, 0, 1.225], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "auth_fail", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "auth_fail", 1.0, 0.42, 0.42, 0, 0, 0.42], ["user", ".anna.schmidt", 1778756400000000000, "auth", "auth_fail", 1.0, 0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778756400000000000, "auth", "auth_fail", 1.0, 0.816, 0.816, 0, 0, 0.816], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "auth_fail", 0.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "auth_fail", 0.0, -1.26, -1.26, 0, 0, 1.26], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "auth_fail", 0.0, -1.588, -1.588, 0, 0, 1.588], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "auth_fail", 1.0, 0.693, 0.693, 0, 0, 0.693], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "auth_fail", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "auth_fail", 0.0, -1.26, -1.26, 0, 0, 1.26], ["user", ".anna.schmidt", 1778763600000000000, "auth", "auth_fail", 0.0, -0.832, 0.0, 0, 0, 0.832], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "auth_fail", 0.0, -0.832, -0.832, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "auth_fail", 0.0, -1.0, 0.0, 0, 0, 1.0], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "auth_fail", 1.0, 1.0, 1.0, 0, 0, 1.0], ["user", ".lisa.bauer", 1778767200000000000, "auth", "auth_fail", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "auth_fail", 1.0, 0.816, 0.816, 0, 0, 0.816], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "auth_fail", 1.0, 0.693, 0.693, 0, 0, 0.693], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "auth_fail", 0.0, -1.26, -1.26, 0, 0, 1.26], ["user", ".anna.schmidt", 1778702400000000000, "auth", "auth_succ", 2.0, 1.633, 0.0, 0, 0, 1.633], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "auth_succ", 0.0, -1.213, 0.0, 0, 0, 1.213], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "auth_succ", 0.0, -0.911, -0.911, 0, 0, 0.911], ["user", ".anna.schmidt", 1778706000000000000, "auth", "auth_succ", 2.0, 1.633, 0.0, 0, 0, 1.633], ["user", ".lisa.bauer", 1778706000000000000, "auth", "auth_succ", 1.0, -0.171, 0.0, 0, 0, 0.171], ["user", ".thomas.weber", 1778706000000000000, "auth", "auth_succ", 2.0, 0.686, 0.686, 0, 0, 0.686], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "auth_succ", 1.0, 1.265, 1.265, 0, 0, 1.265], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "auth_succ", 1.0, 0.243, 0.0, 0, 0, 0.243], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "auth_succ", 0.0, -0.911, -0.911, 0, 0, 0.911], ["user", ".lisa.bauer", 1778709600000000000, "auth", "auth_succ", 3.0, 2.229, 0.0, 0, 0, 2.229], ["user", ".thomas.weber", 1778709600000000000, "auth", "auth_succ", 1.0, -0.171, -0.171, 0, 0, 0.171], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "auth_succ", 0.0, -1.658, -1.658, 0, 0, 1.658], ["user", ".anna.schmidt", 1778713200000000000, "auth", "auth_succ", 1.0, 0.136, 0.0, 0, 0, 0.136], ["user", ".lisa.bauer", 1778713200000000000, "auth", "auth_succ", 1.0, -0.171, 0.0, 0, 0, 0.171], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "auth_succ", 0.0, -0.911, -0.911, 0, 0, 0.911], ["user", ".anna.schmidt", 1778716800000000000, "auth", "auth_succ", 0.0, -1.361, 0.0, 0, 0, 1.361], ["user", ".thomas.weber", 1778716800000000000, "auth", "auth_succ", 1.0, -0.171, -0.171, 0, 0, 0.171], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "auth_succ", 0.0, -1.213, 0.0, 0, 0, 1.213], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "auth_succ", 0.0, -0.911, -0.911, 0, 0, 0.911], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "auth", "auth_succ", 1.0, -0.171, 0.0, 0, 0, 0.171], ["user", ".thomas.weber", 1778724000000000000, "auth", "auth_succ", 1.0, -0.171, -0.171, 0, 0, 0.171], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778727600000000000, "auth", "auth_succ", 1.0, 0.136, 0.0, 0, 0, 0.136], ["user", ".thomas.weber", 1778727600000000000, "auth", "auth_succ", 2.0, 0.686, 0.686, 0, 0, 0.686], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "auth_succ", 2.0, 2.213, 2.213, 0, 0, 2.213], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", ".anna.schmidt", 1778734800000000000, "auth", "auth_succ", 0.0, -1.361, 0.0, 0, 0, 1.361], ["user", ".lisa.bauer", 1778734800000000000, "auth", "auth_succ", 1.0, -0.171, 0.0, 0, 0, 0.171], ["user", ".thomas.weber", 1778734800000000000, "auth", "auth_succ", 0.0, -1.029, -1.029, 0, 0, 1.029], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "auth_succ", 2.0, 1.698, 0.0, 0, 0, 1.698], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "auth_succ", 0.0, -2.236, -2.236, 0, 0, 2.236], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "auth_succ", 0.0, -0.911, -0.911, 0, 0, 0.911], ["user", ".anna.schmidt", 1778742000000000000, "auth", "auth_succ", 1.0, 0.136, 0.0, 0, 0, 0.136], ["user", ".thomas.weber", 1778742000000000000, "auth", "auth_succ", 0.0, -1.029, -1.029, 0, 0, 1.029], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "auth_succ", 1.0, 0.651, 0.651, 0, 0, 0.651], ["user", ".anna.schmidt", 1778745600000000000, "auth", "auth_succ", 1.0, 0.136, 0.0, 0, 0, 0.136], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "auth_succ", 1.0, 1.265, 1.265, 0, 0, 1.265], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "auth_succ", 2.0, 1.658, 1.658, 0, 0, 1.658], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "auth_succ", 1.0, 0.243, 0.0, 0, 0, 0.243], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "auth_succ", 2.0, 2.236, 2.236, 0, 0, 2.236], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "auth_succ", 0.0, -0.911, -0.911, 0, 0, 0.911], ["user", ".lisa.bauer", 1778749200000000000, "auth", "auth_succ", 0.0, -1.372, 0.0, 0, 0, 1.372], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "auth_succ", 1.0, 1.265, 1.265, 0, 0, 1.265], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778752800000000000, "auth", "auth_succ", 0.0, -1.361, 0.0, 0, 0, 1.361], ["user", ".thomas.weber", 1778752800000000000, "auth", "auth_succ", 4.0, 2.401, 2.401, 0, 0, 2.401], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "auth_succ", 1.0, 0.651, 0.651, 0, 0, 0.651], ["user", ".anna.schmidt", 1778756400000000000, "auth", "auth_succ", 1.0, 0.136, 0.0, 0, 0, 0.136], ["user", ".thomas.weber", 1778756400000000000, "auth", "auth_succ", 1.0, -0.171, -0.171, 0, 0, 0.171], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "auth_succ", 1.0, 0.651, 0.651, 0, 0, 0.651], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "auth_succ", 1.0, 1.265, 1.265, 0, 0, 1.265], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "auth_succ", 1.0, 0.651, 0.651, 0, 0, 0.651], ["user", ".anna.schmidt", 1778763600000000000, "auth", "auth_succ", 1.0, 0.136, 0.0, 0, 0, 0.136], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "auth_succ", 2.0, 1.658, 1.658, 0, 0, 1.658], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "auth_succ", 1.0, 0.243, 0.0, 0, 0, 0.243], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778767200000000000, "auth", "auth_succ", 1.0, -0.171, 0.0, 0, 0, 0.171], ["user", ".thomas.weber", 1778767200000000000, "auth", "auth_succ", 0.0, -1.029, -1.029, 0, 0, 1.029], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "auth_succ", 1.0, 1.265, 1.265, 0, 0, 1.265], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "auth_succ", 0.0, -1.658, -1.658, 0, 0, 1.658], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "auth_succ", 1.0, 0.651, 0.651, 0, 0, 0.651], ["user", ".anna.schmidt", 1778702400000000000, "auth", "auth_fail_ratio", 0.3333333333333333, -0.035, 0.0, 0, 0, 0.035], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "auth_fail_ratio", 1.0, 1.3, 0.0, 0, 0, 1.3], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "auth_fail_ratio", 0.0, -0.871, -0.871, 0, 0, 0.871], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "auth_fail_ratio", 1.0, 0.949, 0.949, 0, 0, 0.949], ["user", ".anna.schmidt", 1778706000000000000, "auth", "auth_fail_ratio", 0.0, -0.812, 0.0, 0, 0, 0.812], ["user", ".lisa.bauer", 1778706000000000000, "auth", "auth_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "auth_fail_ratio", 0.0, -1.083, -1.083, 0, 0, 1.083], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "auth_fail_ratio", 0.0, -1.657, -1.657, 0, 0, 1.657], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "auth_fail_ratio", 0.5, 0.421, 0.421, 0, 0, 0.421], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "auth_fail_ratio", 0.5, 0.186, 0.0, 0, 0, 0.186], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "auth_fail_ratio", 1.0, 0.949, 0.949, 0, 0, 0.949], ["user", ".lisa.bauer", 1778709600000000000, "auth", "auth_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778709600000000000, "auth", "auth_fail_ratio", 0.5, 0.12, 0.12, 0, 0, 0.12], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "auth_fail_ratio", 1.0, 1.685, 1.685, 0, 0, 1.685], ["user", ".anna.schmidt", 1778713200000000000, "auth", "auth_fail_ratio", 0.0, -0.812, 0.0, 0, 0, 0.812], ["user", ".lisa.bauer", 1778713200000000000, "auth", "auth_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "auth_fail_ratio", 1.0, 0.949, 0.949, 0, 0, 0.949], ["user", ".anna.schmidt", 1778716800000000000, "auth", "auth_fail_ratio", 1.0, 1.518, 0.0, 0, 0, 1.518], ["user", ".thomas.weber", 1778716800000000000, "auth", "auth_fail_ratio", 0.5, 0.12, 0.12, 0, 0, 0.12], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "auth_fail_ratio", 0.0, -0.842, -0.842, 0, 0, 0.842], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "auth_fail_ratio", 1.0, 1.3, 0.0, 0, 0, 1.3], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "auth_fail_ratio", 1.0, 0.949, 0.949, 0, 0, 0.949], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "auth_fail_ratio", 0.0, -0.842, -0.842, 0, 0, 0.842], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "auth_fail_ratio", 0.5, 0.666, 0.666, 0, 0, 0.666], ["user", ".lisa.bauer", 1778724000000000000, "auth", "auth_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "auth_fail_ratio", 0.0, -1.083, -1.083, 0, 0, 1.083], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "auth_fail_ratio", 0.5, 0.666, 0.666, 0, 0, 0.666], ["user", ".anna.schmidt", 1778727600000000000, "auth", "auth_fail_ratio", 0.0, -0.812, 0.0, 0, 0, 0.812], ["user", ".thomas.weber", 1778727600000000000, "auth", "auth_fail_ratio", 0.0, -1.083, -1.083, 0, 0, 1.083], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "auth_fail_ratio", 0.0, -0.842, -0.842, 0, 0, 0.842], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "auth_fail_ratio", 0.3333333333333333, -0.52, -0.52, 0, 0, 0.52], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", ".anna.schmidt", 1778734800000000000, "auth", "auth_fail_ratio", 1.0, 1.518, 0.0, 0, 0, 1.518], ["user", ".lisa.bauer", 1778734800000000000, "auth", "auth_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "auth_fail_ratio", 1.0, 1.324, 1.324, 0, 0, 1.324], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "auth_fail_ratio", 0.0, -0.928, 0.0, 0, 0, 0.928], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "auth_fail_ratio", 1.0, 2.203, 2.203, 0, 0, 2.203], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "auth_fail_ratio", 1.0, 0.949, 0.949, 0, 0, 0.949], ["user", ".anna.schmidt", 1778742000000000000, "auth", "auth_fail_ratio", 0.0, -0.812, 0.0, 0, 0, 0.812], ["user", ".thomas.weber", 1778742000000000000, "auth", "auth_fail_ratio", 1.0, 1.324, 1.324, 0, 0, 1.324], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "auth_fail_ratio", 0.6666666666666666, 0.842, 0.842, 0, 0, 0.842], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "auth_fail_ratio", 0.0, -0.871, -0.871, 0, 0, 0.871], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "auth_fail_ratio", 0.0, -1.255, -1.255, 0, 0, 1.255], ["user", ".anna.schmidt", 1778745600000000000, "auth", "auth_fail_ratio", 0.0, -0.812, 0.0, 0, 0, 0.812], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "auth_fail_ratio", 0.5, -0.46, -0.46, 0, 0, 0.46], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "auth_fail_ratio", 0.0, -0.842, -0.842, 0, 0, 0.842], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "auth_fail_ratio", 0.0, -0.928, 0.0, 0, 0, 0.928], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "auth_fail_ratio", 0.3333333333333333, 0.154, 0.154, 0, 0, 0.154], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "auth_fail_ratio", 1.0, 0.949, 0.949, 0, 0, 0.949], ["user", ".lisa.bauer", 1778749200000000000, "auth", "auth_fail_ratio", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "auth_fail_ratio", 0.0, -1.657, -1.657, 0, 0, 1.657], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "auth_fail_ratio", 0.0, -0.871, -0.871, 0, 0, 0.871], ["user", ".anna.schmidt", 1778752800000000000, "auth", "auth_fail_ratio", 1.0, 1.518, 0.0, 0, 0, 1.518], ["user", ".thomas.weber", 1778752800000000000, "auth", "auth_fail_ratio", 0.0, -1.083, -1.083, 0, 0, 1.083], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "auth_fail_ratio", 0.0, -0.871, -0.871, 0, 0, 0.871], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "auth_fail_ratio", 0.5, -0.153, -0.153, 0, 0, 0.153], ["user", ".anna.schmidt", 1778756400000000000, "auth", "auth_fail_ratio", 0.5, 0.353, 0.0, 0, 0, 0.353], ["user", ".thomas.weber", 1778756400000000000, "auth", "auth_fail_ratio", 0.5, 0.12, 0.12, 0, 0, 0.12], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "auth_fail_ratio", 0.0, -0.842, -0.842, 0, 0, 0.842], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "auth_fail_ratio", 0.0, -1.255, -1.255, 0, 0, 1.255], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "auth_fail_ratio", 0.0, -1.657, -1.657, 0, 0, 1.657], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "auth_fail_ratio", 0.5, 0.421, 0.421, 0, 0, 0.421], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "auth_fail_ratio", 0.0, -0.871, -0.871, 0, 0, 0.871], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "auth_fail_ratio", 0.0, -1.255, -1.255, 0, 0, 1.255], ["user", ".anna.schmidt", 1778763600000000000, "auth", "auth_fail_ratio", 0.0, -0.812, 0.0, 0, 0, 0.812], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "auth_fail_ratio", 0.0, -0.842, -0.842, 0, 0, 0.842], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "auth_fail_ratio", 0.0, -0.928, 0.0, 0, 0, 0.928], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "auth_fail_ratio", 0.5, 0.666, 0.666, 0, 0, 0.666], ["user", ".lisa.bauer", 1778767200000000000, "auth", "auth_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "auth_fail_ratio", 1.0, 1.324, 1.324, 0, 0, 1.324], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "auth_fail_ratio", 0.5, -0.46, -0.46, 0, 0, 0.46], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "auth_fail_ratio", 1.0, 1.685, 1.685, 0, 0, 1.685], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "auth_fail_ratio", 0.0, -1.255, -1.255, 0, 0, 1.255], ["user", ".anna.schmidt", 1778702400000000000, "auth", "login_success", 1.0, 0.832, 0.0, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "login_success", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "login_success", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778706000000000000, "auth", "login_success", 2.0, 2.357, 0.0, 0, 0, 2.357], ["user", ".lisa.bauer", 1778706000000000000, "auth", "login_success", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "login_success", 0.0, -0.756, -0.756, 0, 0, 0.756], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "login_success", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778709600000000000, "auth", "login_success", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".thomas.weber", 1778709600000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "login_success", 0.0, -0.756, -0.756, 0, 0, 0.756], ["user", ".anna.schmidt", 1778713200000000000, "auth", "login_success", 1.0, 0.832, 0.0, 0, 0, 0.832], ["user", ".lisa.bauer", 1778713200000000000, "auth", "login_success", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778716800000000000, "auth", "login_success", 0.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778716800000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "login_success", 0.0, -0.756, -0.756, 0, 0, 0.756], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "login_success", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "login_success", 0.0, -0.756, -0.756, 0, 0, 0.756], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "login_success", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", ".lisa.bauer", 1778724000000000000, "auth", "login_success", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "login_success", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", ".anna.schmidt", 1778727600000000000, "auth", "login_success", 0.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778727600000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "login_success", 1.0, 1.323, 1.323, 0, 0, 1.323], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "login_success", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", ".anna.schmidt", 1778734800000000000, "auth", "login_success", 0.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".lisa.bauer", 1778734800000000000, "auth", "login_success", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "login_success", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "login_success", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778742000000000000, "auth", "login_success", 0.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778742000000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "login_success", 0.0, -0.756, -0.756, 0, 0, 0.756], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "login_success", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778745600000000000, "auth", "login_success", 1.0, 0.832, 0.0, 0, 0, 0.832], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "login_success", 1.0, 1.323, 1.323, 0, 0, 1.323], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "login_success", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "login_success", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778749200000000000, "auth", "login_success", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "login_success", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", ".anna.schmidt", 1778752800000000000, "auth", "login_success", 0.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778752800000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "login_success", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "login_success", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", ".anna.schmidt", 1778756400000000000, "auth", "login_success", 0.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778756400000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "login_success", 0.0, -0.756, -0.756, 0, 0, 0.756], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "login_success", 1.0, 3.464, 3.464, 0, 0, 3.464], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "login_success", 1.0, 1.323, 1.323, 0, 0, 1.323], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "login_success", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778763600000000000, "auth", "login_success", 0.0, -0.693, 0.0, 0, 0, 0.693], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "login_success", 1.0, 1.323, 1.323, 0, 0, 1.323], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "login_success", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "login_success", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", ".lisa.bauer", 1778767200000000000, "auth", "login_success", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "login_success", 0.0, -0.756, -0.756, 0, 0, 0.756], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "login_success", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", ".anna.schmidt", 1778702400000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "login_failure", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".anna.schmidt", 1778706000000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778706000000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".lisa.bauer", 1778709600000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", ".anna.schmidt", 1778713200000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778713200000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "login_failure", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".anna.schmidt", 1778716800000000000, "auth", "login_failure", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", ".thomas.weber", 1778716800000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".lisa.bauer", 1778724000000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778724000000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".anna.schmidt", 1778727600000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778727600000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", ".anna.schmidt", 1778734800000000000, "auth", "login_failure", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", ".lisa.bauer", 1778734800000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778734800000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778742000000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778742000000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778745600000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "login_failure", 1.0, 3.464, 3.464, 0, 0, 3.464], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "login_failure", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".lisa.bauer", 1778749200000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".anna.schmidt", 1778752800000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778752800000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778756400000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778756400000000000, "auth", "login_failure", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "login_failure", 1.0, 3.162, 3.162, 0, 0, 3.162], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778763600000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "login_failure", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", ".lisa.bauer", 1778767200000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778767200000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778702400000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "logout", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778706000000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778706000000000000, "auth", "logout", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "logout", 0.0, -0.588, -0.588, 0, 0, 0.588], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "logout", 1.0, 2.121, 2.121, 0, 0, 2.121], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "logout", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".lisa.bauer", 1778709600000000000, "auth", "logout", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778709600000000000, "auth", "logout", 0.0, -0.588, -0.588, 0, 0, 0.588], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", ".anna.schmidt", 1778713200000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778713200000000000, "auth", "logout", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778716800000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "auth", "logout", 0.0, -0.588, -0.588, 0, 0, 0.588], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "logout", 1.0, 2.121, 2.121, 0, 0, 2.121], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "logout", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".lisa.bauer", 1778724000000000000, "auth", "logout", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "logout", 1.0, 0.392, 0.392, 0, 0, 0.392], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".anna.schmidt", 1778727600000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "auth", "logout", 2.0, 1.373, 1.373, 0, 0, 1.373], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "logout", 1.0, 3.317, 3.317, 0, 0, 3.317], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", ".anna.schmidt", 1778734800000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "auth", "logout", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "logout", 0.0, -0.588, -0.588, 0, 0, 0.588], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "logout", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778742000000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778742000000000000, "auth", "logout", 0.0, -0.588, -0.588, 0, 0, 0.588], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778745600000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "logout", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".lisa.bauer", 1778749200000000000, "auth", "logout", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".anna.schmidt", 1778752800000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "auth", "logout", 3.0, 2.353, 2.353, 0, 0, 2.353], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778756400000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "auth", "logout", 0.0, -0.588, -0.588, 0, 0, 0.588], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "logout", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778763600000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "logout", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "logout", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", ".lisa.bauer", 1778767200000000000, "auth", "logout", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".thomas.weber", 1778767200000000000, "auth", "logout", 0.0, -0.588, -0.588, 0, 0, 0.588], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "logout", 1.0, 3.464, 3.464, 0, 0, 3.464], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778702400000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778706000000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".lisa.bauer", 1778706000000000000, "auth", "session_timeout", 1.0, 0.632, 0.0, 0, 0, 0.632], ["user", ".thomas.weber", 1778706000000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".lisa.bauer", 1778709600000000000, "auth", "session_timeout", 1.0, 0.632, 0.0, 0, 0, 0.632], ["user", ".thomas.weber", 1778709600000000000, "auth", "session_timeout", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", ".anna.schmidt", 1778713200000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".lisa.bauer", 1778713200000000000, "auth", "session_timeout", 1.0, 0.632, 0.0, 0, 0, 0.632], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778716800000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".thomas.weber", 1778716800000000000, "auth", "session_timeout", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".lisa.bauer", 1778724000000000000, "auth", "session_timeout", 1.0, 0.632, 0.0, 0, 0, 0.632], ["user", ".thomas.weber", 1778724000000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "session_timeout", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", ".anna.schmidt", 1778727600000000000, "auth", "session_timeout", 1.0, 1.633, 0.0, 0, 0, 1.633], ["user", ".thomas.weber", 1778727600000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778734800000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".lisa.bauer", 1778734800000000000, "auth", "session_timeout", 1.0, 0.632, 0.0, 0, 0, 0.632], ["user", ".thomas.weber", 1778734800000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778742000000000000, "auth", "session_timeout", 1.0, 1.633, 0.0, 0, 0, 1.633], ["user", ".thomas.weber", 1778742000000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "session_timeout", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".anna.schmidt", 1778745600000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "session_timeout", 1.0, 2.121, 2.121, 0, 0, 2.121], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "session_timeout", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".lisa.bauer", 1778749200000000000, "auth", "session_timeout", 0.0, -1.581, 0.0, 0, 0, 1.581], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".anna.schmidt", 1778752800000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".thomas.weber", 1778752800000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778756400000000000, "auth", "session_timeout", 1.0, 1.633, 0.0, 0, 0, 1.633], ["user", ".thomas.weber", 1778756400000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "session_timeout", 1.0, 2.121, 2.121, 0, 0, 2.121], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "session_timeout", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".anna.schmidt", 1778763600000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".lisa.bauer", 1778767200000000000, "auth", "session_timeout", 0.0, -1.581, 0.0, 0, 0, 1.581], ["user", ".thomas.weber", 1778767200000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778702400000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "mfa_success", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778706000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778706000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "auth", "mfa_success", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "mfa_success", 1.0, 1.826, 1.826, 0, 0, 1.826], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "mfa_success", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778709600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", ".anna.schmidt", 1778713200000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778713200000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778716800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "mfa_success", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "mfa_success", 1.0, 3.162, 3.162, 0, 0, 3.162], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778724000000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778727600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", ".anna.schmidt", 1778734800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778734800000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "mfa_success", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778742000000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "mfa_success", 1.0, 1.826, 1.826, 0, 0, 1.826], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "mfa_success", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "mfa_success", 1.0, 1.826, 1.826, 0, 0, 1.826], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778752800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778756400000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "mfa_success", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778767200000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778767200000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778702400000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "mfa_failure", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778706000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778706000000000000, "auth", "mfa_failure", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "mfa_failure", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778709600000000000, "auth", "mfa_failure", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778709600000000000, "auth", "mfa_failure", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "mfa_failure", 1.0, 3.464, 3.464, 0, 0, 3.464], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778713200000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778713200000000000, "auth", "mfa_failure", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778716800000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "mfa_failure", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".lisa.bauer", 1778724000000000000, "auth", "mfa_failure", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "mfa_failure", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", ".anna.schmidt", 1778727600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", ".anna.schmidt", 1778734800000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "auth", "mfa_failure", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "mfa_failure", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778742000000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "mfa_failure", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "auth", "mfa_failure", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".anna.schmidt", 1778752800000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778756400000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "mfa_failure", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".lisa.bauer", 1778767200000000000, "auth", "mfa_failure", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778702400000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "mfa_fail_ratio", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778706000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778706000000000000, "auth", "mfa_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "mfa_fail_ratio", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778709600000000000, "auth", "mfa_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778709600000000000, "auth", "mfa_fail_ratio", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "mfa_fail_ratio", 1.0, 3.464, 3.464, 0, 0, 3.464], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778713200000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778713200000000000, "auth", "mfa_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778716800000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "mfa_fail_ratio", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".lisa.bauer", 1778724000000000000, "auth", "mfa_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "mfa_fail_ratio", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", ".anna.schmidt", 1778727600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", ".anna.schmidt", 1778734800000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "auth", "mfa_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "mfa_fail_ratio", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778742000000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "mfa_fail_ratio", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "auth", "mfa_fail_ratio", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".anna.schmidt", 1778752800000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778756400000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "mfa_fail_ratio", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".lisa.bauer", 1778767200000000000, "auth", "mfa_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778702400000000000, "auth", "password_change", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "password_change", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "password_change", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778706000000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778706000000000000, "auth", "password_change", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "password_change", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "password_change", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".lisa.bauer", 1778709600000000000, "auth", "password_change", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".thomas.weber", 1778709600000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", ".anna.schmidt", 1778713200000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778713200000000000, "auth", "password_change", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778716800000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778716800000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "password_change", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", ".lisa.bauer", 1778724000000000000, "auth", "password_change", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", ".anna.schmidt", 1778727600000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778727600000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778734800000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778734800000000000, "auth", "password_change", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "password_change", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778742000000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778742000000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "password_change", 1.0, 2.121, 2.121, 0, 0, 2.121], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778745600000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "password_change", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".lisa.bauer", 1778749200000000000, "auth", "password_change", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "password_change", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", ".anna.schmidt", 1778752800000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778752800000000000, "auth", "password_change", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "password_change", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778756400000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778756400000000000, "auth", "password_change", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "password_change", 1.0, 3.317, 3.317, 0, 0, 3.317], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778763600000000000, "auth", "password_change", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "password_change", 1.0, 2.121, 2.121, 0, 0, 2.121], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "password_change", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", ".lisa.bauer", 1778767200000000000, "auth", "password_change", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778702400000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "password_reset_req", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778706000000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778706000000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "password_reset_req", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778709600000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", ".anna.schmidt", 1778713200000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778713200000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "password_reset_req", 1.0, 2.345, 2.345, 0, 0, 2.345], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778716800000000000, "auth", "password_reset_req", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", ".thomas.weber", 1778716800000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "password_reset_req", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "password_reset_req", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778724000000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778727600000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778727600000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "password_reset_req", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", ".anna.schmidt", 1778734800000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778734800000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778734800000000000, "auth", "password_reset_req", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "password_reset_req", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "password_reset_req", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", ".anna.schmidt", 1778742000000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778742000000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "password_reset_req", 2.0, 2.801, 2.801, 0, 0, 2.801], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778745600000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "password_reset_req", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778749200000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778752800000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778752800000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778756400000000000, "auth", "password_reset_req", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", ".thomas.weber", 1778756400000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778763600000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "password_reset_req", 1.0, 2.345, 2.345, 0, 0, 2.345], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "password_reset_req", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778767200000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778767200000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "password_reset_req", 1.0, 1.18, 1.18, 0, 0, 1.18], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778702400000000000, "auth", "account_locked", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778706000000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778706000000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "account_locked", 1.0, 3.162, 3.162, 0, 0, 3.162], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "account_locked", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".lisa.bauer", 1778709600000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", ".anna.schmidt", 1778713200000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778713200000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778716800000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778716800000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "account_locked", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", ".lisa.bauer", 1778724000000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778724000000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".anna.schmidt", 1778727600000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778727600000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "account_locked", 1.0, 1.826, 1.826, 0, 0, 1.826], ["user", ".anna.schmidt", 1778734800000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778734800000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778734800000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "account_locked", 1.0, 1.826, 1.826, 0, 0, 1.826], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778742000000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778742000000000000, "auth", "account_locked", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "account_locked", 1.0, 1.826, 1.826, 0, 0, 1.826], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778745600000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "account_locked", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".lisa.bauer", 1778749200000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".anna.schmidt", 1778752800000000000, "auth", "account_locked", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", ".thomas.weber", 1778752800000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778756400000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778756400000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778763600000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".lisa.bauer", 1778767200000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778767200000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778702400000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778706000000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778706000000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".lisa.bauer", 1778709600000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "account_unlocked_fail", 1.0, 3.162, 3.162, 0, 0, 3.162], ["user", ".anna.schmidt", 1778713200000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778713200000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778716800000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "auth", "account_unlocked_fail", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "account_unlocked_fail", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".lisa.bauer", 1778724000000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778724000000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "account_unlocked_fail", 1.0, 1.5, 1.5, 0, 0, 1.5], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".anna.schmidt", 1778727600000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "account_unlocked_fail", 1.0, 1.5, 1.5, 0, 0, 1.5], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "account_unlocked_fail", 1.0, 1.5, 1.5, 0, 0, 1.5], ["user", ".anna.schmidt", 1778734800000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778734800000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "account_unlocked_fail", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778742000000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778742000000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778745600000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".lisa.bauer", 1778749200000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".anna.schmidt", 1778752800000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "account_unlocked_fail", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".anna.schmidt", 1778756400000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778763600000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".lisa.bauer", 1778767200000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778767200000000000, "auth", "account_unlocked_fail", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "account_unlocked_fail", 1.0, 1.5, 1.5, 0, 0, 1.5], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_events", 2.0, 2.0, 0.0, 0, 0, 2.0], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_events", 2.0, -0.397, 0.038, 0, 0, 0.397], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_events", 3.0, 1.961, 0.939, 0, 0, 1.961], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_events", 4.0, 1.871, 0.0, 0, 0, 1.871], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_events", 2.0, 0.354, 0.038, 0, 0, 0.354], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_events", 3.0, 0.397, 0.939, 0, 0, 0.939], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_events", 1.0, -0.896, -0.632, 0, 0, 0.896], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_events", 2.0, 0.832, 0.832, 0, 0, 0.832], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_events", 2.0, 0.354, 0.038, 0, 0, 0.354], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_events", 1.0, -1.192, -0.863, 0, 0, 1.192], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_events", 2.0, 0.832, 0.832, 0, 0, 0.832], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_events", 2.0, -0.397, 0.038, 0, 0, 0.397], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_events", 1.0, -0.896, -0.632, 0, 0, 0.896], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_events", 2.0, 0.447, 0.447, 0, 0, 0.447], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_events", 4.0, 2.475, 1.84, 0, 0, 2.475], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_events", 1.0, -1.192, -0.863, 0, 0, 1.192], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_events", 2.0, 0.498, 0.949, 0, 0, 0.949], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_events", 2.0, 0.447, 0.447, 0, 0, 0.447], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_events", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_events", 2.0, 0.354, 0.038, 0, 0, 0.354], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_events", 3.0, 0.397, 0.939, 0, 0, 0.939], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_events", 2.0, 0.498, 0.949, 0, 0, 0.949], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_events", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_events", 1.0, -0.894, -0.894, 0, 0, 0.894], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_events", 3.0, 0.397, 0.939, 0, 0, 0.939], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_events", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_events", 3.0, 1.789, 1.789, 0, 0, 1.789], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_events", 3.0, 1.414, 0.939, 0, 0, 1.414], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_events", 2.0, -0.397, 0.038, 0, 0, 0.397], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_events", 6.0, 2.782, 3.642, 0, 0, 3.642], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_events", 2.0, 0.498, 0.949, 0, 0, 0.949], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_events", 2.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_events", 1.0, -0.894, -0.894, 0, 0, 0.894], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_events", 2.0, 0.832, 0.832, 0, 0, 0.832], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_events", 3.0, 1.961, 0.939, 0, 0, 1.961], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_events", 3.0, 0.397, 0.939, 0, 0, 0.939], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_events", 1.0, -0.894, -0.894, 0, 0, 0.894], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_events", 3.0, 2.357, 2.357, 0, 0, 2.357], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_events", 2.0, 0.498, 0.949, 0, 0, 0.949], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_events", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_events", 2.0, 0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_events", 2.0, -0.397, 0.038, 0, 0, 0.397], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_events", 3.0, 1.891, 2.53, 0, 0, 2.53], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_events", 2.0, 0.588, 0.038, 0, 0, 0.588], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_events", 4.0, 3.138, 0.0, 0, 0, 3.138], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_events", 2.0, -0.397, 0.038, 0, 0, 0.397], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_events", 2.0, 0.498, 0.949, 0, 0, 0.949], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_events", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_events", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_events", 2.0, -0.397, 0.038, 0, 0, 0.397], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_events", 1.0, -0.896, -0.632, 0, 0, 0.896], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_events", 2.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_events", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_events", 2.0, 3.162, 0.949, 0, 0, 3.162], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_events", 4.0, 1.192, 1.84, 0, 0, 1.84], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_events", 1.0, -0.896, -0.632, 0, 0, 0.896], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_events", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_events", 2.0, 0.588, 0.038, 0, 0, 0.588], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_events", 2.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_events", 4.0, 1.192, 1.84, 0, 0, 1.84], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_events", 1.0, -0.896, -0.632, 0, 0, 0.896], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_events", 3.0, 1.414, 0.939, 0, 0, 1.414], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_events", 3.0, 0.397, 0.939, 0, 0, 0.939], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_events", 3.0, 1.891, 2.53, 0, 0, 2.53], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_events", 2.0, 0.588, 0.038, 0, 0, 0.588], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_events", 2.0, 2.0, 0.0, 0, 0, 2.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_events", 1.0, -1.192, -0.863, 0, 0, 1.192], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_events", 1.0, -0.896, -0.632, 0, 0, 0.896], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_events", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_events", 2.0, 0.588, 0.038, 0, 0, 0.588], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_events", 1.0, -1.192, -0.863, 0, 0, 1.192], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_events", 1.0, -0.896, -0.632, 0, 0, 0.896], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_events", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_events", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_failures", 1.0, 0.359, 0.589, 0, 0, 0.589], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_failures", 1.0, 0.911, 0.0, 0, 0, 0.911], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_failures", 0.0, -1.213, 0.0, 0, 0, 1.213], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_failures", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_failures", 0.0, -0.898, -0.669, 0, 0, 0.898], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_failures", 1.0, 1.633, 2.708, 0, 0, 2.708], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_failures", 2.0, 1.976, 1.976, 0, 0, 1.976], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_failures", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_failures", 0.0, -0.898, -0.669, 0, 0, 0.898], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_failures", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_failures", 4.0, 3.354, 4.363, 0, 0, 4.363], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_failures", 1.0, 0.359, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_failures", 0.0, -1.118, -0.669, 0, 0, 1.118], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_failures", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_failures", 1.0, 0.359, 0.589, 0, 0, 0.589], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_failures", 1.0, 0.911, 0.0, 0, 0, 0.911], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_failures", 0.0, -1.213, 0.0, 0, 0, 1.213], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_failures", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_failures", 0.0, -1.118, -0.669, 0, 0, 1.118], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_failures", 1.0, 0.911, 0.0, 0, 0, 0.911], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_failures", 3.0, 2.874, 3.105, 0, 0, 3.105], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_failures", 0.0, -1.213, 0.0, 0, 0, 1.213], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_failures", 2.0, 1.976, 1.976, 0, 0, 1.976], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_failures", 1.0, 1.633, 2.708, 0, 0, 2.708], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_failures", 1.0, 0.359, 0.589, 0, 0, 0.589], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_failures", 2.0, 2.474, 0.0, 0, 0, 2.474], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_failures", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_failures", 1.0, 0.359, 0.589, 0, 0, 0.589], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_failures", 0.0, -1.213, 0.0, 0, 0, 1.213], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_failures", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_failures", 0.0, -1.118, -0.669, 0, 0, 1.118], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_failures", 1.0, 1.633, 2.708, 0, 0, 2.708], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_failures", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_failures", 0.0, -0.898, -0.669, 0, 0, 0.898], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_failures", 0.0, -0.898, -0.669, 0, 0, 0.898], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_failures", 2.0, 2.183, 0.0, 0, 0, 2.183], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_failures", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_failures", 1.0, 0.697, 0.697, 0, 0, 0.697], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_failures", 0.0, -0.898, -0.669, 0, 0, 0.898], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_failures", 0.0, -0.898, -0.669, 0, 0, 0.898], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_failures", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_failures", 1.0, 0.359, 0.589, 0, 0, 0.589], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_failures", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_failures", 1.0, 0.359, 0.589, 0, 0, 0.589], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_failures", 0.0, -1.213, 0.0, 0, 0, 1.213], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_failures", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_infos", 1.0, 1.528, 1.528, 0, 0, 1.528], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_infos", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_infos", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_infos", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_infos", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_infos", 1.0, 1.528, 1.528, 0, 0, 1.528], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_infos", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_infos", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_infos", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_infos", 1.0, 1.633, 1.633, 0, 0, 1.633], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_infos", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_infos", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_infos", 1.0, 1.633, 1.633, 0, 0, 1.633], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_infos", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_infos", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_infos", 1.0, 1.633, 1.633, 0, 0, 1.633], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_infos", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_infos", 1.0, 1.528, 1.528, 0, 0, 1.528], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_infos", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_failure_ratio", 1.0, 1.213, 1.507, 0, 0, 1.507], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_failure_ratio", 1.0, 1.414, 0.0, 0, 0, 1.414], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_failure_ratio", 0.0, -1.007, 0.0, 0, 0, 1.007], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_failure_ratio", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.0, -1.051, -0.79, 0, 0, 1.051], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.25, -0.265, 0.0, 0, 0, 0.265], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.5, -0.354, 0.358, 0, 0, 0.358], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_failure_ratio", 1.0, 1.633, 2.708, 0, 0, 2.708], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_failure_ratio", 1.0, 1.874, 1.874, 0, 0, 1.874], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_failure_ratio", 0.3333333333333333, -0.018, 0.0, 0, 0, 0.018], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_failure_ratio", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_failure_ratio", 0.5, -0.354, 0.358, 0, 0, 0.358], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_failure_ratio", 0.0, -1.051, -0.79, 0, 0, 1.051], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_failure_ratio", 1.0, 1.961, 0.0, 0, 0, 1.961], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_failure_ratio", 0.3333333333333333, -0.018, 0.0, 0, 0, 0.018], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_failure_ratio", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_failure_ratio", 1.0, 1.213, 1.507, 0, 0, 1.507], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_failure_ratio", 0.0, -1.581, -0.79, 0, 0, 1.581], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_failure_ratio", 0.5, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_failure_ratio", 1.0, 1.213, 1.507, 0, 0, 1.507], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_failure_ratio", 1.0, 1.414, 0.0, 0, 0, 1.414], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_failure_ratio", 0.0, -1.007, 0.0, 0, 0, 1.007], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_failure_ratio", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_failure_ratio", 0.0, -1.581, -0.79, 0, 0, 1.581], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_failure_ratio", 0.3333333333333333, -0.018, 0.0, 0, 0, 0.018], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_failure_ratio", 0.3333333333333333, -0.763, -0.024, 0, 0, 0.763], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_failure_ratio", 1.0, 1.414, 0.0, 0, 0, 1.414], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_failure_ratio", 1.0, 1.213, 1.507, 0, 0, 1.507], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_failure_ratio", 0.0, -1.007, 0.0, 0, 0, 1.007], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_failure_ratio", 0.6666666666666666, 1.049, 1.049, 0, 0, 1.049], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_failure_ratio", 1.0, 1.633, 2.708, 0, 0, 2.708], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_failure_ratio", 1.0, 1.213, 1.507, 0, 0, 1.507], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_failure_ratio", 1.0, 1.414, 0.0, 0, 0, 1.414], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_failure_ratio", 0.3333333333333333, -0.018, 0.0, 0, 0, 0.018], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_failure_ratio", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.5, 0.081, 0.358, 0, 0, 0.358], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.0, -1.007, 0.0, 0, 0, 1.007], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_failure_ratio", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.0, -1.581, -0.79, 0, 0, 1.581], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_failure_ratio", 1.0, 1.633, 2.708, 0, 0, 2.708], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.5, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_failure_ratio", 0.0, -1.051, -0.79, 0, 0, 1.051], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_failure_ratio", 1.0, 1.961, 0.0, 0, 0, 1.961], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_failure_ratio", 0.0, -1.051, -0.79, 0, 0, 1.051], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_failure_ratio", 0.6666666666666666, 0.972, 0.0, 0, 0, 0.972], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_failure_ratio", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_failure_ratio", 1.0, 1.874, 1.874, 0, 0, 1.874], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_failure_ratio", 0.0, -1.051, -0.79, 0, 0, 1.051], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_failure_ratio", 0.5, 0.477, 0.0, 0, 0, 0.477], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_failure_ratio", 0.0, -1.051, -0.79, 0, 0, 1.051], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_failure_ratio", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_failure_ratio", 0.3333333333333333, -0.763, -0.024, 0, 0, 0.763], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.5, 0.081, 0.358, 0, 0, 0.358], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_failure_ratio", 0.5, 0.081, 0.358, 0, 0, 0.358], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_failure_ratio", 0.0, -1.007, 0.0, 0, 0, 1.007], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_failure_ratio", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_high_severity", 1.0, 1.915, 3.279, 0, 0, 3.279], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_high_severity", 1.0, 3.742, 3.279, 0, 0, 3.742], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_high_severity", 1.0, 3.162, 4.899, 0, 0, 4.899], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_high_severity", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_high_severity", 1.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_high_severity", 1.0, 1.915, 3.279, 0, 0, 3.279], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_high_severity", 1.0, 1.528, 1.528, 0, 0, 1.528], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_high_severity", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_high_severity", 1.0, 1.414, 1.414, 0, 0, 1.414], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_high_severity", 1.0, 1.26, 0.0, 0, 0, 1.26], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_high_severity", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_high_severity", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_high_severity", 1.0, 1.915, 3.279, 0, 0, 3.279], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_high_severity", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_high_severity", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_high_severity", 1.0, 2.121, 2.121, 0, 0, 2.121], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_high_severity", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_high_severity", 2.0, 2.941, 0.0, 0, 0, 2.941], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_high_severity", 1.0, 3.0, 0.0, 0, 0, 3.0], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_high_severity", 1.0, 1.528, 1.528, 0, 0, 1.528], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_high_severity", 1.0, 3.606, 0.0, 0, 0, 3.606], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_high_severity", 1.0, 2.121, 2.121, 0, 0, 2.121], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_high_severity", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_high_severity", 1.0, 1.528, 1.528, 0, 0, 1.528], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_auth_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_auth_events", 2.0, 2.0, 0.0, 0, 0, 2.0], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_auth_events", 3.0, 1.961, 1.939, 0, 0, 1.961], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_auth_events", 4.0, 1.871, 0.0, 0, 0, 1.871], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_auth_events", 2.0, 0.354, 0.97, 0, 0, 0.97], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_auth_events", 1.0, -0.243, -0.243, 0, 0, 0.243], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_auth_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_auth_events", 2.0, 1.633, 1.633, 0, 0, 1.633], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_auth_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_auth_events", 2.0, 0.354, 0.97, 0, 0, 0.97], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_auth_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_auth_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_auth_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_auth_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_auth_events", 4.0, 2.475, 2.909, 0, 0, 2.909], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_auth_events", 0.0, -1.732, -1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_auth_events", 0.0, -1.361, -1.361, 0, 0, 1.361], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_auth_events", 2.0, 0.354, 0.97, 0, 0, 0.97], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_auth_events", 0.0, -1.671, -1.671, 0, 0, 1.671], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_auth_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_auth_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_auth_events", 1.0, -0.243, -0.243, 0, 0, 0.243], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_auth_events", 2.0, 2.043, 2.043, 0, 0, 2.043], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_auth_events", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_auth_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_auth_events", 3.0, 1.414, 1.939, 0, 0, 1.939], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_auth_events", 2.0, 1.213, 1.213, 0, 0, 1.213], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_auth_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_auth_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_auth_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_auth_events", 3.0, 1.961, 1.939, 0, 0, 1.961], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_auth_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_auth_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_auth_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_auth_events", 2.0, 1.633, 1.633, 0, 0, 1.633], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_auth_events", 0.0, -1.671, -1.671, 0, 0, 1.671], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_auth_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_auth_events", 2.0, 0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_auth_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_auth_events", 2.0, 0.588, 0.97, 0, 0, 0.97], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_auth_events", 4.0, 3.138, 0.0, 0, 0, 3.138], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_auth_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_auth_events", 0.0, -1.698, -1.698, 0, 0, 1.698], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_auth_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_auth_events", 0.0, -1.361, -1.361, 0, 0, 1.361], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_auth_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_auth_events", 2.0, 1.213, 1.213, 0, 0, 1.213], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_auth_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_auth_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_auth_events", 2.0, 3.162, 2.648, 0, 0, 3.162], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_auth_events", 0.0, -1.361, -1.361, 0, 0, 1.361], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_auth_events", 2.0, 0.588, 0.97, 0, 0, 0.97], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_auth_events", 2.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_auth_events", 3.0, 1.414, 1.939, 0, 0, 1.939], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_auth_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_auth_events", 2.0, 0.588, 0.97, 0, 0, 0.97], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_auth_events", 2.0, 2.0, 0.0, 0, 0, 2.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_auth_events", 1.0, -0.243, -0.243, 0, 0, 0.243], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_auth_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_auth_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_auth_events", 2.0, 0.588, 0.97, 0, 0, 0.97], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_auth_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_auth_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_auth_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_data_events", 2.0, -0.397, 0.722, 0, 0, 0.722], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_data_events", 3.0, 0.397, 1.415, 0, 0, 1.415], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_data_events", 1.0, -0.896, 0.082, 0, 0, 0.896], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_data_events", 1.0, -1.192, 0.029, 0, 0, 1.192], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_data_events", 2.0, -0.397, 0.722, 0, 0, 0.722], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_data_events", 1.0, -0.896, 0.082, 0, 0, 0.896], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_data_events", 1.0, -1.192, 0.029, 0, 0, 1.192], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_data_events", 2.0, 0.498, 1.106, 0, 0, 1.106], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_data_events", 3.0, 0.397, 1.415, 0, 0, 1.415], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_data_events", 2.0, 0.498, 1.106, 0, 0, 1.106], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_data_events", 3.0, 0.397, 1.415, 0, 0, 1.415], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_data_events", 2.0, -0.397, 0.722, 0, 0, 0.722], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_data_events", 6.0, 2.782, 3.494, 0, 0, 3.494], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_data_events", 2.0, 0.498, 1.106, 0, 0, 1.106], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_data_events", 3.0, 0.397, 1.415, 0, 0, 1.415], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_data_events", 2.0, 0.498, 1.106, 0, 0, 1.106], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_data_events", 2.0, -0.397, 0.722, 0, 0, 0.722], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_data_events", 3.0, 1.891, 2.13, 0, 0, 2.13], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_data_events", 2.0, -0.397, 0.722, 0, 0, 0.722], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_data_events", 2.0, 0.498, 1.106, 0, 0, 1.106], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_data_events", 2.0, -0.397, 0.722, 0, 0, 0.722], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_data_events", 1.0, -0.896, 0.082, 0, 0, 0.896], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_data_events", 4.0, 1.192, 2.108, 0, 0, 2.108], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_data_events", 1.0, -0.896, 0.082, 0, 0, 0.896], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_data_events", 4.0, 1.192, 2.108, 0, 0, 2.108], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_data_events", 1.0, -0.896, 0.082, 0, 0, 0.896], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_data_events", 3.0, 0.397, 1.415, 0, 0, 1.415], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_data_events", 3.0, 1.891, 2.13, 0, 0, 2.13], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_data_events", 1.0, -1.192, 0.029, 0, 0, 1.192], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_data_events", 1.0, -0.896, 0.082, 0, 0, 0.896], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_data_events", 1.0, -1.192, 0.029, 0, 0, 1.192], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_data_events", 1.0, -0.896, 0.082, 0, 0, 0.896], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, -0.745, -0.745, 0, 0, 0.745], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, -1.095, -1.095, 0, 0, 1.095], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_ti_events", 1.0, 0.913, 0.913, 0, 0, 0.913], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_ti_events", 1.0, 0.447, 0.447, 0, 0, 0.447], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_ti_events", 2.0, 1.789, 1.789, 0, 0, 1.789], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_ti_events", 1.0, 0.913, 0.913, 0, 0, 0.913], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_ti_events", 2.0, 2.236, 2.236, 0, 0, 2.236], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_ti_events", 0.0, -0.894, -0.894, 0, 0, 0.894], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, -0.745, -0.745, 0, 0, 0.745], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_ti_events", 1.0, 0.447, 0.447, 0, 0, 0.447], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_ti_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_ti_events", 0.0, -0.745, -0.745, 0, 0, 0.745], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_ti_events", 0.0, -0.894, -0.894, 0, 0, 0.894], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_ti_events", 1.0, 0.913, 0.913, 0, 0, 0.913], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, -0.745, -0.745, 0, 0, 0.745], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, -0.894, -0.894, 0, 0, 0.894], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_ti_events", 1.0, 0.913, 0.913, 0, 0, 0.913], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_ti_events", 1.0, 0.745, 0.745, 0, 0, 0.745], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_ti_events", 0.0, -1.095, -1.095, 0, 0, 1.095], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_ti_events", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_ti_events", 1.0, 0.745, 0.745, 0, 0, 0.745], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_ti_events", 1.0, 0.913, 0.913, 0, 0, 0.913], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_ti_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_ti_events", 0.0, -1.095, -1.095, 0, 0, 1.095], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_ti_events", 1.0, 0.913, 0.913, 0, 0, 0.913], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_ti_events", 0.0, -0.745, -0.745, 0, 0, 0.745], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, -0.745, -0.745, 0, 0, 0.745], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, -1.095, -1.095, 0, 0, 1.095], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_ti_events", 1.0, 0.745, 0.745, 0, 0, 0.745], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, -1.095, -1.095, 0, 0, 1.095], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_card_events", 1.0, -0.243, -0.243, 0, 0, 0.243], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_card_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_card_events", 2.0, 1.633, 1.633, 0, 0, 1.633], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_card_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_card_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_card_events", 0.0, -1.732, -1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_card_events", 0.0, -1.361, -1.361, 0, 0, 1.361], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_card_events", 0.0, -1.671, -1.671, 0, 0, 1.671], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_card_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_card_events", 1.0, -0.243, -0.243, 0, 0, 0.243], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_card_events", 2.0, 2.043, 2.043, 0, 0, 2.043], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_card_events", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_card_events", 2.0, 1.213, 1.213, 0, 0, 1.213], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_card_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_card_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_card_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_card_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_card_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_card_events", 2.0, 1.633, 1.633, 0, 0, 1.633], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_card_events", 0.0, -1.671, -1.671, 0, 0, 1.671], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_card_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, -1.698, -1.698, 0, 0, 1.698], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_card_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, -1.361, -1.361, 0, 0, 1.361], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_card_events", 2.0, 1.213, 1.213, 0, 0, 1.213], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_card_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, -1.361, -1.361, 0, 0, 1.361], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_card_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_card_events", 1.0, -0.243, -0.243, 0, 0, 0.243], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_card_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_card_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_card_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_card_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "ti_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "ti_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "ti_events", 2.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "ti_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "ti_events", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "ti_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "ti_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "ti_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "ti_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "ti_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "ti_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "ti_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "ti_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "ti_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "ti_failures", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "ti_failures", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "ti_failures", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "ti_failures", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "ti_failures", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "ti_failures", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "ti_failures", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "ti_failures", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "ti_failures", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "ti_failures", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "ti_failure_ratio", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "ti_failure_ratio", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "ti_failure_ratio", 0.5, 0.302, 0.302, 0, 0, 0.302], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "ti_failure_ratio", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "ti_failure_ratio", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "ti_failure_ratio", 0.0, -0.905, -0.905, 0, 0, 0.905], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "ti_failure_ratio", 1.0, 1.508, 1.508, 0, 0, 1.508], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "ti_failure_ratio", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "ti_failure_ratio", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "ti_failure_ratio", 0.0, -0.905, -0.905, 0, 0, 0.905], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "konnektor_connected", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "konnektor_connected", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "konnektor_connected", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "konnektor_connected", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "konnektor_connected", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "konnektor_connected", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "konnektor_disconnected", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "konnektor_disconnected", 1.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "konnektor_disconnected", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "konnektor_health_check", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "konnektor_health_check", 1.0, 1.414, 1.414, 0, 0, 1.414], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "konnektor_health_check", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "konnektor_health_check", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "konnektor_health_check", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "konnektor_health_check", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "konnektor_health_check", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "konnektor_health_check", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "konnektor_health_check", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "konnektor_flap_score", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "konnektor_flap_score", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "konnektor_flap_score", 1.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "konnektor_flap_score", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "konnektor_flap_score", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "konnektor_flap_score", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "konnektor_flap_score", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "konnektor_flap_score", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "konnektor_flap_score", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "konnektor_flap_score", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "konnektor_flap_score", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "konnektor_flap_score", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "konnektor_flap_score", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "vpn_tunnel_failed", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "vpn_tunnel_failed", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "vpn_tunnel_failed", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "vpn_tunnel_failed", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "vpn_tunnel_failed", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "vpn_tunnel_failed", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "vpn_tunnel_failed", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "vpn_tunnel_failed", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "vpn_tunnel_failed", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "vpn_tunnel_failed", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "vpn_tunnel_reconnect", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "vpn_tunnel_reconnect", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "vpn_tunnel_reconnect", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "vpn_tunnel_reconnect", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "vpn_tunnel_reconnect", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "vpn_tunnel_reconnect", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "cert_valid", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "cert_valid", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "cert_valid", 1.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "cert_valid", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "cert_valid", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "cert_valid", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "cert_valid", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "cert_valid", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "cert_valid", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "ti_service_unavailable", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "ti_service_unavailable", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "ti_service_unavailable", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "ti_service_unavailable", 1.0, 1.414, 1.414, 0, 0, 1.414], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "ti_service_unavailable", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "ti_service_unavailable", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "ti_service_unavailable", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "ti_service_available", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "ti_service_available", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "ti_service_available", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "ti_service_available", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "ti_service_available", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "ti_service_available", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "ti_service_available", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "ti_service_available", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "ti_service_available", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "ti_service_available", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "ti_service_available", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "high_sev_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "high_sev_events", 0.0, -1.414, -1.414, 0, 0, 1.414], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "high_sev_events", 1.0, 0.707, 0.707, 0, 0, 0.707], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "high_sev_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "high_sev_events", 1.0, 0.577, 0.577, 0, 0, 0.577], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "high_sev_events", 1.0, 0.707, 0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "high_sev_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "high_sev_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "high_sev_events", 0.0, -1.732, -1.732, 0, 0, 1.732], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "high_sev_events", 1.0, 0.577, 0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "high_sev_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "high_sev_events", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "high_sev_events", 1.0, 0.577, 0.577, 0, 0, 0.577], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "dt_events", 1.0, -0.408, -0.408, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "cloud", "dt_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "dt_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".thomas.weber", 1778709600000000000, "cloud", "dt_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "dt_events", 1.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "dt_events", 2.0, 1.118, 0.0, 0, 0, 1.118], ["user", ".thomas.weber", 1778716800000000000, "cloud", "dt_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "dt_events", 1.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "dt_events", 1.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".thomas.weber", 1778720400000000000, "cloud", "dt_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "dt_events", 2.0, 1.118, 0.0, 0, 0, 1.118], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "dt_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "dt_events", 1.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "dt_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "dt_events", 2.0, 1.581, 0.0, 0, 0, 1.581], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "dt_events", 2.0, 0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778731200000000000, "cloud", "dt_events", 2.0, 2.646, 2.646, 0, 0, 2.646], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "dt_events", 1.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "dt_events", 2.0, 0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "dt_events", 1.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "dt_events", 3.0, 1.789, 0.0, 0, 0, 1.789], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "dt_events", 1.0, -0.632, 0.0, 0, 0, 0.632], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "dt_events", 1.0, -0.408, -0.408, 0, 0, 0.408], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "dt_events", 2.0, 1.414, 1.414, 0, 0, 1.414], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "dt_events", 1.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", ".thomas.weber", 1778752800000000000, "cloud", "dt_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "dt_events", 2.0, 1.118, 0.0, 0, 0, 1.118], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "dt_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".thomas.weber", 1778756400000000000, "cloud", "dt_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "dt_events", 2.0, 1.118, 0.0, 0, 0, 1.118], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "dt_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "dt_events", 2.0, 2.449, 2.449, 0, 0, 2.449], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "dt_events", 2.0, 1.414, 1.414, 0, 0, 1.414], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "dt_events", 2.0, 1.581, 0.0, 0, 0, 1.581], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "dt_events", 1.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778720400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778731200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "export_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "cloud", "export_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "export_initiated", 0.0, -0.5, 0.0, 0, 0, 0.5], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "export_initiated", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778709600000000000, "cloud", "export_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "export_initiated", 1.0, 2.449, 2.449, 0, 0, 2.449], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "export_initiated", 1.0, 1.0, 0.0, 0, 0, 1.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "export_initiated", 1.0, 2.646, 2.646, 0, 0, 2.646], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "export_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "export_initiated", 0.0, -0.5, 0.0, 0, 0, 0.5], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778720400000000000, "cloud", "export_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "export_initiated", 2.0, 2.5, 0.0, 0, 0, 2.5], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "export_initiated", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "export_initiated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "export_initiated", 1.0, 1.0, 1.0, 0, 0, 1.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "export_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "export_initiated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778731200000000000, "cloud", "export_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "export_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "export_initiated", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "export_initiated", 0.0, -0.5, 0.0, 0, 0, 0.5], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "export_initiated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "export_initiated", 0.0, -0.5, 0.0, 0, 0, 0.5], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "export_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "export_initiated", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "export_initiated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "export_initiated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778752800000000000, "cloud", "export_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "export_initiated", 0.0, -0.5, 0.0, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "export_initiated", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".thomas.weber", 1778756400000000000, "cloud", "export_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "export_initiated", 0.0, -0.5, 0.0, 0, 0, 0.5], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "export_initiated", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "export_initiated", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "export_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "export_initiated", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "export_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "export_initiated", 0.0, -0.5, 0.0, 0, 0, 0.5], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "export_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "export_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".thomas.weber", 1778716800000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "export_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "export_completed", 1.0, 1.155, 0.0, 0, 0, 1.155], ["user", ".thomas.weber", 1778720400000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "export_completed", 1.0, 1.155, 0.0, 0, 0, 1.155], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "export_completed", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "export_completed", 0.0, -0.866, 0.0, 0, 0, 0.866], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "export_completed", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778731200000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "export_completed", 1.0, 2.449, 2.449, 0, 0, 2.449], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "export_completed", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "export_completed", 1.0, 1.155, 0.0, 0, 0, 1.155], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "export_completed", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "export_completed", 0.0, -0.866, 0.0, 0, 0, 0.866], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "export_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "export_completed", 0.0, -0.866, 0.0, 0, 0, 0.866], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "export_completed", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "export_completed", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778752800000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "export_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "export_completed", 0.0, -0.866, 0.0, 0, 0, 0.866], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "export_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "export_completed", 1.0, 2.828, 0.0, 0, 0, 2.828], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "import_initiated", 1.0, 2.449, 2.449, 0, 0, 2.449], ["user", ".thomas.weber", 1778706000000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "import_initiated", 1.0, 2.646, 2.646, 0, 0, 2.646], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "import_initiated", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".thomas.weber", 1778709600000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "import_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".thomas.weber", 1778716800000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "import_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "import_initiated", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778720400000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "import_initiated", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "import_initiated", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "import_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "import_initiated", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778731200000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "import_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "import_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "import_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "import_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "import_initiated", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "import_initiated", 1.0, 2.828, 0.0, 0, 0, 2.828], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "import_initiated", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "import_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "import_initiated", 1.0, 1.414, 1.414, 0, 0, 1.414], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "import_initiated", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "import_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "import_initiated", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".thomas.weber", 1778756400000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "import_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "import_initiated", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "import_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "import_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "import_initiated", 1.0, 1.414, 1.414, 0, 0, 1.414], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "import_initiated", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "import_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "import_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "cloud", "import_completed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "import_completed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "import_completed", 1.0, 1.414, 1.414, 0, 0, 1.414], ["user", ".thomas.weber", 1778709600000000000, "cloud", "import_completed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "import_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "import_completed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "import_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "import_completed", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778720400000000000, "cloud", "import_completed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "import_completed", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "import_completed", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "import_completed", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "import_completed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "import_completed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "import_completed", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "import_completed", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778731200000000000, "cloud", "import_completed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "import_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "import_completed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "import_completed", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "import_completed", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "import_completed", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "import_completed", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "import_completed", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "import_completed", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "import_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "import_completed", 1.0, 1.414, 1.414, 0, 0, 1.414], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "import_completed", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "import_completed", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "import_completed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "import_completed", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778752800000000000, "cloud", "import_completed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "import_completed", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".thomas.weber", 1778756400000000000, "cloud", "import_completed", 1.0, 2.646, 2.646, 0, 0, 2.646], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "import_completed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "import_completed", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "import_completed", 1.0, 2.449, 2.449, 0, 0, 2.449], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "import_completed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "import_completed", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "import_completed", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "import_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "cloud", "email_notifications", 0.0, -0.775, -0.775, 0, 0, 0.775], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "email_notifications", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "email_notifications", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "email_notifications", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778709600000000000, "cloud", "email_notifications", 0.0, -0.775, -0.775, 0, 0, 0.775], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "email_notifications", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", ".thomas.weber", 1778716800000000000, "cloud", "email_notifications", 0.0, -0.775, -0.775, 0, 0, 0.775], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "email_notifications", 1.0, 1.871, 0.0, 0, 0, 1.871], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "email_notifications", 0.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".thomas.weber", 1778720400000000000, "cloud", "email_notifications", 1.0, 1.291, 1.291, 0, 0, 1.291], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "email_notifications", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "email_notifications", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "email_notifications", 0.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "email_notifications", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "email_notifications", 1.0, 1.291, 1.291, 0, 0, 1.291], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "email_notifications", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "email_notifications", 1.0, 1.581, 0.0, 0, 0, 1.581], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "email_notifications", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", ".thomas.weber", 1778731200000000000, "cloud", "email_notifications", 1.0, 1.291, 1.291, 0, 0, 1.291], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "email_notifications", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "email_notifications", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "email_notifications", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "email_notifications", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "email_notifications", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "email_notifications", 0.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "email_notifications", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "email_notifications", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "email_notifications", 0.0, -0.632, 0.0, 0, 0, 0.632], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "email_notifications", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "email_notifications", 0.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "email_notifications", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "email_notifications", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "email_notifications", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778752800000000000, "cloud", "email_notifications", 0.0, -0.775, -0.775, 0, 0, 0.775], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "email_notifications", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "email_notifications", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778756400000000000, "cloud", "email_notifications", 0.0, -0.775, -0.775, 0, 0, 0.775], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "email_notifications", 1.0, 1.871, 0.0, 0, 0, 1.871], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "email_notifications", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "email_notifications", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "email_notifications", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "email_notifications", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "email_notifications", 1.0, 1.581, 0.0, 0, 0, 1.581], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "email_notifications", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "report_generated", 0.0, -0.632, -0.632, 0, 0, 0.632], ["user", ".thomas.weber", 1778706000000000000, "cloud", "report_generated", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "report_generated", 0.0, -0.632, -0.632, 0, 0, 0.632], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "report_generated", 0.0, -0.632, -0.632, 0, 0, 0.632], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778720400000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "report_generated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "report_generated", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", ".thomas.weber", 1778731200000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "report_generated", 0.0, -0.632, -0.632, 0, 0, 0.632], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "report_generated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "report_generated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "report_generated", 0.0, -0.632, -0.632, 0, 0, 0.632], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "report_generated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "report_generated", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "report_generated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778752800000000000, "cloud", "report_generated", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "report_generated", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "report_generated", 1.0, 1.581, 1.581, 0, 0, 1.581], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "report_generated", 1.0, 1.581, 1.581, 0, 0, 1.581], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "fhir_requests", 1.0, 1.118, 0.0, 0, 0, 1.118], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "fhir_requests", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778709600000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "fhir_requests", 1.0, 1.118, 0.0, 0, 0, 1.118], ["user", ".thomas.weber", 1778716800000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "fhir_requests", 0.0, -0.894, 0.0, 0, 0, 0.894], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "fhir_requests", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778720400000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "fhir_requests", 0.0, -0.894, 0.0, 0, 0, 0.894], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "fhir_requests", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "fhir_requests", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "fhir_requests", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778731200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "fhir_requests", 1.0, 1.118, 0.0, 0, 0, 1.118], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "fhir_requests", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "fhir_requests", 0.0, -0.894, 0.0, 0, 0, 0.894], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "fhir_requests", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "fhir_requests", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "fhir_requests", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "fhir_requests", 0.0, -0.894, 0.0, 0, 0, 0.894], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "fhir_requests", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778756400000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "fhir_requests", 1.0, 1.118, 0.0, 0, 0, 1.118], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "fhir_requests", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "fhir_requests", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "fhir_requests", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "fhir_requests", 0.0, -0.894, 0.0, 0, 0, 0.894], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "hl7_received", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "hl7_received", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "hl7_received", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "hl7_received", 1.0, 2.449, 2.449, 0, 0, 2.449], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778720400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "hl7_received", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "hl7_received", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "hl7_received", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778731200000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "hl7_received", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "hl7_received", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "hl7_received", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "hl7_received", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "hl7_received", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "hl7_received", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "hl7_received", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "hl7_received", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "hl7_received", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "hl7_received", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", ".thomas.weber", 1778752800000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "hl7_received", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "hl7_received", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "hl7_received", 1.0, 2.646, 2.646, 0, 0, 2.646], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "hl7_received", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".thomas.weber", 1778716800000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "hl7_sent", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778720400000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "hl7_sent", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "hl7_sent", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "hl7_sent", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "hl7_sent", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778731200000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "hl7_sent", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "hl7_sent", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "hl7_sent", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "hl7_sent", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "hl7_sent", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "hl7_sent", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "hl7_sent", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778752800000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "hl7_sent", 2.0, 2.828, 0.0, 0, 0, 2.828], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "hl7_sent", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "print_jobs", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "cloud", "print_jobs", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "print_jobs", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778709600000000000, "cloud", "print_jobs", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "print_jobs", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "print_jobs", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "print_jobs", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778720400000000000, "cloud", "print_jobs", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "print_jobs", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "print_jobs", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "print_jobs", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778731200000000000, "cloud", "print_jobs", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "print_jobs", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "print_jobs", 1.0, 2.449, 2.449, 0, 0, 2.449], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "print_jobs", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "cloud", "print_jobs", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "print_jobs", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778756400000000000, "cloud", "print_jobs", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "print_jobs", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "print_jobs", 1.0, 1.0, 1.0, 0, 0, 1.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "print_jobs", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "print_jobs", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "print_jobs", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "total_records_exported", 0.0, -0.606, -0.606, 0, 0, 0.606], ["user", ".thomas.weber", 1778706000000000000, "cloud", "total_records_exported", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "total_records_exported", 0.0, -0.677, 0.0, 0, 0, 0.677], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "total_records_exported", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778709600000000000, "cloud", "total_records_exported", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "total_records_exported", 468.0, 2.054, 2.054, 0, 0, 2.054], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "total_records_exported", 500.0, 0.973, 0.0, 0, 0, 0.973], ["user", ".thomas.weber", 1778716800000000000, "cloud", "total_records_exported", 678.0, 2.646, 2.646, 0, 0, 2.646], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "total_records_exported", 0.0, -0.606, -0.606, 0, 0, 0.606], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "total_records_exported", 0.0, -0.677, 0.0, 0, 0, 0.677], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "total_records_exported", 807.0, 1.49, 0.0, 0, 0, 1.49], ["user", ".thomas.weber", 1778720400000000000, "cloud", "total_records_exported", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "total_records_exported", 517.0, 1.03, 0.0, 0, 0, 1.03], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "total_records_exported", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "total_records_exported", 178.0, -0.233, 0.0, 0, 0, 0.233], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "total_records_exported", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "total_records_exported", 303.0, 1.0, 1.0, 0, 0, 1.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "total_records_exported", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "total_records_exported", 0.0, -0.721, 0.0, 0, 0, 0.721], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "total_records_exported", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778731200000000000, "cloud", "total_records_exported", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "total_records_exported", 278.0, 0.974, 0.974, 0, 0, 0.974], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "total_records_exported", 894.0, 1.382, 0.0, 0, 0, 1.382], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "total_records_exported", 0.0, -0.677, 0.0, 0, 0, 0.677], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "total_records_exported", 857.0, 1.627, 0.0, 0, 0, 1.627], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "total_records_exported", 921.0, 1.446, 0.0, 0, 0, 1.446], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "total_records_exported", 0.0, -0.677, 0.0, 0, 0, 0.677], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "total_records_exported", 0.0, -0.721, 0.0, 0, 0, 0.721], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "total_records_exported", 0.0, -0.606, -0.606, 0, 0, 0.606], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "total_records_exported", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "total_records_exported", 0.0, -0.721, 0.0, 0, 0, 0.721], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "total_records_exported", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "total_records_exported", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778752800000000000, "cloud", "total_records_exported", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "total_records_exported", 0.0, -0.677, 0.0, 0, 0, 0.677], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "total_records_exported", 880.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".thomas.weber", 1778756400000000000, "cloud", "total_records_exported", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "total_records_exported", 0.0, -0.677, 0.0, 0, 0, 0.677], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "total_records_exported", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "total_records_exported", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "total_records_exported", 0.0, -0.606, -0.606, 0, 0, 0.606], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "total_records_exported", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "total_records_exported", 0.0, -0.721, 0.0, 0, 0, 0.721], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "total_records_exported", 0.0, -0.606, -0.606, 0, 0, 0.606], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "total_records_exported", 829.0, 2.06, 0.0, 0, 0, 2.06], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "external_destinations", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "external_destinations", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "external_destinations", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "external_destinations", 1.0, 1.871, 0.0, 0, 0, 1.871], ["user", ".thomas.weber", 1778716800000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "external_destinations", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "external_destinations", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778720400000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "external_destinations", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "external_destinations", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "external_destinations", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778731200000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "external_destinations", 1.0, 2.449, 2.449, 0, 0, 2.449], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "external_destinations", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "external_destinations", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "external_destinations", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "external_destinations", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "external_destinations", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "external_destinations", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "external_destinations", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778752800000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "external_destinations", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "external_destinations", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "external_destinations", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "external_destinations", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "external_destinations", 1.0, 1.871, 0.0, 0, 0, 1.871], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_events", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_events", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_events", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_events", 2.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_events", 2.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_events", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_events", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_events", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_events", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_events", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_failures", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_failures", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_failures", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_failures", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_failures", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_failures", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_failures", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_failures", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_failure_ratio", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_failure_ratio", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_failure_ratio", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_failure_ratio", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_failure_ratio", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_failure_ratio", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_failure_ratio", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_failure_ratio", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_read_success", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_read_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_read_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_read_success", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_read_success", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_read_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_read_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_read_success", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_read_success", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_read_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_read_success", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_read_success", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_read_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_read_failure", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_read_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_read_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_read_failure", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_read_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_read_failure", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_read_failure", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_read_failure", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_read_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_read_failure", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_read_failure", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_read_failure", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_read_failure", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_pin_verified", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_pin_verified", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_pin_verified", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_pin_verified", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_pin_verified", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_pin_verified", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_pin_verified", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_pin_verified", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_pin_verified", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_pin_verified", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_pin_verified", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_pin_verified", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_pin_verified", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_pin_verified", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_pin_failed", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_pin_failed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_pin_failed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_pin_failed", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_pin_failed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_pin_failed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_pin_failed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_pin_failed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_pin_blocked", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_pin_blocked", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_pin_blocked", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_pin_blocked", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_pin_blocked", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_pin_blocked", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_pin_blocked", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_pin_blocked", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_removed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_removed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_removed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_removed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_removed", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_removed", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_removed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_removed", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_removed", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_removed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_removed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_removed", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_removed", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_removed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_removed", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_removed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_removed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_removed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_removed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_removed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_removed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_removed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_removed", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_removed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_removed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_removed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_decryption", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_decryption", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_decryption", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_decryption", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_decryption", 1.0, 0.816, 0.816, 0, 0, 0.816], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_decryption", 1.0, 0.816, 0.816, 0, 0, 0.816], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_decryption", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_decryption", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_decryption", 1.0, 0.816, 0.816, 0, 0, 0.816], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_decryption", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_decryption", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_decryption", 0.0, -1.225, -1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_decryption", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_decryption", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_decryption", 0.0, -1.225, -1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_decryption", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_decryption", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_decryption", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_decryption", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_decryption", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_decryption", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_decryption", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_decryption", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_decryption", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_decryption", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_decryption", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_signature_created", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_signature_created", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_signature_created", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_signature_created", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_signature_created", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_signature_created", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_signature_created", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_signature_created", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_signature_created", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_signature_created", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_signature_created", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_signature_created", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_signature_created", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_auth_success", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_auth_success", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_auth_success", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_auth_success", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_auth_success", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_auth_success", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_auth_success", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_auth_success", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_auth_success", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_auth_success", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_auth_success", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_auth_success", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_auth_success", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_auth_failed", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_auth_failed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_auth_failed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_auth_failed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_auth_failed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_auth_failed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_auth_failed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_auth_failed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "smcb_events", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "smcb_events", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "smcb_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "smcb_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "smcb_events", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "smcb_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "smcb_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "smcb_events", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "smcb_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "smcb_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "smcb_events", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "smcb_events", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "smcb_events", 1.0, 1.291, 1.291, 0, 0, 1.291], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "smcb_events", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "smcb_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "smcb_events", 1.0, 1.291, 1.291, 0, 0, 1.291], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "smcb_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "smcb_events", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "smcb_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "smcb_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "smcb_events", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "smcb_events", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "smcb_events", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "smcb_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "smcb_events", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "smcb_events", 1.0, 1.291, 1.291, 0, 0, 1.291], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "hba_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "hba_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "hba_events", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "hba_events", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "hba_events", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "hba_events", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "hba_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "hba_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "hba_events", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "hba_events", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "hba_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "hba_events", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "hba_events", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "hba_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "hba_events", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "hba_events", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "hba_events", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "hba_events", 1.0, 1.291, 1.291, 0, 0, 1.291], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "hba_events", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "hba_events", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "hba_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "hba_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "hba_events", 1.0, 1.291, 1.291, 0, 0, 1.291], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "hba_events", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "hba_events", 1.0, 1.291, 1.291, 0, 0, 1.291], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "hba_events", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "qes_pin_attempts", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "qes_pin_attempts", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "qes_pin_attempts", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "qes_pin_attempts", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "qes_pin_attempts", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "qes_pin_attempts", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "qes_pin_attempts", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "qes_pin_attempts", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "low_attempts_remaining", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "low_attempts_remaining", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "low_attempts_remaining", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "low_attempts_remaining", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "low_attempts_remaining", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "low_attempts_remaining", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "low_attempts_remaining", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "low_attempts_remaining", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".anna.schmidt", 1778702400000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "distinct_src_ip", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778706000000000000, "auth", "distinct_src_ip", 2.0, 1.633, 0.0, 0, 0, 1.633], ["user", ".lisa.bauer", 1778706000000000000, "auth", "distinct_src_ip", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "distinct_src_ip", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "distinct_src_ip", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "distinct_src_ip", 2.0, 1.225, 0.0, 0, 0, 1.225], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", ".lisa.bauer", 1778709600000000000, "auth", "distinct_src_ip", 3.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".thomas.weber", 1778709600000000000, "auth", "distinct_src_ip", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "distinct_src_ip", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", ".anna.schmidt", 1778713200000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".lisa.bauer", 1778713200000000000, "auth", "distinct_src_ip", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", ".anna.schmidt", 1778716800000000000, "auth", "distinct_src_ip", 2.0, 1.633, 0.0, 0, 0, 1.633], ["user", ".thomas.weber", 1778716800000000000, "auth", "distinct_src_ip", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "distinct_src_ip", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "distinct_src_ip", 1.0, -0.816, 0.0, 0, 0, 0.816], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "distinct_src_ip", 2.0, 0.99, 0.99, 0, 0, 0.99], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "distinct_src_ip", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "distinct_src_ip", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".lisa.bauer", 1778724000000000000, "auth", "distinct_src_ip", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "distinct_src_ip", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "distinct_src_ip", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778727600000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".thomas.weber", 1778727600000000000, "auth", "distinct_src_ip", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "distinct_src_ip", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "distinct_src_ip", 3.0, 2.546, 2.546, 0, 0, 2.546], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "distinct_src_ip", 2.0, 1.826, 1.826, 0, 0, 1.826], ["user", ".anna.schmidt", 1778734800000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".lisa.bauer", 1778734800000000000, "auth", "distinct_src_ip", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "distinct_src_ip", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "distinct_src_ip", 2.0, 1.225, 0.0, 0, 0, 1.225], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "distinct_src_ip", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", ".anna.schmidt", 1778742000000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".thomas.weber", 1778742000000000000, "auth", "distinct_src_ip", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "distinct_src_ip", 3.0, 2.219, 2.219, 0, 0, 2.219], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "distinct_src_ip", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", ".anna.schmidt", 1778745600000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "distinct_src_ip", 2.0, 1.826, 1.826, 0, 0, 1.826], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "distinct_src_ip", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "distinct_src_ip", 1.0, -0.816, 0.0, 0, 0, 0.816], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "distinct_src_ip", 3.0, 2.236, 2.236, 0, 0, 2.236], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", ".lisa.bauer", 1778749200000000000, "auth", "distinct_src_ip", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "distinct_src_ip", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778752800000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".thomas.weber", 1778752800000000000, "auth", "distinct_src_ip", 4.0, 2.524, 2.524, 0, 0, 2.524], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "distinct_src_ip", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "distinct_src_ip", 2.0, 0.99, 0.99, 0, 0, 0.99], ["user", ".anna.schmidt", 1778756400000000000, "auth", "distinct_src_ip", 2.0, 1.633, 0.0, 0, 0, 1.633], ["user", ".thomas.weber", 1778756400000000000, "auth", "distinct_src_ip", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "distinct_src_ip", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "distinct_src_ip", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "distinct_src_ip", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", ".anna.schmidt", 1778763600000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "distinct_src_ip", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "distinct_src_ip", 1.0, -0.816, 0.0, 0, 0, 0.816], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "distinct_src_ip", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".lisa.bauer", 1778767200000000000, "auth", "distinct_src_ip", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "distinct_src_ip", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "distinct_src_ip", 2.0, 1.826, 1.826, 0, 0, 1.826], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "distinct_src_ip", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", ".anna.schmidt", 1778702400000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "distinct_src_host", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778706000000000000, "auth", "distinct_src_host", 2.0, 2.121, 0.0, 0, 0, 2.121], ["user", ".lisa.bauer", 1778706000000000000, "auth", "distinct_src_host", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "distinct_src_host", 2.0, 0.469, 0.469, 0, 0, 0.469], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "distinct_src_host", 2.0, 0.832, 0.832, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "distinct_src_host", 2.0, 1.225, 0.0, 0, 0, 1.225], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["user", ".lisa.bauer", 1778709600000000000, "auth", "distinct_src_host", 2.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".thomas.weber", 1778709600000000000, "auth", "distinct_src_host", 2.0, 0.469, 0.469, 0, 0, 0.469], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "distinct_src_host", 1.0, -0.693, -0.693, 0, 0, 0.693], ["user", ".anna.schmidt", 1778713200000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778713200000000000, "auth", "distinct_src_host", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["user", ".anna.schmidt", 1778716800000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778716800000000000, "auth", "distinct_src_host", 2.0, 0.469, 0.469, 0, 0, 0.469], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "distinct_src_host", 1.0, -0.693, -0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "distinct_src_host", 1.0, -0.816, 0.0, 0, 0, 0.816], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "distinct_src_host", 2.0, 1.633, 1.633, 0, 0, 1.633], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "distinct_src_host", 1.0, -0.693, -0.693, 0, 0, 0.693], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "distinct_src_host", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".lisa.bauer", 1778724000000000000, "auth", "distinct_src_host", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "distinct_src_host", 1.0, -1.093, -1.093, 0, 0, 1.093], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "distinct_src_host", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778727600000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778727600000000000, "auth", "distinct_src_host", 2.0, 0.469, 0.469, 0, 0, 0.469], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "distinct_src_host", 1.0, -0.693, -0.693, 0, 0, 0.693], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "distinct_src_host", 2.0, 1.633, 1.633, 0, 0, 1.633], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "distinct_src_host", 2.0, 3.464, 3.464, 0, 0, 3.464], ["user", ".anna.schmidt", 1778734800000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778734800000000000, "auth", "distinct_src_host", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "distinct_src_host", 1.0, -1.093, -1.093, 0, 0, 1.093], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "distinct_src_host", 2.0, 1.225, 0.0, 0, 0, 1.225], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "distinct_src_host", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["user", ".anna.schmidt", 1778742000000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778742000000000000, "auth", "distinct_src_host", 1.0, -1.093, -1.093, 0, 0, 1.093], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "distinct_src_host", 3.0, 2.357, 2.357, 0, 0, 2.357], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "distinct_src_host", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["user", ".anna.schmidt", 1778745600000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "distinct_src_host", 1.0, -0.693, -0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "distinct_src_host", 1.0, -0.816, 0.0, 0, 0, 0.816], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "distinct_src_host", 3.0, 2.236, 2.236, 0, 0, 2.236], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["user", ".lisa.bauer", 1778749200000000000, "auth", "distinct_src_host", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "distinct_src_host", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778752800000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778752800000000000, "auth", "distinct_src_host", 3.0, 2.03, 2.03, 0, 0, 2.03], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "distinct_src_host", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "distinct_src_host", 2.0, 1.633, 1.633, 0, 0, 1.633], ["user", ".anna.schmidt", 1778756400000000000, "auth", "distinct_src_host", 2.0, 2.121, 0.0, 0, 0, 2.121], ["user", ".thomas.weber", 1778756400000000000, "auth", "distinct_src_host", 2.0, 0.469, 0.469, 0, 0, 0.469], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "distinct_src_host", 1.0, -0.693, -0.693, 0, 0, 0.693], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "distinct_src_host", 2.0, 0.832, 0.832, 0, 0, 0.832], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "distinct_src_host", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["user", ".anna.schmidt", 1778763600000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "distinct_src_host", 2.0, 0.832, 0.832, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "distinct_src_host", 1.0, -0.816, 0.0, 0, 0, 0.816], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "distinct_src_host", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".lisa.bauer", 1778767200000000000, "auth", "distinct_src_host", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "distinct_src_host", 1.0, -1.093, -1.093, 0, 0, 1.093], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "distinct_src_host", 1.0, -0.693, -0.693, 0, 0, 0.693], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_distinct_users", 1.0, -0.899, 0.0, 0, 0, 0.899], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_distinct_users", 1.0, -1.129, -0.836, 0, 0, 1.129], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_distinct_users", 3.0, 2.063, 1.254, 0, 0, 2.063], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_distinct_users", 4.0, 2.006, 0.0, 0, 0, 2.006], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_distinct_users", 2.0, 0.588, 0.209, 0, 0, 0.588], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_distinct_users", 3.0, 0.718, 1.254, 0, 0, 1.254], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_distinct_users", 1.0, -1.0, -0.624, 0, 0, 1.0], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_distinct_users", 2.0, 0.069, 0.0, 0, 0, 0.069], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_distinct_users", 2.0, 0.588, 0.209, 0, 0, 0.588], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_distinct_users", 1.0, -1.129, -0.836, 0, 0, 1.129], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_distinct_users", 1.0, -0.899, 0.0, 0, 0, 0.899], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_distinct_users", 2.0, -0.205, 0.209, 0, 0, 0.209], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_distinct_users", 1.0, -1.0, -0.624, 0, 0, 1.0], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_distinct_users", 3.0, 1.038, 0.0, 0, 0, 1.038], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_distinct_users", 3.0, 1.961, 1.254, 0, 0, 1.961], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_distinct_users", 1.0, -1.129, -0.836, 0, 0, 1.129], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_distinct_users", 2.0, 1.0, 1.604, 0, 0, 1.604], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_distinct_users", 2.0, 0.588, 0.209, 0, 0, 0.588], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_distinct_users", 3.0, 0.718, 1.254, 0, 0, 1.254], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_distinct_users", 2.0, 1.0, 1.604, 0, 0, 1.604], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_distinct_users", 1.0, -0.899, 0.0, 0, 0, 0.899], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_distinct_users", 3.0, 0.718, 1.254, 0, 0, 1.254], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_distinct_users", 3.0, 1.038, 0.0, 0, 0, 1.038], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_distinct_users", 2.0, 0.588, 0.209, 0, 0, 0.588], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_distinct_users", 2.0, -0.205, 0.209, 0, 0, 0.209], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_distinct_users", 5.0, 2.565, 3.344, 0, 0, 3.344], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_distinct_users", 2.0, 1.0, 1.604, 0, 0, 1.604], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_distinct_users", 3.0, 2.063, 1.254, 0, 0, 2.063], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_distinct_users", 1.0, -0.899, 0.0, 0, 0, 0.899], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_distinct_users", 2.0, -0.205, 0.209, 0, 0, 0.209], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_distinct_users", 2.0, 1.0, 1.604, 0, 0, 1.604], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_distinct_users", 2.0, 1.18, 0.0, 0, 0, 1.18], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_distinct_users", 3.0, 1.038, 0.0, 0, 0, 1.038], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_distinct_users", 2.0, -0.205, 0.209, 0, 0, 0.209], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_distinct_users", 2.0, 1.0, 1.604, 0, 0, 1.604], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_distinct_users", 3.0, 2.801, 0.0, 0, 0, 2.801], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_distinct_users", 1.0, -0.899, 0.0, 0, 0, 0.899], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_distinct_users", 2.0, -0.205, 0.209, 0, 0, 0.209], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_distinct_users", 2.0, 1.0, 1.604, 0, 0, 1.604], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_distinct_users", 1.0, -0.899, 0.0, 0, 0, 0.899], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_distinct_users", 2.0, -0.205, 0.209, 0, 0, 0.209], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_distinct_users", 1.0, -1.0, -0.624, 0, 0, 1.0], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_distinct_users", 3.0, 1.038, 0.0, 0, 0, 1.038], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_distinct_users", 3.0, 0.718, 1.254, 0, 0, 1.254], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_distinct_users", 1.0, -1.0, -0.624, 0, 0, 1.0], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_distinct_users", 2.0, 0.722, 0.209, 0, 0, 0.722], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_distinct_users", 2.0, 0.069, 0.0, 0, 0, 0.069], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_distinct_users", 4.0, 1.642, 2.299, 0, 0, 2.299], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_distinct_users", 1.0, -1.0, -0.624, 0, 0, 1.0], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_distinct_users", 3.0, 1.961, 1.254, 0, 0, 1.961], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_distinct_users", 2.0, -0.205, 0.209, 0, 0, 0.209], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_distinct_users", 2.0, 1.0, 1.604, 0, 0, 1.604], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_distinct_users", 2.0, 0.722, 0.209, 0, 0, 0.722], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_distinct_users", 2.0, 3.0, 0.0, 0, 0, 3.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_distinct_users", 1.0, -1.129, -0.836, 0, 0, 1.129], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_distinct_users", 1.0, -1.0, -0.624, 0, 0, 1.0], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_distinct_users", 1.0, -0.899, 0.0, 0, 0, 0.899], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_distinct_users", 1.0, -1.129, -0.836, 0, 0, 1.129], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_distinct_users", 1.0, -1.0, -0.624, 0, 0, 1.0], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.866, 0.0, 0, 0, 0.866], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_distinct_etypes", 1.0, -1.118, -0.912, 0, 0, 1.118], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 3.0, 1.877, 1.306, 0, 0, 1.877], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 4.0, 2.165, 0.0, 0, 0, 2.165], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 2.0, 0.44, 0.197, 0, 0, 0.44], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 3.0, 0.894, 1.306, 0, 0, 1.306], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.918, -0.587, 0, 0, 0.918], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 2.0, 0.832, 0.832, 0, 0, 0.832], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_distinct_etypes", 3.0, 1.155, 0.0, 0, 0, 1.155], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_distinct_etypes", 2.0, 0.44, 0.197, 0, 0, 0.44], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_distinct_etypes", 1.0, -1.118, -0.912, 0, 0, 1.118], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_distinct_etypes", 2.0, 0.832, 0.832, 0, 0, 0.832], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.834, -0.912, 0, 0, 0.912], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.866, 0.0, 0, 0, 0.866], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_distinct_etypes", 1.0, -1.118, -0.912, 0, 0, 1.118], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.918, -0.587, 0, 0, 0.918], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_distinct_etypes", 2.0, 0.447, 0.447, 0, 0, 0.447], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_distinct_etypes", 3.0, 1.155, 0.0, 0, 0, 1.155], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_distinct_etypes", 3.0, 1.673, 1.306, 0, 0, 1.673], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_distinct_etypes", 1.0, -1.118, -0.912, 0, 0, 1.118], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_distinct_etypes", 2.0, 0.688, 1.247, 0, 0, 1.247], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_distinct_etypes", 2.0, 0.447, 0.447, 0, 0, 0.447], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.834, -0.912, 0, 0, 0.912], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_distinct_etypes", 2.0, 0.44, 0.197, 0, 0, 0.44], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_distinct_etypes", 3.0, 0.894, 1.306, 0, 0, 1.306], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_distinct_etypes", 2.0, 0.688, 1.247, 0, 0, 1.247], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_distinct_etypes", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.894, -0.894, 0, 0, 0.894], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.834, -0.912, 0, 0, 0.912], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.866, 0.0, 0, 0, 0.866], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 3.0, 0.894, 1.306, 0, 0, 1.306], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 3.0, 1.789, 1.789, 0, 0, 1.789], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_distinct_etypes", 2.0, 0.144, 0.0, 0, 0, 0.144], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_distinct_etypes", 3.0, 1.673, 1.306, 0, 0, 1.673], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_distinct_etypes", 1.0, -1.118, -0.912, 0, 0, 1.118], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 4.0, 1.901, 2.416, 0, 0, 2.416], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 2.0, 0.688, 1.247, 0, 0, 1.247], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 2.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.894, -0.894, 0, 0, 0.894], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 2.0, 0.832, 0.832, 0, 0, 0.832], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 3.0, 1.877, 1.306, 0, 0, 1.877], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.866, 0.0, 0, 0, 0.866], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 3.0, 0.894, 1.306, 0, 0, 1.306], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.894, -0.894, 0, 0, 0.894], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 3.0, 2.357, 2.357, 0, 0, 2.357], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_distinct_etypes", 2.0, 0.688, 1.247, 0, 0, 1.247], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.834, -0.912, 0, 0, 0.912], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_distinct_etypes", 2.0, 0.144, 0.0, 0, 0, 0.144], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_distinct_etypes", 2.0, -0.112, 0.197, 0, 0, 0.197], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_distinct_etypes", 2.0, 0.688, 1.247, 0, 0, 1.247], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 2.0, 0.521, 0.197, 0, 0, 0.521], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 3.0, 3.162, 0.0, 0, 0, 3.162], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.866, 0.0, 0, 0, 0.866], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 2.0, -0.112, 0.197, 0, 0, 0.197], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 2.0, 0.688, 1.247, 0, 0, 1.247], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.834, -0.912, 0, 0, 0.912], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.866, 0.0, 0, 0, 0.866], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_distinct_etypes", 2.0, -0.112, 0.197, 0, 0, 0.197], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.918, -0.587, 0, 0, 0.918], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_distinct_etypes", 2.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.834, -0.912, 0, 0, 0.912], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 3.0, 1.155, 0.0, 0, 0, 1.155], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 3.0, 0.894, 1.306, 0, 0, 1.306], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.918, -0.587, 0, 0, 0.918], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_distinct_etypes", 2.0, 0.521, 0.197, 0, 0, 0.521], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_distinct_etypes", 2.0, 0.144, 0.0, 0, 0, 0.144], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_distinct_etypes", 3.0, 0.894, 1.306, 0, 0, 1.306], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.918, -0.587, 0, 0, 0.918], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.834, -0.912, 0, 0, 0.912], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_distinct_etypes", 3.0, 1.673, 1.306, 0, 0, 1.673], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_distinct_etypes", 3.0, 0.894, 1.306, 0, 0, 1.306], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_distinct_etypes", 3.0, 2.294, 3.08, 0, 0, 3.08], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 2.0, 0.521, 0.197, 0, 0, 0.521], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 2.0, 3.0, 0.0, 0, 0, 3.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, -1.118, -0.912, 0, 0, 1.118], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.918, -0.587, 0, 0, 0.918], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 2.0, 0.521, 0.197, 0, 0, 0.521], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.866, 0.0, 0, 0, 0.866], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 1.0, -1.118, -0.912, 0, 0, 1.118], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.918, -0.587, 0, 0, 0.918], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "distinct_telematik_ids", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "distinct_telematik_ids", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "distinct_telematik_ids", 2.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "distinct_telematik_ids", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "distinct_telematik_ids", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "distinct_telematik_ids", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "distinct_telematik_ids", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "distinct_telematik_ids", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "distinct_telematik_ids", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "distinct_telematik_ids", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "distinct_telematik_ids", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "distinct_telematik_ids", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "distinct_telematik_ids", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "distinct_telematik_ids", 1.0, -0.577, -0.577, 0, 0, 0.577], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "distinct_destinations", 1.0, -1.0, 0.0, 0, 0, 1.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "distinct_destinations", 2.0, 1.0, 0.0, 0, 0, 1.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "distinct_destinations", 1.0, -1.0, 0.0, 0, 0, 1.0], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "distinct_destinations", 2.0, 1.0, 0.0, 0, 0, 1.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "distinct_destinations", 2.0, 1.0, 0.0, 0, 0, 1.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "distinct_destinations", 1.0, -1.0, 0.0, 0, 0, 1.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "distinct_destinations", 2.0, 1.0, 0.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "distinct_destinations", 1.0, -1.0, 0.0, 0, 0, 1.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "distinct_export_types", 2.0, 1.0, 0.0, 0, 0, 1.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "distinct_export_types", 1.0, -1.0, 0.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "distinct_msg_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "distinct_msg_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "distinct_msg_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "distinct_msg_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "distinct_msg_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "distinct_msg_types", 2.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "distinct_msg_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "distinct_cards", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "distinct_cards", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "distinct_cards", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "distinct_cards", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "distinct_cards", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "distinct_cards", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "distinct_cards", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "distinct_cards", 2.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "distinct_cards", 2.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "distinct_cards", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "distinct_cards", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "distinct_cards", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "distinct_cards", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "distinct_cards", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "distinct_cards", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "distinct_cards", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "distinct_cards", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "distinct_cards", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "distinct_cards", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "distinct_cards", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "distinct_cards", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "distinct_cards", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "distinct_cards", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "distinct_cards", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "distinct_cards", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "distinct_cards", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "distinct_terminals", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "distinct_terminals", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "distinct_terminals", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "distinct_terminals", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "distinct_terminals", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "distinct_terminals", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "distinct_terminals", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "distinct_terminals", 2.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "distinct_terminals", 2.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "distinct_terminals", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "distinct_terminals", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "distinct_terminals", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "distinct_terminals", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "distinct_terminals", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "distinct_terminals", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "distinct_terminals", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "distinct_terminals", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "distinct_terminals", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "distinct_terminals", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "distinct_terminals", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "distinct_terminals", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "distinct_terminals", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "distinct_terminals", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "distinct_terminals", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "distinct_terminals", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "distinct_terminals", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "distinct_card_types", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "distinct_card_types", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "distinct_card_types", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "distinct_card_types", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "distinct_card_types", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "distinct_card_types", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "distinct_card_types", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "distinct_card_types", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "distinct_card_types", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "distinct_card_types", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "distinct_card_types", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "distinct_card_types", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "distinct_card_types", 1.0, -0.577, -0.577, 0, 0, 0.577]]} \ No newline at end of file diff --git a/parsers/ueba_features_hourly b/parsers/ueba_features_hourly new file mode 100644 index 0000000..88ec506 --- /dev/null +++ b/parsers/ueba_features_hourly @@ -0,0 +1 @@ +{"columnNames": ["entity_type", "entity_id", "hour_ts", "family", "feature_name", "value"], "rows": [["user", ".anna.schmidt", 1779058800000000000, "auth", "account_locked", 0], ["user", ".lisa.bauer", 1779058800000000000, "auth", "account_locked", 1], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "account_locked", 0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "account_locked", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "account_locked", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "account_locked", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "account_locked", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "account_locked", 1], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "account_locked", 1], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "account_locked", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "account_locked", 0], ["user", ".lisa.bauer", 1779066000000000000, "auth", "account_locked", 0], ["user", ".thomas.weber", 1779066000000000000, "auth", "account_locked", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "account_locked", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "account_locked", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "account_locked", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "account_locked", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "account_locked", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "account_locked", 1], ["user", ".lisa.bauer", 1779069600000000000, "auth", "account_locked", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "account_locked", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "account_locked", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "account_locked", 1], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "account_locked", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "account_locked", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "account_locked", 0], ["user", ".anna.schmidt", 1779073200000000000, "auth", "account_locked", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "account_locked", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "account_locked", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "account_locked", 1], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "account_locked", 0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "account_locked", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "account_locked", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "account_locked", 0], ["user", ".anna.schmidt", 1779076800000000000, "auth", "account_locked", 1], ["user", ".lisa.bauer", 1779076800000000000, "auth", "account_locked", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "account_locked", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "account_locked", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "account_locked", 1], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "account_locked", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "account_locked", 1], ["user", ".anna.schmidt", 1779080400000000000, "auth", "account_locked", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "account_locked", 2], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "account_locked", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "account_locked", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "account_locked", 1], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "account_locked", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "account_locked", 0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "account_locked", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "account_locked", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "account_locked", 1], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "account_locked", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "account_unlocked_fail", 0], ["user", ".lisa.bauer", 1779058800000000000, "auth", "account_unlocked_fail", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "account_unlocked_fail", 0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "account_unlocked_fail", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "account_unlocked_fail", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "account_unlocked_fail", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "account_unlocked_fail", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "account_unlocked_fail", 0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "account_unlocked_fail", 0], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "account_unlocked_fail", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "account_unlocked_fail", 0], ["user", ".lisa.bauer", 1779066000000000000, "auth", "account_unlocked_fail", 0], ["user", ".thomas.weber", 1779066000000000000, "auth", "account_unlocked_fail", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "account_unlocked_fail", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "account_unlocked_fail", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "account_unlocked_fail", 1], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "account_unlocked_fail", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "account_unlocked_fail", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "account_unlocked_fail", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "account_unlocked_fail", 1], ["user", ".thomas.weber", 1779069600000000000, "auth", "account_unlocked_fail", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "account_unlocked_fail", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "account_unlocked_fail", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "account_unlocked_fail", 1], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "account_unlocked_fail", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "account_unlocked_fail", 0], ["user", ".anna.schmidt", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", ".anna.schmidt", 1779076800000000000, "auth", "account_unlocked_fail", 1], ["user", ".lisa.bauer", 1779076800000000000, "auth", "account_unlocked_fail", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "account_unlocked_fail", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "account_unlocked_fail", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "account_unlocked_fail", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "account_unlocked_fail", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "account_unlocked_fail", 0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "account_unlocked_fail", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "account_unlocked_fail", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "account_unlocked_fail", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "account_unlocked_fail", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "account_unlocked_fail", 0], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "account_unlocked_fail", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "account_unlocked_fail", 1], ["user", ".anna.schmidt", 1779084000000000000, "auth", "account_unlocked_fail", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "account_unlocked_fail", 1], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "account_unlocked_fail", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "account_unlocked_fail", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "auth_fail", 1], ["user", ".lisa.bauer", 1779058800000000000, "auth", "auth_fail", 1], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "auth_fail", 1], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "auth_fail", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "auth_fail", 1], ["user", ".lisa.bauer", 1779062400000000000, "auth", "auth_fail", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "auth_fail", 2], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "auth_fail", 2], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "auth_fail", 2], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "auth_fail", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "auth_fail", 1], ["user", ".lisa.bauer", 1779066000000000000, "auth", "auth_fail", 1], ["user", ".thomas.weber", 1779066000000000000, "auth", "auth_fail", 2], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "auth_fail", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "auth_fail", 1], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "auth_fail", 2], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "auth_fail", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "auth_fail", 1], ["user", ".anna.schmidt", 1779069600000000000, "auth", "auth_fail", 1], ["user", ".lisa.bauer", 1779069600000000000, "auth", "auth_fail", 1], ["user", ".thomas.weber", 1779069600000000000, "auth", "auth_fail", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "auth_fail", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "auth_fail", 1], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "auth_fail", 1], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "auth_fail", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "auth_fail", 1], ["user", ".anna.schmidt", 1779073200000000000, "auth", "auth_fail", 1], ["user", ".lisa.bauer", 1779073200000000000, "auth", "auth_fail", 1], ["user", ".thomas.weber", 1779073200000000000, "auth", "auth_fail", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "auth_fail", 2], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "auth_fail", 1], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "auth_fail", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "auth_fail", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "auth_fail", 1], ["user", ".anna.schmidt", 1779076800000000000, "auth", "auth_fail", 3], ["user", ".lisa.bauer", 1779076800000000000, "auth", "auth_fail", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "auth_fail", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "auth_fail", 2], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "auth_fail", 2], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "auth_fail", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "auth_fail", 1], ["user", ".anna.schmidt", 1779080400000000000, "auth", "auth_fail", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "auth_fail", 2], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "auth_fail", 2], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "auth_fail", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "auth_fail", 3], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "auth_fail", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "auth_fail", 1], ["user", ".anna.schmidt", 1779084000000000000, "auth", "auth_fail", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "auth_fail", 2], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "auth_fail", 1], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "auth_fail", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "auth_fail_ratio", 1.0], ["user", ".lisa.bauer", 1779058800000000000, "auth", "auth_fail_ratio", 1.0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "auth_fail_ratio", 1.0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "auth_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "auth_fail_ratio", 1.0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "auth_fail_ratio", 0.0], ["user", ".thomas.weber", 1779062400000000000, "auth", "auth_fail_ratio", 0.5], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "auth_fail_ratio", 0.6666666666666666], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "auth_fail_ratio", 0.5], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "auth_fail_ratio", 0.5], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "auth_fail_ratio", 0.2], ["user", ".lisa.bauer", 1779066000000000000, "auth", "auth_fail_ratio", 0.25], ["user", ".thomas.weber", 1779066000000000000, "auth", "auth_fail_ratio", 1.0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "auth_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "auth_fail_ratio", 1.0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "auth_fail_ratio", 1.0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "auth_fail_ratio", 0.3333333333333333], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "auth_fail_ratio", 0.5], ["user", ".anna.schmidt", 1779069600000000000, "auth", "auth_fail_ratio", 0.3333333333333333], ["user", ".lisa.bauer", 1779069600000000000, "auth", "auth_fail_ratio", 1.0], ["user", ".thomas.weber", 1779069600000000000, "auth", "auth_fail_ratio", 0.5], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "auth_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "auth_fail_ratio", 0.25], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "auth_fail_ratio", 0.5], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "auth_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "auth_fail_ratio", 0.3333333333333333], ["user", ".anna.schmidt", 1779073200000000000, "auth", "auth_fail_ratio", 1.0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "auth_fail_ratio", 1.0], ["user", ".thomas.weber", 1779073200000000000, "auth", "auth_fail_ratio", 0.3333333333333333], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "auth_fail_ratio", 0.6666666666666666], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "auth_fail_ratio", 0.3333333333333333], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "auth_fail_ratio", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "auth_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "auth_fail_ratio", 0.16666666666666666], ["user", ".anna.schmidt", 1779076800000000000, "auth", "auth_fail_ratio", 0.75], ["user", ".lisa.bauer", 1779076800000000000, "auth", "auth_fail_ratio", 0.0], ["user", ".thomas.weber", 1779076800000000000, "auth", "auth_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "auth_fail_ratio", 0.6666666666666666], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "auth_fail_ratio", 1.0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "auth_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "auth_fail_ratio", 0.3333333333333333], ["user", ".anna.schmidt", 1779080400000000000, "auth", "auth_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "auth_fail_ratio", 1.0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "auth_fail_ratio", 1.0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "auth_fail_ratio", 0.0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "auth_fail_ratio", 0.75], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "auth_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "auth_fail_ratio", 0.3333333333333333], ["user", ".anna.schmidt", 1779084000000000000, "auth", "auth_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "auth_fail_ratio", 1.0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "auth_fail_ratio", 0.5], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "auth_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "auth_succ", 0], ["user", ".lisa.bauer", 1779058800000000000, "auth", "auth_succ", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "auth_succ", 0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "auth_succ", 1], ["user", ".anna.schmidt", 1779062400000000000, "auth", "auth_succ", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "auth_succ", 1], ["user", ".thomas.weber", 1779062400000000000, "auth", "auth_succ", 2], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "auth_succ", 1], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "auth_succ", 2], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "auth_succ", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "auth_succ", 4], ["user", ".lisa.bauer", 1779066000000000000, "auth", "auth_succ", 3], ["user", ".thomas.weber", 1779066000000000000, "auth", "auth_succ", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "auth_succ", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "auth_succ", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "auth_succ", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "auth_succ", 2], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "auth_succ", 1], ["user", ".anna.schmidt", 1779069600000000000, "auth", "auth_succ", 2], ["user", ".lisa.bauer", 1779069600000000000, "auth", "auth_succ", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "auth_succ", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "auth_succ", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "auth_succ", 3], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "auth_succ", 1], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "auth_succ", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "auth_succ", 2], ["user", ".anna.schmidt", 1779073200000000000, "auth", "auth_succ", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "auth_succ", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "auth_succ", 2], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "auth_succ", 1], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "auth_succ", 2], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "auth_succ", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "auth_succ", 2], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "auth_succ", 5], ["user", ".anna.schmidt", 1779076800000000000, "auth", "auth_succ", 1], ["user", ".lisa.bauer", 1779076800000000000, "auth", "auth_succ", 1], ["user", ".thomas.weber", 1779076800000000000, "auth", "auth_succ", 1], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "auth_succ", 1], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "auth_succ", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "auth_succ", 1], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "auth_succ", 2], ["user", ".anna.schmidt", 1779080400000000000, "auth", "auth_succ", 1], ["user", ".lisa.bauer", 1779080400000000000, "auth", "auth_succ", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "auth_succ", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "auth_succ", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "auth_succ", 1], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "auth_succ", 2], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "auth_succ", 2], ["user", ".anna.schmidt", 1779084000000000000, "auth", "auth_succ", 1], ["user", ".lisa.bauer", 1779084000000000000, "auth", "auth_succ", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "auth_succ", 1], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "auth_succ", 2], ["user", ".anna.schmidt", 1779058800000000000, "auth", "auth_total", 1], ["user", ".lisa.bauer", 1779058800000000000, "auth", "auth_total", 1], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "auth_total", 1], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "auth_total", 1], ["user", ".anna.schmidt", 1779062400000000000, "auth", "auth_total", 1], ["user", ".lisa.bauer", 1779062400000000000, "auth", "auth_total", 1], ["user", ".thomas.weber", 1779062400000000000, "auth", "auth_total", 4], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "auth_total", 3], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "auth_total", 4], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "auth_total", 2], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "auth_total", 5], ["user", ".lisa.bauer", 1779066000000000000, "auth", "auth_total", 4], ["user", ".thomas.weber", 1779066000000000000, "auth", "auth_total", 2], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "auth_total", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "auth_total", 1], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "auth_total", 2], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "auth_total", 3], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "auth_total", 2], ["user", ".anna.schmidt", 1779069600000000000, "auth", "auth_total", 3], ["user", ".lisa.bauer", 1779069600000000000, "auth", "auth_total", 1], ["user", ".thomas.weber", 1779069600000000000, "auth", "auth_total", 2], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "auth_total", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "auth_total", 4], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "auth_total", 2], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "auth_total", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "auth_total", 3], ["user", ".anna.schmidt", 1779073200000000000, "auth", "auth_total", 1], ["user", ".lisa.bauer", 1779073200000000000, "auth", "auth_total", 1], ["user", ".thomas.weber", 1779073200000000000, "auth", "auth_total", 3], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "auth_total", 3], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "auth_total", 3], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "auth_total", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "auth_total", 2], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "auth_total", 6], ["user", ".anna.schmidt", 1779076800000000000, "auth", "auth_total", 4], ["user", ".lisa.bauer", 1779076800000000000, "auth", "auth_total", 1], ["user", ".thomas.weber", 1779076800000000000, "auth", "auth_total", 1], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "auth_total", 3], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "auth_total", 2], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "auth_total", 1], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "auth_total", 3], ["user", ".anna.schmidt", 1779080400000000000, "auth", "auth_total", 1], ["user", ".lisa.bauer", 1779080400000000000, "auth", "auth_total", 2], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "auth_total", 2], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "auth_total", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "auth_total", 4], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "auth_total", 2], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "auth_total", 3], ["user", ".anna.schmidt", 1779084000000000000, "auth", "auth_total", 1], ["user", ".lisa.bauer", 1779084000000000000, "auth", "auth_total", 2], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "auth_total", 2], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "auth_total", 2], ["user", ".anna.schmidt", 1779058800000000000, "auth", "login_failure", 1], ["user", ".lisa.bauer", 1779058800000000000, "auth", "login_failure", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "login_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "login_failure", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "login_failure", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "login_failure", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "login_failure", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "login_failure", 0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "login_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "login_failure", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "login_failure", 1], ["user", ".lisa.bauer", 1779066000000000000, "auth", "login_failure", 0], ["user", ".thomas.weber", 1779066000000000000, "auth", "login_failure", 1], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "login_failure", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "login_failure", 1], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "login_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "login_failure", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "login_failure", 1], ["user", ".anna.schmidt", 1779069600000000000, "auth", "login_failure", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "login_failure", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "login_failure", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "login_failure", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "login_failure", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "login_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "login_failure", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "login_failure", 0], ["user", ".anna.schmidt", 1779073200000000000, "auth", "login_failure", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "login_failure", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "login_failure", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "login_failure", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "login_failure", 1], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "login_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "login_failure", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "login_failure", 1], ["user", ".anna.schmidt", 1779076800000000000, "auth", "login_failure", 0], ["user", ".lisa.bauer", 1779076800000000000, "auth", "login_failure", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "login_failure", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "login_failure", 1], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "login_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "login_failure", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "login_failure", 0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "login_failure", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "login_failure", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "login_failure", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "login_failure", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "login_failure", 1], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "login_failure", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "login_failure", 0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "login_failure", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "login_failure", 1], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "login_failure", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "login_failure", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "login_success", 0], ["user", ".lisa.bauer", 1779058800000000000, "auth", "login_success", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "login_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "login_success", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "login_success", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "login_success", 1], ["user", ".thomas.weber", 1779062400000000000, "auth", "login_success", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "login_success", 1], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "login_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "login_success", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "login_success", 1], ["user", ".lisa.bauer", 1779066000000000000, "auth", "login_success", 0], ["user", ".thomas.weber", 1779066000000000000, "auth", "login_success", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "login_success", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "login_success", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "login_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "login_success", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "login_success", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "login_success", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "login_success", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "login_success", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "login_success", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "login_success", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "login_success", 1], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "login_success", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "login_success", 1], ["user", ".anna.schmidt", 1779073200000000000, "auth", "login_success", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "login_success", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "login_success", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "login_success", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "login_success", 0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "login_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "login_success", 1], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "login_success", 0], ["user", ".anna.schmidt", 1779076800000000000, "auth", "login_success", 1], ["user", ".lisa.bauer", 1779076800000000000, "auth", "login_success", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "login_success", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "login_success", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "login_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "login_success", 1], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "login_success", 0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "login_success", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "login_success", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "login_success", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "login_success", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "login_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "login_success", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "login_success", 1], ["user", ".anna.schmidt", 1779084000000000000, "auth", "login_success", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "login_success", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "login_success", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "login_success", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "logout", 0], ["user", ".lisa.bauer", 1779058800000000000, "auth", "logout", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "logout", 0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "logout", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "logout", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "logout", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "logout", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "logout", 0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "logout", 0], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "logout", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "logout", 1], ["user", ".lisa.bauer", 1779066000000000000, "auth", "logout", 1], ["user", ".thomas.weber", 1779066000000000000, "auth", "logout", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "logout", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "logout", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "logout", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "logout", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "logout", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "logout", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "logout", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "logout", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "logout", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "logout", 2], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "logout", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "logout", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "logout", 0], ["user", ".anna.schmidt", 1779073200000000000, "auth", "logout", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "logout", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "logout", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "logout", 1], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "logout", 1], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "logout", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "logout", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "logout", 0], ["user", ".anna.schmidt", 1779076800000000000, "auth", "logout", 0], ["user", ".lisa.bauer", 1779076800000000000, "auth", "logout", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "logout", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "logout", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "logout", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "logout", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "logout", 0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "logout", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "logout", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "logout", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "logout", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "logout", 1], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "logout", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "logout", 0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "logout", 1], ["user", ".lisa.bauer", 1779084000000000000, "auth", "logout", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "logout", 1], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "logout", 1], ["user", ".anna.schmidt", 1779058800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779058800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "mfa_fail_ratio", 1.0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "mfa_fail_ratio", 1.0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".thomas.weber", 1779062400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "mfa_fail_ratio", 1.0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "mfa_fail_ratio", 1.0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779066000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".thomas.weber", 1779066000000000000, "auth", "mfa_fail_ratio", 1.0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".thomas.weber", 1779069600000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "mfa_fail_ratio", 0.5], ["user", ".anna.schmidt", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".thomas.weber", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779076800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779076800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".thomas.weber", 1779076800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "mfa_fail_ratio", 1.0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "mfa_fail_ratio", 1.0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "mfa_fail_ratio", 1.0], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "mfa_failure", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "mfa_failure", 1], ["user", ".anna.schmidt", 1779062400000000000, "auth", "mfa_failure", 1], ["user", ".lisa.bauer", 1779062400000000000, "auth", "mfa_failure", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "mfa_failure", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "mfa_failure", 1], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "mfa_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "mfa_failure", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "mfa_failure", 0], ["user", ".lisa.bauer", 1779066000000000000, "auth", "mfa_failure", 0], ["user", ".thomas.weber", 1779066000000000000, "auth", "mfa_failure", 1], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "mfa_failure", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "mfa_failure", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "mfa_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "mfa_failure", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "mfa_failure", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "mfa_failure", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "mfa_failure", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "mfa_failure", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "mfa_failure", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "mfa_failure", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "mfa_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "mfa_failure", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "mfa_failure", 1], ["user", ".anna.schmidt", 1779073200000000000, "auth", "mfa_failure", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "mfa_failure", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "mfa_failure", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "mfa_failure", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "mfa_failure", 0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "mfa_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "mfa_failure", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "mfa_failure", 0], ["user", ".anna.schmidt", 1779076800000000000, "auth", "mfa_failure", 0], ["user", ".lisa.bauer", 1779076800000000000, "auth", "mfa_failure", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "mfa_failure", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "mfa_failure", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "mfa_failure", 1], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "mfa_failure", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "mfa_failure", 0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "mfa_failure", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "mfa_failure", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "mfa_failure", 1], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "mfa_failure", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "mfa_failure", 1], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "mfa_failure", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "mfa_failure", 0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "mfa_failure", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "mfa_failure", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "mfa_failure", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "mfa_failure", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "mfa_success", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "mfa_success", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "mfa_success", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "mfa_success", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "mfa_success", 1], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "mfa_success", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "mfa_success", 1], ["user", ".lisa.bauer", 1779066000000000000, "auth", "mfa_success", 1], ["user", ".thomas.weber", 1779066000000000000, "auth", "mfa_success", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "mfa_success", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "mfa_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "mfa_success", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "mfa_success", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "mfa_success", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "mfa_success", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "mfa_success", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "mfa_success", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "mfa_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "mfa_success", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "mfa_success", 1], ["user", ".anna.schmidt", 1779073200000000000, "auth", "mfa_success", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "mfa_success", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "mfa_success", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "mfa_success", 0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "mfa_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "mfa_success", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "mfa_success", 2], ["user", ".anna.schmidt", 1779076800000000000, "auth", "mfa_success", 0], ["user", ".lisa.bauer", 1779076800000000000, "auth", "mfa_success", 1], ["user", ".thomas.weber", 1779076800000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "mfa_success", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "mfa_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "mfa_success", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "mfa_success", 1], ["user", ".anna.schmidt", 1779080400000000000, "auth", "mfa_success", 1], ["user", ".lisa.bauer", 1779080400000000000, "auth", "mfa_success", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "mfa_success", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "mfa_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "mfa_success", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "mfa_success", 0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "mfa_success", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "mfa_success", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "mfa_success", 1], ["user", ".anna.schmidt", 1779058800000000000, "auth", "password_change", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "password_change", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "password_change", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "password_change", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "password_change", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "password_change", 0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "password_change", 1], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "password_change", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "password_change", 1], ["user", ".lisa.bauer", 1779066000000000000, "auth", "password_change", 1], ["user", ".thomas.weber", 1779066000000000000, "auth", "password_change", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "password_change", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "password_change", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "password_change", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "password_change", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "password_change", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "password_change", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "password_change", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "password_change", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "password_change", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "password_change", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "password_change", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "password_change", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "password_change", 0], ["user", ".anna.schmidt", 1779073200000000000, "auth", "password_change", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "password_change", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "password_change", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "password_change", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "password_change", 1], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "password_change", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "password_change", 1], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "password_change", 1], ["user", ".anna.schmidt", 1779076800000000000, "auth", "password_change", 0], ["user", ".lisa.bauer", 1779076800000000000, "auth", "password_change", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "password_change", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "password_change", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "password_change", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "password_change", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "password_change", 0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "password_change", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "password_change", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "password_change", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "password_change", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "password_change", 0], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "password_change", 2], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "password_change", 0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "password_change", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "password_change", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "password_change", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "password_change", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "password_reset_req", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "password_reset_req", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "password_reset_req", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "password_reset_req", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "password_reset_req", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "password_reset_req", 0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "password_reset_req", 1], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "password_reset_req", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "password_reset_req", 0], ["user", ".lisa.bauer", 1779066000000000000, "auth", "password_reset_req", 1], ["user", ".thomas.weber", 1779066000000000000, "auth", "password_reset_req", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "password_reset_req", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "password_reset_req", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "password_reset_req", 1], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "password_reset_req", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "password_reset_req", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "password_reset_req", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "password_reset_req", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "password_reset_req", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "password_reset_req", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "password_reset_req", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "password_reset_req", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "password_reset_req", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "password_reset_req", 0], ["user", ".anna.schmidt", 1779073200000000000, "auth", "password_reset_req", 1], ["user", ".lisa.bauer", 1779073200000000000, "auth", "password_reset_req", 1], ["user", ".thomas.weber", 1779073200000000000, "auth", "password_reset_req", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "password_reset_req", 1], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "password_reset_req", 0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "password_reset_req", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "password_reset_req", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "password_reset_req", 0], ["user", ".anna.schmidt", 1779076800000000000, "auth", "password_reset_req", 1], ["user", ".lisa.bauer", 1779076800000000000, "auth", "password_reset_req", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "password_reset_req", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "password_reset_req", 1], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "password_reset_req", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "password_reset_req", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "password_reset_req", 0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "password_reset_req", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "password_reset_req", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "password_reset_req", 1], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "password_reset_req", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "password_reset_req", 0], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "password_reset_req", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "password_reset_req", 0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "password_reset_req", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "password_reset_req", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "password_reset_req", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "password_reset_req", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "session_timeout", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "session_timeout", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "session_timeout", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "session_timeout", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "session_timeout", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "session_timeout", 0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "session_timeout", 0], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "session_timeout", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "session_timeout", 0], ["user", ".lisa.bauer", 1779066000000000000, "auth", "session_timeout", 0], ["user", ".thomas.weber", 1779066000000000000, "auth", "session_timeout", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "session_timeout", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "session_timeout", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "session_timeout", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "session_timeout", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "session_timeout", 1], ["user", ".anna.schmidt", 1779069600000000000, "auth", "session_timeout", 2], ["user", ".lisa.bauer", 1779069600000000000, "auth", "session_timeout", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "session_timeout", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "session_timeout", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "session_timeout", 1], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "session_timeout", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "session_timeout", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "session_timeout", 0], ["user", ".anna.schmidt", 1779073200000000000, "auth", "session_timeout", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "session_timeout", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "session_timeout", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "session_timeout", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "session_timeout", 0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "session_timeout", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "session_timeout", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "session_timeout", 2], ["user", ".anna.schmidt", 1779076800000000000, "auth", "session_timeout", 0], ["user", ".lisa.bauer", 1779076800000000000, "auth", "session_timeout", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "session_timeout", 1], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "session_timeout", 1], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "session_timeout", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "session_timeout", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "session_timeout", 1], ["user", ".anna.schmidt", 1779080400000000000, "auth", "session_timeout", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "session_timeout", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "session_timeout", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "session_timeout", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "session_timeout", 0], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "session_timeout", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "session_timeout", 1], ["user", ".anna.schmidt", 1779084000000000000, "auth", "session_timeout", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "session_timeout", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "session_timeout", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "session_timeout", 0], ["host", "avelios-app-01.berlin.local", 1779058800000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-03.berlin.local", 1779058800000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-int-01.berlin.local", 1779058800000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779058800000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_auth_events", 4], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_auth_events", 8], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_auth_events", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_auth_events", 4], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_auth_events", 7], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_auth_events", 6], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_auth_events", 7], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_auth_events", 6], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_auth_events", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_auth_events", 5], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_auth_events", 8], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_auth_events", 5], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_auth_events", 8], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_auth_events", 4], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_auth_events", 6], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_auth_events", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_auth_events", 4], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_auth_events", 5], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_auth_events", 3], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_auth_events", 8], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_auth_events", 6], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_auth_events", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_auth_events", 9], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_auth_events", 7], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_auth_events", 4], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_auth_events", 4], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_auth_events", 4], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_auth_events", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_auth_events", 6], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_auth_events", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_auth_events", 4], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_auth_events", 6], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_auth_events", 6], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_auth_events", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_auth_events", 4], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_auth_events", 9], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_auth_events", 4], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_auth_events", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_auth_events", 3], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_auth_events", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_auth_events", 3], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-01.berlin.local", 1779058800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779058800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779058800000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779058800000000000, "endpoint", "host_card_events", 1], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_card_events", 4], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_card_events", 7], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_card_events", 6], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_card_events", 7], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_card_events", 5], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_card_events", 8], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_card_events", 5], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_card_events", 8], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_card_events", 4], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_card_events", 5], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_card_events", 3], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_card_events", 3], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_card_events", 9], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_card_events", 7], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_card_events", 4], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_card_events", 4], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_card_events", 6], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_card_events", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_card_events", 4], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_card_events", 6], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_card_events", 4], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_card_events", 9], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_card_events", 4], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_card_events", 3], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_card_events", 3], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_card_events", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_card_events", 3], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_card_events", 2], ["host", "avelios-app-01.berlin.local", 1779058800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779058800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779058800000000000, "endpoint", "host_data_events", 1], ["host", "omniconnect-ber-01.local", 1779058800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_data_events", 7], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_data_events", 8], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_data_events", 6], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_data_events", 2], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_data_events", 7], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_data_events", 5], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_data_events", 10], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_data_events", 3], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_data_events", 6], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_data_events", 3], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_data_events", 6], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_data_events", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_data_events", 2], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_data_events", 2], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.berlin.local", 1779058800000000000, "endpoint", "host_events", 1], ["host", "avelios-app-03.berlin.local", 1779058800000000000, "endpoint", "host_events", 1], ["host", "avelios-int-01.berlin.local", 1779058800000000000, "endpoint", "host_events", 1], ["host", "omniconnect-ber-01.local", 1779058800000000000, "endpoint", "host_events", 1], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_events", 4], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_events", 1], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_events", 3], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_events", 2], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_events", 8], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_events", 2], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_events", 7], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_events", 8], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_events", 10], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_events", 12], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_events", 9], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_events", 7], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_events", 1], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_events", 3], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_events", 2], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_events", 6], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_events", 2], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_events", 1], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_events", 6], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_events", 2], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_events", 6], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_events", 10], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_events", 7], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_events", 10], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_events", 4], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_events", 2], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_events", 6], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_events", 1], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_events", 2], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_events", 2], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_events", 7], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_events", 5], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_events", 11], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_events", 9], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_events", 9], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_events", 8], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_events", 8], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_events", 2], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_events", 1], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_events", 6], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_events", 3], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_events", 10], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_events", 3], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_events", 10], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_events", 9], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_events", 7], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_events", 9], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_events", 2], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_events", 1], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_events", 3], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_events", 2], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_events", 4], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_events", 3], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_events", 6], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_events", 3], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_events", 10], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_events", 8], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_events", 7], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_events", 6], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_events", 2], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_events", 6], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_events", 2], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_events", 3], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_events", 2], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_events", 6], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_events", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_events", 9], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_events", 11], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_events", 4], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_events", 6], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_events", 3], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_events", 2], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_events", 1], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_events", 1], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_events", 2], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_events", 2], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_events", 7], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_events", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_events", 4], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_events", 2], ["host", "avelios-app-01.berlin.local", 1779058800000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-app-03.berlin.local", 1779058800000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-int-01.berlin.local", 1779058800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779058800000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.3333333333333333], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.25], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.6], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.5], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.2222222222222222], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.42857142857142855], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.3333333333333333], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.5], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.6666666666666666], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.3], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.7142857142857143], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.4], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.5], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.3333333333333333], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.18181818181818182], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.1111111111111111], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.2222222222222222], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.375], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.125], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.6666666666666666], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.6666666666666666], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.3333333333333333], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.14285714285714285], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.3333333333333333], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.6666666666666666], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.5], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.6666666666666666], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.125], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.8333333333333334], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.5], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.3333333333333333], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.5], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.4444444444444444], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.09090909090909091], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.16666666666666666], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.3333333333333333], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.5714285714285714], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.25], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.5], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_failures", 4], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_failures", 2], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_failures", 2], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_failures", 6], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_failures", 6], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_failures", 2], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_failures", 3], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_failures", 4], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_failures", 2], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_failures", 3], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_failures", 5], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_failures", 4], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_failures", 2], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_failures", 2], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_failures", 2], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_failures", 2], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_failures", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_failures", 2], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_failures", 3], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_failures", 4], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_failures", 2], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_failures", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_failures", 3], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_failures", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_failures", 3], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_failures", 2], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_failures", 2], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_failures", 2], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_failures", 2], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_failures", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_failures", 5], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_failures", 1], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_failures", 4], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_failures", 1], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_failures", 1], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_failures", 4], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_failures", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_high_severity", 4], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_high_severity", 6], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_high_severity", 2], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_high_severity", 1], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_high_severity", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_high_severity", 4], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_high_severity", 2], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_high_severity", 2], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_high_severity", 2], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_high_severity", 2], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_high_severity", 4], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_high_severity", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_high_severity", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_high_severity", 2], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_high_severity", 2], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_high_severity", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_high_severity", 2], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_high_severity", 3], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_high_severity", 2], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_high_severity", 3], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_high_severity", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_infos", 2], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_infos", 2], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_infos", 1], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_infos", 4], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_infos", 3], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_infos", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_infos", 2], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_infos", 3], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_infos", 2], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_infos", 3], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_infos", 1], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_infos", 2], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_infos", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_infos", 3], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_infos", 1], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_infos", 3], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_infos", 3], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_infos", 2], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_infos", 1], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_infos", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_infos", 3], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_infos", 1], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_infos", 1], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_infos", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_infos", 1], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_ti_events", 6], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_ti_events", 5], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_ti_events", 3], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_ti_events", 1], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_ti_events", 2], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_ti_events", 2], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_ti_events", 2], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_ti_events", 7], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_ti_events", 4], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_ti_events", 6], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_ti_events", 5], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_ti_events", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_ti_events", 2], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_ti_events", 3], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_ti_events", 5], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_ti_events", 4], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_ti_events", 6], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_ti_events", 3], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_ti_events", 5], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_ti_events", 2], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_ti_events", 3], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_ti_events", 4], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_ti_events", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "cert_expired", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "cert_expired", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "cert_expired", 1], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "cert_expired", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "cert_expired", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "cert_expired", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "cert_expired", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "cert_expired", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "cert_expired", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "cert_expired", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "cert_expired", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "cert_expired", 1], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "cert_expired", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "cert_expired", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "cert_expired", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "cert_expired", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "cert_expired", 2], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "cert_expired", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "cert_expired", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "cert_expired", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "cert_expired", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "cert_expired", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "cert_expired", 1], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "cert_expired", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "cert_expired", 2], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "cert_expiring", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "cert_expiring", 2], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "cert_expiring", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "cert_expiring", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "cert_expiring", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "cert_expiring", 1], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "cert_expiring", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "cert_expiring", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "cert_expiring", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "cert_expiring", 1], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "cert_expiring", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "cert_expiring", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "cert_expiring", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "cert_expiring", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "cert_expiring", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "cert_expiring", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "cert_valid", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "cert_valid", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "cert_valid", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "cert_valid", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "cert_valid", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "cert_valid", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "cert_valid", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "cert_valid", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "cert_valid", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "cert_valid", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "cert_valid", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "cert_valid", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "cert_valid", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "cert_valid", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "cert_valid", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "cert_valid", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "cert_valid", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "cert_valid", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "cert_valid", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "cert_valid", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "cert_valid", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "cert_valid", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "cert_valid", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "high_sev_events", 3], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "high_sev_events", 3], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "high_sev_events", 1], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "high_sev_events", 1], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "high_sev_events", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "high_sev_events", 2], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "high_sev_events", 1], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "high_sev_events", 2], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "high_sev_events", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "high_sev_events", 2], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "high_sev_events", 3], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "high_sev_events", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "high_sev_events", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "high_sev_events", 2], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "high_sev_events", 2], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "high_sev_events", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "high_sev_events", 2], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "high_sev_events", 2], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "high_sev_events", 2], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "high_sev_events", 1], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "konnektor_connected", 2], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "konnektor_connected", 1], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "konnektor_connected", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "konnektor_connected", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "konnektor_connected", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "konnektor_connected", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "konnektor_disconnected", 1], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "konnektor_disconnected", 2], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "konnektor_disconnected", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "konnektor_disconnected", 1], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "konnektor_disconnected", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "konnektor_flap_score", 2.0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "konnektor_flap_score", 1.0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "konnektor_flap_score", 1.0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "konnektor_flap_score", 2.0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "konnektor_flap_score", 2.0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "konnektor_flap_score", 1.0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "konnektor_flap_score", 1.0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "konnektor_flap_score", 1.0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "konnektor_flap_score", 1.0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "konnektor_flap_score", 1.0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "konnektor_health_check", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "konnektor_health_check", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "konnektor_health_check", 2], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "konnektor_health_check", 2], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "konnektor_health_check", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "konnektor_health_check", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "konnektor_health_check", 1], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "konnektor_health_check", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "ti_events", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "ti_events", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "ti_events", 6], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "ti_events", 5], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "ti_events", 3], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "ti_events", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "ti_events", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "ti_events", 1], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "ti_events", 2], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "ti_events", 2], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "ti_events", 2], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "ti_events", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "ti_events", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "ti_events", 7], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "ti_events", 4], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "ti_events", 6], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "ti_events", 5], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "ti_events", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "ti_events", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "ti_events", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "ti_events", 2], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "ti_events", 3], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "ti_events", 5], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "ti_events", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "ti_events", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "ti_events", 4], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "ti_events", 6], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "ti_events", 3], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "ti_events", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "ti_events", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "ti_events", 5], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "ti_events", 2], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "ti_events", 3], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "ti_events", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "ti_events", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "ti_events", 4], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "ti_events", 1], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "ti_failure_ratio", 0.5], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "ti_failure_ratio", 0.2], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "ti_failure_ratio", 0.3333333333333333], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "ti_failure_ratio", 0.5], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "ti_failure_ratio", 0.16666666666666666], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "ti_failure_ratio", 0.2], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "ti_failure_ratio", 0.3333333333333333], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "ti_failure_ratio", 0.4], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "ti_failure_ratio", 0.16666666666666666], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "ti_failure_ratio", 0.4], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "ti_failure_ratio", 0.5], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "ti_failure_ratio", 0.5], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "ti_failures", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "ti_failures", 3], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "ti_failures", 1], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "ti_failures", 1], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "ti_failures", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "ti_failures", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "ti_failures", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "ti_failures", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "ti_failures", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "ti_failures", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "ti_failures", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "ti_failures", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "ti_failures", 1], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "ti_failures", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "ti_failures", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "ti_failures", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "ti_failures", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "ti_failures", 2], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "ti_failures", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "ti_failures", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "ti_failures", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "ti_failures", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "ti_failures", 2], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "ti_failures", 1], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "ti_failures", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "ti_failures", 2], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "ti_service_available", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "ti_service_available", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "ti_service_available", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "ti_service_available", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "ti_service_available", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "ti_service_available", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "ti_service_available", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "ti_service_available", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "ti_service_available", 1], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "ti_service_available", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "ti_service_available", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "ti_service_available", 2], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "ti_service_available", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "ti_service_available", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "ti_service_available", 2], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "ti_service_unavailable", 1], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "ti_service_unavailable", 1], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "vpn_tunnel_failed", 2], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "vpn_tunnel_failed", 1], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "vpn_tunnel_failed", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "vpn_tunnel_failed", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "vpn_tunnel_failed", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "vpn_tunnel_failed", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "vpn_tunnel_reconnect", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "vpn_tunnel_reconnect", 1], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "vpn_tunnel_reconnect", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "vpn_tunnel_reconnect", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "vpn_tunnel_reconnect", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "vpn_tunnel_reconnect", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "vpn_tunnel_reconnect", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "vpn_tunnel_reconnect", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "dt_events", 1], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "dt_events", 1], ["user", ".thomas.weber", 1779062400000000000, "cloud", "dt_events", 3], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "dt_events", 3], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "dt_events", 3], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "dt_events", 4], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "dt_events", 3], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "dt_events", 1], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "dt_events", 1], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "dt_events", 2], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "dt_events", 1], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "dt_events", 3], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "dt_events", 1], ["user", ".thomas.weber", 1779069600000000000, "cloud", "dt_events", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "dt_events", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "dt_events", 3], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "dt_events", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "dt_events", 2], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "dt_events", 2], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "dt_events", 2], ["user", ".thomas.weber", 1779073200000000000, "cloud", "dt_events", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "dt_events", 3], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "dt_events", 2], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "dt_events", 2], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "dt_events", 1], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "dt_events", 2], ["user", ".thomas.weber", 1779076800000000000, "cloud", "dt_events", 2], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "dt_events", 2], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "dt_events", 1], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "dt_events", 1], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "dt_events", 1], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "dt_events", 3], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "dt_events", 3], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "dt_events", 1], ["user", ".thomas.weber", 1779084000000000000, "cloud", "dt_events", 1], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "dt_events", 1], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "dt_events", 1], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "dt_events", 1], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "dt_failures", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "dt_failures", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "dt_failures", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "dt_failures", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "dt_failures", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "dt_failures", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "dt_failures", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "dt_failures", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "dt_failures", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "dt_failures", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "dt_failures", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "dt_failures", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "dt_failures", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "dt_failures", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "dt_failures", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "dt_failures", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "dt_failures", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "dt_failures", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "dt_failures", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "dt_failures", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "dt_failures", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "dt_failures", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "dt_failures", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "dt_failures", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "dt_failures", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "dt_failures", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "dt_failures", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "dt_failures", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "dt_failures", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "dt_failures", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "dt_failures", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "dt_failures", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "dt_failures", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "dt_failures", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "dt_failures", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "dt_failures", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "dt_failures", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "dt_failures", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "email_notifications", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "email_notifications", 1], ["user", ".thomas.weber", 1779062400000000000, "cloud", "email_notifications", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "email_notifications", 1], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "email_notifications", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "email_notifications", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "email_notifications", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "email_notifications", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "email_notifications", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "email_notifications", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "email_notifications", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "email_notifications", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "email_notifications", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "email_notifications", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "email_notifications", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "email_notifications", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "email_notifications", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "email_notifications", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "email_notifications", 1], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "email_notifications", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "email_notifications", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "email_notifications", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "email_notifications", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "email_notifications", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "email_notifications", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "email_notifications", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "email_notifications", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "email_notifications", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "email_notifications", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "email_notifications", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "email_notifications", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "email_notifications", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "email_notifications", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "email_notifications", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "email_notifications", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "email_notifications", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "email_notifications", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "email_notifications", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "export_completed", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "export_completed", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "export_completed", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "export_completed", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "export_completed", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "export_completed", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "export_completed", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "export_completed", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "export_completed", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "export_completed", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "export_completed", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "export_completed", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "export_completed", 1], ["user", ".thomas.weber", 1779069600000000000, "cloud", "export_completed", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "export_completed", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "export_completed", 1], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "export_completed", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "export_completed", 1], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "export_completed", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "export_completed", 1], ["user", ".thomas.weber", 1779073200000000000, "cloud", "export_completed", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "export_completed", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "export_completed", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "export_completed", 2], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "export_completed", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "export_completed", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "export_completed", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "export_completed", 1], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "export_completed", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "export_completed", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "export_completed", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "export_completed", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "export_completed", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "export_completed", 1], ["user", ".thomas.weber", 1779084000000000000, "cloud", "export_completed", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "export_completed", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "export_completed", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "export_completed", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "export_initiated", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "export_initiated", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "export_initiated", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "export_initiated", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "export_initiated", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "export_initiated", 1], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "export_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "export_initiated", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "export_initiated", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "export_initiated", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "export_initiated", 1], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "export_initiated", 1], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "export_initiated", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "export_initiated", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "export_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "export_initiated", 1], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "export_initiated", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "export_initiated", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "export_initiated", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "export_initiated", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "export_initiated", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "export_initiated", 2], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "export_initiated", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "export_initiated", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "export_initiated", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "export_initiated", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "export_initiated", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "export_initiated", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "export_initiated", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "export_initiated", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "export_initiated", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "export_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "export_initiated", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "export_initiated", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "export_initiated", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "export_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "export_initiated", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "export_initiated", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "external_destinations", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "external_destinations", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "external_destinations", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "external_destinations", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "external_destinations", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "external_destinations", 1], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "external_destinations", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "external_destinations", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "external_destinations", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "external_destinations", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "external_destinations", 1], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "external_destinations", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "external_destinations", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "external_destinations", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "external_destinations", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "external_destinations", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "external_destinations", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "external_destinations", 1], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "external_destinations", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "external_destinations", 1], ["user", ".thomas.weber", 1779073200000000000, "cloud", "external_destinations", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "external_destinations", 1], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "external_destinations", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "external_destinations", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "external_destinations", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "external_destinations", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "external_destinations", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "external_destinations", 1], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "external_destinations", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "external_destinations", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "external_destinations", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "external_destinations", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "external_destinations", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "external_destinations", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "external_destinations", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "external_destinations", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "external_destinations", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "external_destinations", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "fhir_requests", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "fhir_requests", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "fhir_requests", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "fhir_requests", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "fhir_requests", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "fhir_requests", 3], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "fhir_requests", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "fhir_requests", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "fhir_requests", 1], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "fhir_requests", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "fhir_requests", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "fhir_requests", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "fhir_requests", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "fhir_requests", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "fhir_requests", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "fhir_requests", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "fhir_requests", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "fhir_requests", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "fhir_requests", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "fhir_requests", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "fhir_requests", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "fhir_requests", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "fhir_requests", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "fhir_requests", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "fhir_requests", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "fhir_requests", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "fhir_requests", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "fhir_requests", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "fhir_requests", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "fhir_requests", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "fhir_requests", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "fhir_requests", 1], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "fhir_requests", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "fhir_requests", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "fhir_requests", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "fhir_requests", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "fhir_requests", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "fhir_requests", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "hl7_received", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "hl7_received", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "hl7_received", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "hl7_received", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "hl7_received", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "hl7_received", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "hl7_received", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "hl7_received", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "hl7_received", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "hl7_received", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "hl7_received", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "hl7_received", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "hl7_received", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "hl7_received", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "hl7_received", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "hl7_received", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "hl7_received", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "hl7_received", 1], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "hl7_received", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "hl7_received", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "hl7_received", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "hl7_received", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "hl7_received", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "hl7_received", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "hl7_received", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "hl7_received", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "hl7_received", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "hl7_received", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "hl7_received", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "hl7_received", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "hl7_received", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "hl7_received", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "hl7_received", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "hl7_received", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "hl7_received", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "hl7_received", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "hl7_received", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "hl7_received", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "hl7_sent", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "hl7_sent", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "hl7_sent", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "hl7_sent", 1], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "hl7_sent", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "hl7_sent", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "hl7_sent", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "hl7_sent", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "hl7_sent", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "hl7_sent", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "hl7_sent", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "hl7_sent", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "hl7_sent", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "hl7_sent", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "hl7_sent", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "hl7_sent", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "hl7_sent", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "hl7_sent", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "hl7_sent", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "hl7_sent", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "hl7_sent", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "hl7_sent", 1], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "hl7_sent", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "hl7_sent", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "hl7_sent", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "hl7_sent", 1], ["user", ".thomas.weber", 1779076800000000000, "cloud", "hl7_sent", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "hl7_sent", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "hl7_sent", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "hl7_sent", 1], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "hl7_sent", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "hl7_sent", 2], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "hl7_sent", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "hl7_sent", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "hl7_sent", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "hl7_sent", 1], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "hl7_sent", 1], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "hl7_sent", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "import_completed", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "import_completed", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "import_completed", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "import_completed", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "import_completed", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "import_completed", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "import_completed", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "import_completed", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "import_completed", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "import_completed", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "import_completed", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "import_completed", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "import_completed", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "import_completed", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "import_completed", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "import_completed", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "import_completed", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "import_completed", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "import_completed", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "import_completed", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "import_completed", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "import_completed", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "import_completed", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "import_completed", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "import_completed", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "import_completed", 1], ["user", ".thomas.weber", 1779076800000000000, "cloud", "import_completed", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "import_completed", 1], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "import_completed", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "import_completed", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "import_completed", 1], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "import_completed", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "import_completed", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "import_completed", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "import_completed", 1], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "import_completed", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "import_completed", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "import_completed", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "import_initiated", 1], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "import_initiated", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "import_initiated", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "import_initiated", 1], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "import_initiated", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "import_initiated", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "import_initiated", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "import_initiated", 1], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "import_initiated", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "import_initiated", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "import_initiated", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "import_initiated", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "import_initiated", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "import_initiated", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "import_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "import_initiated", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "import_initiated", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "import_initiated", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "import_initiated", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "import_initiated", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "import_initiated", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "import_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "import_initiated", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "import_initiated", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "import_initiated", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "import_initiated", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "import_initiated", 1], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "import_initiated", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "import_initiated", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "import_initiated", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "import_initiated", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "import_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "import_initiated", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "import_initiated", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "import_initiated", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "import_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "import_initiated", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "import_initiated", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "print_jobs", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "print_jobs", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "print_jobs", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "print_jobs", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "print_jobs", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "print_jobs", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "print_jobs", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "print_jobs", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "print_jobs", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "print_jobs", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "print_jobs", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "print_jobs", 1], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "print_jobs", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "print_jobs", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "print_jobs", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "print_jobs", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "print_jobs", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "print_jobs", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "print_jobs", 1], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "print_jobs", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "print_jobs", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "print_jobs", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "print_jobs", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "print_jobs", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "print_jobs", 1], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "print_jobs", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "print_jobs", 1], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "print_jobs", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "print_jobs", 1], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "print_jobs", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "print_jobs", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "print_jobs", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "print_jobs", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "print_jobs", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "print_jobs", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "print_jobs", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "print_jobs", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "print_jobs", 1], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "report_generated", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "report_generated", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "report_generated", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "report_generated", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "report_generated", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "report_generated", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "report_generated", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "report_generated", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "report_generated", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "report_generated", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "report_generated", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "report_generated", 1], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "report_generated", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "report_generated", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "report_generated", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "report_generated", 1], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "report_generated", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "report_generated", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "report_generated", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "report_generated", 1], ["user", ".thomas.weber", 1779073200000000000, "cloud", "report_generated", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "report_generated", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "report_generated", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "report_generated", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "report_generated", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "report_generated", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "report_generated", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "report_generated", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "report_generated", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "report_generated", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "report_generated", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "report_generated", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "report_generated", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "report_generated", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "report_generated", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "report_generated", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "report_generated", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "report_generated", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "total_records_exported", 0.0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "total_records_exported", 0.0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "total_records_exported", 268.0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "total_records_exported", 0.0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "total_records_exported", 8.0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "total_records_exported", 936.0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "total_records_exported", 216.0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "total_records_exported", 0.0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "total_records_exported", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "total_records_exported", 647.0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "total_records_exported", 107.0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "total_records_exported", 486.0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "total_records_exported", 477.0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "total_records_exported", 637.0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "total_records_exported", 591.0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "total_records_exported", 1217.0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "total_records_exported", 71.0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "total_records_exported", 625.0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "total_records_exported", 0.0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "total_records_exported", 606.0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "total_records_exported", 0.0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "total_records_exported", 1731.0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "total_records_exported", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "total_records_exported", 1551.0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "total_records_exported", 0.0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "total_records_exported", 0.0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "total_records_exported", 0.0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "total_records_exported", 11.0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "total_records_exported", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "total_records_exported", 0.0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "total_records_exported", 0.0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "total_records_exported", 0.0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "total_records_exported", 832.0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "total_records_exported", 107.0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "total_records_exported", 0.0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "total_records_exported", 0.0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "total_records_exported", 0.0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "total_records_exported", 0.0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_auth_failed", 2], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_auth_success", 2], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_auth_success", 3], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_decryption", 2], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_events", 3], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_events", 7], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_events", 5], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_events", 7], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_events", 5], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_events", 8], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_events", 5], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_events", 8], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_events", 4], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_events", 5], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_events", 3], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_events", 3], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_events", 9], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_events", 7], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_events", 4], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_events", 4], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_events", 6], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_events", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_events", 4], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_events", 6], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_events", 4], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_events", 9], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_events", 4], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_events", 3], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_events", 3], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_events", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_events", 3], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_events", 2], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_failure_ratio", 0.6666666666666666], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_failure_ratio", 0.7142857142857143], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_failure_ratio", 0.2], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_failure_ratio", 0.42857142857142855], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_failure_ratio", 0.375], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_failure_ratio", 0.8], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_failure_ratio", 0.5], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_failure_ratio", 0.5], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_failure_ratio", 0.2], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_failure_ratio", 0.3333333333333333], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_failure_ratio", 0.6666666666666666], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_failure_ratio", 0.1111111111111111], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_failure_ratio", 0.42857142857142855], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_failure_ratio", 0.25], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_failure_ratio", 0.5], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_failure_ratio", 0.3333333333333333], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_failure_ratio", 0.6666666666666666], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_failure_ratio", 0.3333333333333333], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_failure_ratio", 0.5], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_failures", 2], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_failures", 5], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_failures", 3], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_failures", 3], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_failures", 4], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_failures", 4], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_failures", 2], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_failures", 2], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_failures", 3], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_failures", 2], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_failures", 2], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_pin_blocked", 3], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_pin_blocked", 2], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_pin_failed", 2], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_read_failure", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_read_failure", 2], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_read_failure", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_read_failure", 2], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_read_failure", 1], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_read_failure", 1], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_read_failure", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_read_failure", 3], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_read_failure", 1], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_read_failure", 1], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_read_success", 2], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_read_success", 2], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_read_success", 2], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_removed", 2], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_removed", 2], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_removed", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_removed", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_removed", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_removed", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_signature_created", 2], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_signature_created", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_signature_created", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_signature_created", 1], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_signature_created", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_signature_created", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_signature_created", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "hba_events", 2], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "hba_events", 4], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "hba_events", 2], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "hba_events", 4], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "hba_events", 3], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "hba_events", 4], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "hba_events", 3], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "hba_events", 2], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "hba_events", 2], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "low_attempts_remaining", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "low_attempts_remaining", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "low_attempts_remaining", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "low_attempts_remaining", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "low_attempts_remaining", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "low_attempts_remaining", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "qes_pin_attempts", 2], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "qes_pin_attempts", 2], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "smcb_events", 3], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "smcb_events", 3], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "smcb_events", 3], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "smcb_events", 2], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "smcb_events", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "smcb_events", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "smcb_events", 3], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "smcb_events", 2], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "smcb_events", 3], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "smcb_events", 3], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "distinct_card_types", 4], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "distinct_card_types", 4], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "distinct_card_types", 4], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "distinct_card_types", 4], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "distinct_card_types", 4], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "distinct_card_types", 4], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "distinct_card_types", 4], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "distinct_card_types", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "distinct_cards", 3], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "distinct_cards", 6], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "distinct_cards", 5], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "distinct_cards", 7], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "distinct_cards", 5], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "distinct_cards", 8], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "distinct_cards", 5], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "distinct_cards", 8], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "distinct_cards", 4], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "distinct_cards", 5], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "distinct_cards", 3], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "distinct_cards", 3], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "distinct_cards", 9], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "distinct_cards", 7], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "distinct_cards", 4], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "distinct_cards", 4], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "distinct_cards", 6], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "distinct_cards", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "distinct_cards", 4], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "distinct_cards", 6], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "distinct_cards", 4], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "distinct_cards", 9], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "distinct_cards", 4], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "distinct_cards", 3], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "distinct_cards", 3], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "distinct_cards", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "distinct_cards", 3], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "distinct_cards", 2], ["user", ".thomas.weber", 1779062400000000000, "cloud", "distinct_destinations", 2], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "distinct_destinations", 1], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "distinct_destinations", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "distinct_destinations", 1], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "distinct_destinations", 1], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "distinct_destinations", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "distinct_destinations", 1], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "distinct_destinations", 1], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "distinct_destinations", 1], ["user", ".thomas.weber", 1779069600000000000, "cloud", "distinct_destinations", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "distinct_destinations", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "distinct_destinations", 1], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "distinct_destinations", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "distinct_destinations", 2], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "distinct_destinations", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "distinct_destinations", 3], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "distinct_destinations", 2], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "distinct_destinations", 1], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "distinct_destinations", 1], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "distinct_destinations", 1], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "distinct_destinations", 1], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "distinct_destinations", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "distinct_destinations", 1], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "distinct_destinations", 1], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "distinct_destinations", 1], ["user", ".thomas.weber", 1779062400000000000, "cloud", "distinct_export_types", 1], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "distinct_export_types", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "distinct_export_types", 1], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "distinct_export_types", 1], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "distinct_export_types", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "distinct_export_types", 1], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "distinct_export_types", 1], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "distinct_export_types", 1], ["user", ".thomas.weber", 1779069600000000000, "cloud", "distinct_export_types", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "distinct_export_types", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "distinct_export_types", 2], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "distinct_export_types", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "distinct_export_types", 1], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "distinct_export_types", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "distinct_export_types", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "distinct_export_types", 2], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "distinct_export_types", 1], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "distinct_export_types", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "distinct_export_types", 1], ["user", ".thomas.weber", 1779062400000000000, "cloud", "distinct_msg_types", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "distinct_msg_types", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "distinct_msg_types", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "distinct_msg_types", 1], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "distinct_msg_types", 1], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "distinct_msg_types", 1], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "distinct_msg_types", 2], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "distinct_msg_types", 1], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "distinct_msg_types", 1], ["user", ".thomas.weber", 1779062400000000000, "auth", "distinct_src_host", 2], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "distinct_src_host", 2], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "distinct_src_host", 4], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "distinct_src_host", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "distinct_src_host", 2], ["user", ".lisa.bauer", 1779066000000000000, "auth", "distinct_src_host", 3], ["user", ".thomas.weber", 1779066000000000000, "auth", "distinct_src_host", 1], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "distinct_src_host", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "distinct_src_host", 1], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "distinct_src_host", 1], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "distinct_src_host", 2], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "distinct_src_host", 2], ["user", ".anna.schmidt", 1779069600000000000, "auth", "distinct_src_host", 2], ["user", ".lisa.bauer", 1779069600000000000, "auth", "distinct_src_host", 1], ["user", ".thomas.weber", 1779069600000000000, "auth", "distinct_src_host", 2], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "distinct_src_host", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "distinct_src_host", 4], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "distinct_src_host", 1], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "distinct_src_host", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "distinct_src_host", 3], ["user", ".anna.schmidt", 1779073200000000000, "auth", "distinct_src_host", 1], ["user", ".lisa.bauer", 1779073200000000000, "auth", "distinct_src_host", 1], ["user", ".thomas.weber", 1779073200000000000, "auth", "distinct_src_host", 3], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "distinct_src_host", 3], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "distinct_src_host", 2], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "distinct_src_host", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "distinct_src_host", 2], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "distinct_src_host", 3], ["user", ".anna.schmidt", 1779076800000000000, "auth", "distinct_src_host", 3], ["user", ".lisa.bauer", 1779076800000000000, "auth", "distinct_src_host", 1], ["user", ".thomas.weber", 1779076800000000000, "auth", "distinct_src_host", 1], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "distinct_src_host", 2], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "distinct_src_host", 2], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "distinct_src_host", 1], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "distinct_src_host", 2], ["user", ".anna.schmidt", 1779080400000000000, "auth", "distinct_src_host", 1], ["user", ".lisa.bauer", 1779080400000000000, "auth", "distinct_src_host", 1], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "distinct_src_host", 2], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "distinct_src_host", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "distinct_src_host", 3], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "distinct_src_host", 2], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "distinct_src_host", 3], ["user", ".anna.schmidt", 1779084000000000000, "auth", "distinct_src_host", 1], ["user", ".lisa.bauer", 1779084000000000000, "auth", "distinct_src_host", 2], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "distinct_src_host", 2], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "distinct_src_host", 2], ["user", ".thomas.weber", 1779062400000000000, "auth", "distinct_src_ip", 4], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "distinct_src_ip", 3], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "distinct_src_ip", 4], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "distinct_src_ip", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "distinct_src_ip", 5], ["user", ".lisa.bauer", 1779066000000000000, "auth", "distinct_src_ip", 4], ["user", ".thomas.weber", 1779066000000000000, "auth", "distinct_src_ip", 2], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "distinct_src_ip", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "distinct_src_ip", 1], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "distinct_src_ip", 2], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "distinct_src_ip", 3], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "distinct_src_ip", 2], ["user", ".anna.schmidt", 1779069600000000000, "auth", "distinct_src_ip", 3], ["user", ".lisa.bauer", 1779069600000000000, "auth", "distinct_src_ip", 1], ["user", ".thomas.weber", 1779069600000000000, "auth", "distinct_src_ip", 2], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "distinct_src_ip", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "distinct_src_ip", 4], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "distinct_src_ip", 2], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "distinct_src_ip", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "distinct_src_ip", 3], ["user", ".anna.schmidt", 1779073200000000000, "auth", "distinct_src_ip", 1], ["user", ".lisa.bauer", 1779073200000000000, "auth", "distinct_src_ip", 1], ["user", ".thomas.weber", 1779073200000000000, "auth", "distinct_src_ip", 3], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "distinct_src_ip", 3], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "distinct_src_ip", 3], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "distinct_src_ip", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "distinct_src_ip", 2], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "distinct_src_ip", 6], ["user", ".anna.schmidt", 1779076800000000000, "auth", "distinct_src_ip", 4], ["user", ".lisa.bauer", 1779076800000000000, "auth", "distinct_src_ip", 1], ["user", ".thomas.weber", 1779076800000000000, "auth", "distinct_src_ip", 1], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "distinct_src_ip", 3], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "distinct_src_ip", 2], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "distinct_src_ip", 1], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "distinct_src_ip", 3], ["user", ".anna.schmidt", 1779080400000000000, "auth", "distinct_src_ip", 1], ["user", ".lisa.bauer", 1779080400000000000, "auth", "distinct_src_ip", 2], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "distinct_src_ip", 2], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "distinct_src_ip", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "distinct_src_ip", 4], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "distinct_src_ip", 2], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "distinct_src_ip", 3], ["user", ".anna.schmidt", 1779084000000000000, "auth", "distinct_src_ip", 1], ["user", ".lisa.bauer", 1779084000000000000, "auth", "distinct_src_ip", 2], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "distinct_src_ip", 2], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "distinct_src_ip", 2], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "distinct_telematik_ids", 6], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "distinct_telematik_ids", 4], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "distinct_telematik_ids", 3], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "distinct_telematik_ids", 1], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "distinct_telematik_ids", 2], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "distinct_telematik_ids", 2], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "distinct_telematik_ids", 2], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "distinct_telematik_ids", 7], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "distinct_telematik_ids", 4], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "distinct_telematik_ids", 6], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "distinct_telematik_ids", 5], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "distinct_telematik_ids", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "distinct_telematik_ids", 2], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "distinct_telematik_ids", 3], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "distinct_telematik_ids", 5], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "distinct_telematik_ids", 4], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "distinct_telematik_ids", 6], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "distinct_telematik_ids", 3], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "distinct_telematik_ids", 5], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "distinct_telematik_ids", 2], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "distinct_telematik_ids", 3], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "distinct_telematik_ids", 4], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "distinct_telematik_ids", 1], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "distinct_terminals", 3], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "distinct_terminals", 5], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "distinct_terminals", 5], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "distinct_terminals", 7], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "distinct_terminals", 5], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "distinct_terminals", 8], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "distinct_terminals", 5], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "distinct_terminals", 8], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "distinct_terminals", 4], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "distinct_terminals", 5], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "distinct_terminals", 3], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "distinct_terminals", 3], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "distinct_terminals", 9], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "distinct_terminals", 7], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "distinct_terminals", 4], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "distinct_terminals", 4], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "distinct_terminals", 6], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "distinct_terminals", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "distinct_terminals", 4], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "distinct_terminals", 6], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "distinct_terminals", 4], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "distinct_terminals", 9], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "distinct_terminals", 4], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "distinct_terminals", 3], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "distinct_terminals", 3], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "distinct_terminals", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "distinct_terminals", 3], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "distinct_terminals", 2], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 6], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 5], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 3], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 8], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 7], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 7], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 7], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 3], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 5], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 4], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 4], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 9], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 6], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 9], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 4], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 3], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 4], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 3], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 9], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 8], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 7], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 8], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 4], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 4], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 3], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 7], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 3], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 7], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 9], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 6], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 7], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 3], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 4], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 3], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 5], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 2], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 10], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 8], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 6], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 6], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 5], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 3], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 4], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 8], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 6], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 3], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 5], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 3], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 2], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 6], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 4], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_distinct_users", 3], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_distinct_users", 4], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_distinct_users", 5], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_distinct_users", 4], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_distinct_users", 5], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_distinct_users", 4], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_distinct_users", 4], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_distinct_users", 6], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_distinct_users", 4], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_distinct_users", 6], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_distinct_users", 5], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_distinct_users", 5], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_distinct_users", 3], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_distinct_users", 4], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_distinct_users", 3], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_distinct_users", 4], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_distinct_users", 3], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_distinct_users", 3], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_distinct_users", 3], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_distinct_users", 2]]} \ No newline at end of file diff --git a/parsers/ueba_peer_membership b/parsers/ueba_peer_membership new file mode 100644 index 0000000..008af32 --- /dev/null +++ b/parsers/ueba_peer_membership @@ -0,0 +1 @@ +{"columnNames": ["entity_type", "entity_id", "peer_id"], "rows": [["user", ".thomas.weber", "role=Physician|hosp=HOSP-003"], ["user", "admin.klaus.fischer", "role=SystemAdmin|hosp=HOSP-003"], ["user", "billing.clerk.peter.wolf", "role=BillingClerk|hosp=HOSP-001"], ["user", "nurse.maria.m\\u00fcller", "role=Nurse|hosp=HOSP-001"], ["user", "nurse.maria.m\\u00fcller", "role=Nurse|hosp=HOSP-002"], ["user", "nurse.maria.m\\u00fcller", "role=Nurse|hosp=HOSP-003"], ["user", "pharmacist.hans.meyer", "role=Pharmacist|hosp=HOSP-001"], ["user", "pharmacist.hans.meyer", "role=Pharmacist|hosp=HOSP-003"], ["host", "avelios-app-01.berlin.local", "host_fam=avelios|loc=Berlin"], ["host", "avelios-app-03.berlin.local", "host_fam=avelios|loc=Berlin"], ["host", "avelios-app-03.munich.local", "host_fam=avelios|loc=Munich"], ["host", "avelios-int-01.berlin.local", "host_fam=avelios|loc=Berlin"], ["host", "avelios-int-01.munich.local", "host_fam=avelios|loc=Munich"], ["host", "omniconnect-ber-01.local", "host_fam=omniconnect|loc=unknown"], ["host", "omniconnect-ber-01.local", "host_fam=omniconnect|loc=Berlin"], ["host", "omniconnect-fra-01.local", "host_fam=omniconnect|loc=unknown"], ["host", "omniconnect-fra-01.local", "host_fam=omniconnect|loc=Frankfurt"], ["host", "omniconnect-ham-01.local", "host_fam=omniconnect|loc=unknown"], ["host", "omniconnect-ham-01.local", "host_fam=omniconnect|loc=Hamburg"], ["host", "omniconnect-mun-01.local", "host_fam=omniconnect|loc=unknown"], ["host", "omniconnect-mun-01.local", "host_fam=omniconnect|loc=Munich"]]} \ No newline at end of file diff --git a/parsers/ueba_smoke_test b/parsers/ueba_smoke_test new file mode 100644 index 0000000..18f4492 --- /dev/null +++ b/parsers/ueba_smoke_test @@ -0,0 +1,4 @@ +{ + "columnNames": [], + "rows": [] +} \ No newline at end of file diff --git a/parsers/ueba_test_default b/parsers/ueba_test_default new file mode 100644 index 0000000..708bcd9 --- /dev/null +++ b/parsers/ueba_test_default @@ -0,0 +1,13 @@ +{ + "columnNames": ["entity_id", "feature_name", "value"], + "rows": [ + [".anna.schmidt", "featureD3", 16], + [".lisa.bauer", "featureD3", 9], + [".thomas.weber", "featureD3", 18], + ["admin.klaus.fischer", "featureD3", 17], + ["billing.clerk.peter.wolf", "featureD3", 19], + ["lab.tech.sarah.koch", "featureD3", 9], + ["nurse.maria.m\\u00fcller", "featureD3", 16], + ["pharmacist.hans.meyer", "featureD3", 17] + ] +} \ No newline at end of file diff --git a/parsers/ueba_test_merge b/parsers/ueba_test_merge new file mode 100644 index 0000000..37ae277 --- /dev/null +++ b/parsers/ueba_test_merge @@ -0,0 +1,13 @@ +{ + "columnNames": ["entity_id", "feature_name", "value"], + "rows": [ + [".anna.schmidt", "featureB3", 16], + [".lisa.bauer", "featureB3", 9], + [".thomas.weber", "featureB3", 18], + ["admin.klaus.fischer", "featureB3", 17], + ["billing.clerk.peter.wolf", "featureB3", 19], + ["lab.tech.sarah.koch", "featureB3", 9], + ["nurse.maria.m\\u00fcller", "featureB3", 16], + ["pharmacist.hans.meyer", "featureB3", 17] + ] +} \ No newline at end of file diff --git a/parsers/ueba_test_same_feat_merge b/parsers/ueba_test_same_feat_merge new file mode 100644 index 0000000..0d99c70 --- /dev/null +++ b/parsers/ueba_test_same_feat_merge @@ -0,0 +1,13 @@ +{ + "columnNames": ["entity_id", "feature_name", "value"], + "rows": [ + [".anna.schmidt", "featF_same", 16], + [".lisa.bauer", "featF_same", 9], + [".thomas.weber", "featF_same", 18], + ["admin.klaus.fischer", "featF_same", 17], + ["billing.clerk.peter.wolf", "featF_same", 19], + ["lab.tech.sarah.koch", "featF_same", 9], + ["nurse.maria.m\\u00fcller", "featF_same", 16], + ["pharmacist.hans.meyer", "featF_same", 17] + ] +} \ No newline at end of file diff --git a/parsers/ueba_test_same_feat_replace b/parsers/ueba_test_same_feat_replace new file mode 100644 index 0000000..1776fca --- /dev/null +++ b/parsers/ueba_test_same_feat_replace @@ -0,0 +1,13 @@ +{ + "columnNames": ["entity_id", "feature_name", "value"], + "rows": [ + [".anna.schmidt", "featG_same", 16], + [".lisa.bauer", "featG_same", 9], + [".thomas.weber", "featG_same", 18], + ["admin.klaus.fischer", "featG_same", 17], + ["billing.clerk.peter.wolf", "featG_same", 19], + ["lab.tech.sarah.koch", "featG_same", 9], + ["nurse.maria.m\\u00fcller", "featG_same", 16], + ["pharmacist.hans.meyer", "featG_same", 17] + ] +} \ No newline at end of file diff --git a/parsers/zscaler_logs-latest b/parsers/zscaler_logs-latest new file mode 100644 index 0000000..e3f8b3f --- /dev/null +++ b/parsers/zscaler_logs-latest @@ -0,0 +1,19 @@ +{ + // specify a time zone if the timestamps in your log are not in GMT + // timezone: "GMT-0800" + + formats: [ + + { + id: "format1", + format: ".*$=json{parse=dottedJson}$" + rewrites: [ + {input: "TimestampConnectionEnd", output: "timestamp", match: ".*", replace: "$0"} + // moved upstread wher it is more efficient + {input: "message", output: "message", match: "(.*\")(\\{\"\\w+\".*)", replace: "$2"} + + ] + } + + ] +} diff --git a/tools/probe_simulate_filter.py b/tools/probe_simulate_filter.py new file mode 100644 index 0000000..827577b --- /dev/null +++ b/tools/probe_simulate_filter.py @@ -0,0 +1,63 @@ +#!/usr/bin/env python3 +"""Probe /api/ingest/simulate-filter using small 1-day windows + long client +timeouts to avoid urllib aborting before the SDL query returns. + +Run one case at a time and print elapsed time so we can tell whether failures +are HTTP errors or slow tenant queries. +""" +from __future__ import annotations +import json +import sys +import time +import urllib.request +import urllib.error + +URL = "http://localhost:8001/api/ingest/simulate-filter" +TIMEOUT = 600 # seconds — generous; SDL queries on large tenants can take >60s + +# Smallest windows first so cheap calls succeed before we try the expensive ones. +CASES = [ + ("empty body, 1d", {"days": 1}), + ("bogus source, 1d", {"source": "definitely-no-such-source", "days": 1}), + ("source only, 1d", {"source": "Avelios Medical", "days": 1}), + ("source only, 7d", {"source": "Avelios Medical", "days": 7}), + ("event_type only, 1d", {"event_type": "login", "days": 1}), + ("source + event_type, 7d", {"source": "Avelios Medical", "event_type": "login", "days": 7}), +] + + +def hit(body: dict) -> tuple[int, str, float]: + data = json.dumps(body).encode() + req = urllib.request.Request( + URL, + data=data, + headers={"Content-Type": "application/json"}, + method="POST", + ) + t0 = time.monotonic() + try: + with urllib.request.urlopen(req, timeout=TIMEOUT) as r: + return r.status, r.read().decode(), time.monotonic() - t0 + except urllib.error.HTTPError as e: + return e.code, e.read().decode(), time.monotonic() - t0 + except Exception as e: + return -1, f"{type(e).__name__}: {e or 'no detail'}", time.monotonic() - t0 + + +# Allow narrowing via CLI: `python3 probe_simulate_filter.py 2 3` runs cases 2 & 3. +indices = [int(x) for x in sys.argv[1:]] if len(sys.argv) > 1 else range(len(CASES)) + +for i in indices: + if i >= len(CASES): + continue + label, body = CASES[i] + print("=" * 78) + print(f"[{i}] {label:<32} body={body}") + sys.stdout.flush() + status, payload, elapsed = hit(body) + print(f" HTTP {status} elapsed={elapsed:.1f}s") + try: + parsed = json.loads(payload) + print(" " + json.dumps(parsed, indent=2).replace("\n", "\n ")) + except Exception: + print(f" raw: {payload[:800]}") diff --git a/tools/probe_sync_from_sdl.py b/tools/probe_sync_from_sdl.py new file mode 100644 index 0000000..f19d02d --- /dev/null +++ b/tools/probe_sync_from_sdl.py @@ -0,0 +1,80 @@ +#!/usr/bin/env python3 +"""Trigger /api/quality/sync-from-sdl and pretty-print the result. + +Then re-list /api/quality/parsers to confirm the new files appear in the +Parser Test Runner dropdown. +""" +from __future__ import annotations +import json +import sys +import time +import urllib.request +import urllib.error + +BACKEND = "http://localhost:8001" +TIMEOUT = 300 + + +def call(method: str, path: str) -> tuple[int, dict | str, float]: + req = urllib.request.Request(BACKEND + path, method=method) + t0 = time.monotonic() + try: + with urllib.request.urlopen(req, timeout=TIMEOUT) as r: + return r.status, json.loads(r.read().decode()), time.monotonic() - t0 + except urllib.error.HTTPError as e: + body = e.read().decode() + try: + return e.code, json.loads(body), time.monotonic() - t0 + except Exception: + return e.code, body, time.monotonic() - t0 + except Exception as e: + return -1, f"{type(e).__name__}: {e or 'no detail'}", time.monotonic() - t0 + + +print("=" * 72) +print("POST /api/quality/sync-from-sdl") +print("=" * 72) +status, body, elapsed = call("POST", "/api/quality/sync-from-sdl") +print(f"HTTP {status} elapsed={elapsed:.1f}s") +if isinstance(body, dict): + if "detail" in body: + print(f" ERROR: {body['detail']}") + else: + print(f" downloaded: {body.get('downloaded')}") + print(f" errors: {len(body.get('errors') or [])}") + print(f" directory: {body.get('directory')}") + names = body.get("parsers") or [] + print(f"\n sample of parser filenames (first 25):") + for n in names[:25]: + print(f" {n}") + if len(names) > 25: + print(f" ... and {len(names) - 25} more") + # Highlight anything that looks like a customer/custom parser + custom = [n for n in names if "avelios" in n.lower() or "ocsf" in n.lower()] + if custom: + print("\n matched custom-parser patterns (avelios / ocsf):") + for n in custom: + print(f" ✓ {n}") + errs = body.get("errors") or [] + if errs: + print(f"\n errors (first 5 of {len(errs)}):") + for e in errs[:5]: + print(f" - {e}") +else: + print(f" raw: {str(body)[:600]}") + +print() +print("=" * 72) +print("GET /api/quality/parsers (Parser Test Runner dropdown source)") +print("=" * 72) +status, body, elapsed = call("GET", "/api/quality/parsers") +print(f"HTTP {status} elapsed={elapsed:.1f}s") +if isinstance(body, dict): + print(f" count: {body.get('count')}") + print(f" parsers:") + for n in (body.get("parsers") or [])[:50]: + print(f" {n}") + if (body.get("count") or 0) > 50: + print(f" ... and {body['count'] - 50} more") +else: + print(f" raw: {str(body)[:400]}") diff --git a/tools/stormshield-verify/README.md b/tools/stormshield-verify/README.md new file mode 100644 index 0000000..13dbe34 --- /dev/null +++ b/tools/stormshield-verify/README.md @@ -0,0 +1,59 @@ +# Stormshield ingest verifier + +End-to-end regression test for the SDL Stormshield parser. Sends raw syslog +events to `/api/uploadLogs`, waits for ingest, and confirms the OCSF rewrites +(`src_endpoint.ip`, `dst_endpoint.ip`, `actor.user.name`, ...) populated by +the parser at ingest time. + +## Setup + +```bash +cp config.example.json config.json +chmod 600 config.json +# Fill in log_write_key, log_read_key — both are SDL Data Lake API keys. +# Generate them in the S1 console: Singularity Data Lake -> API Keys. +``` + +`config.json` is gitignored. Never commit real tokens. + +## Run + +```bash +# Single-event upload + 150s polling verifier (prints which OCSF fields landed) +python3 test.py + +# Burst of 4 varied events with current timestamps (different users, IPs, actions) +python3 send_burst.py + +# One-shot regression: burst + 40s wait + query last 15 min +bash run_and_verify.sh +``` + +## How to find the events afterwards + +The SDL console search field (and PowerQuery) attribute for the parser name +is **`parser`**, not `parser.name`: + +``` +parser="stormshield" | sort -timestamp | limit 10 +``` + +## Behaviour quirks worth knowing + +1. **`server-host` HTTP header is overwritten** to the literal string + `uploadLogs` on this tenant. Don't try to filter by `serverHost` for + precise event matching; use `parser='stormshield'` instead. +2. **`parser.name` is always None** on `uploadLogs`-ingested events. + Use the bare `parser` attribute. +3. **Embedded `time="..."`** in the syslog body is taken as the event's + canonical timestamp via `$timestamp=tsPattern$`. The scripts rewrite + this to "now" so events appear under recent activity in the console. +4. **Ingest latency** is 5-60s. `test.py` polls for up to 150s. + +## Files + +- `test.py` — single upload + polling verifier +- `send_burst.py` — N varied events with current timestamps +- `verify_query.py` — query last 15 min of stormshield events +- `run_and_verify.sh` — burst + sleep + verify (regression test) +- `config.example.json` — template, copy to `config.json` diff --git a/tools/stormshield-verify/config.example.json b/tools/stormshield-verify/config.example.json new file mode 100644 index 0000000..adc60f4 --- /dev/null +++ b/tools/stormshield-verify/config.example.json @@ -0,0 +1,12 @@ +{ + "_comment": "Copy to config.json (gitignored) and fill in your SDL keys. Generate them in the SentinelOne console under Singularity Data Lake -> API Keys. log_write_key needs 'Log Write Access'. log_read_key needs 'Log Read Access'. config_read_key needs 'Configuration Read'. config_write_key needs 'Configuration Write'. console_api_token is a regular console user/service-user API token; it works for query and config methods but NOT for uploadLogs (uploadLogs requires a real Log Write key).", + "base_url": "https://xdr.us1.sentinelone.net/", + "log_write_key": "REPLACE_WITH_LOG_WRITE_KEY", + "log_read_key": "REPLACE_WITH_LOG_READ_KEY", + "config_read_key": "REPLACE_WITH_CONFIG_READ_KEY", + "config_write_key": "REPLACE_WITH_CONFIG_WRITE_KEY", + "console_api_token": "REPLACE_WITH_CONSOLE_API_TOKEN_OR_LEAVE_EMPTY", + "s1_scope": "", + "verify_tls": true, + "timeout_seconds": 30 +} diff --git a/tools/stormshield-verify/run_and_verify.sh b/tools/stormshield-verify/run_and_verify.sh new file mode 100755 index 0000000..4b4b5ce --- /dev/null +++ b/tools/stormshield-verify/run_and_verify.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash +set -e +cd /tmp/stormshield-verify +echo "============ STEP 1: send burst ============" +python3 send_burst.py +echo +echo "============ STEP 2: wait 40s for ingest ============" +sleep 40 +echo +echo "============ STEP 3: query SDL ============" +python3 verify_query.py diff --git a/tools/stormshield-verify/send_burst.py b/tools/stormshield-verify/send_burst.py new file mode 100644 index 0000000..7066319 --- /dev/null +++ b/tools/stormshield-verify/send_burst.py @@ -0,0 +1,89 @@ +#!/usr/bin/env python3 +"""Send N Stormshield events with current timestamps, varied src IPs/users, +so they appear as a recognizable cluster in the SDL console under +parser="stormshield".""" +import json, time, uuid, urllib.request, urllib.error +from datetime import datetime, timezone, timedelta + +CFG = json.load(open("./config.json")) +BASE = CFG["base_url"].rstrip("/") +WRITE_KEY = CFG["log_write_key"] +PARSER = "stormshield" + +# A handful of plausible variations +USERS = ["aimee.ndzodo", "luc.martin", "claire.dubois", "fatima.khelifi"] +SRCS = ["10.200.0.82", "10.200.0.91", "10.200.1.14", "10.200.2.55"] +DSTS = [("192.168.10.7","53","dns_udp","53"), + ("192.168.10.7","53","dns_udp","53"), + ("8.8.8.8","53","dns_udp","53"), + ("1.1.1.1","443","https","443")] +ACTIONS = ["pass", "pass", "pass", "block"] + + +def _local_now(): + tz = datetime.now(timezone.utc).astimezone().tzinfo + return datetime.now(tz).replace(microsecond=0) + + +def _ts(now): + syslog = now.strftime("%Y-%m-%dT%H:%M:%S%z") + syslog = syslog[:-2] + ":" + syslog[-2:] + time_ = now.strftime("%Y-%m-%d %H:%M:%S") + return syslog, time_ + + +def build_line(i): + now = _local_now() + timedelta(seconds=i) + syslog, time_ = _ts(now) + start = (now - timedelta(seconds=120)).strftime("%Y-%m-%d %H:%M:%S") + u, src, (dst, dport, dpname, dportname), act = USERS[i % 4], SRCS[i % 4], DSTS[i % 4], ACTIONS[i % 4] + sport = 50000 + i * 137 + return ( + f'<14>1 {syslog} stormshield-v.univ-evry.fr asqd - - - ' + f'?id=firewall time="{time_}" fw="stormshield-v.univ-evry.fr" ' + f'tz=+0200 startime="{start}" pri=5 confid=01 slotlevel=2 ruleid={34+i} ' + f'rulename="17209b9db27_{i+1}" user="{u}" domain="ueve.local" ' + f'srcif="sslvpn0" srcifname="sslvpn" ipproto=udp dstif="Ethernet1" dstifname="in" ' + f'proto={dpname} src={src} srcport={sport} srcportname=ephemeral_fw_udp ' + f'dst={dst} dstport={dport} dstportname={dportname} dstname=resolver.example.com ' + f'modsrc={src} modsrcport={sport} origdst={dst} origdstport={dport} ' + f'ipv=4 sent={80+i*8} rcvd={196+i*16} duration=0.0{i} action={act} logtype="connection"' + ) + + +def send_one(body, idx): + nonce = str(uuid.uuid4()) + req = urllib.request.Request( + f"{BASE}/api/uploadLogs", + method="POST", + data=body.encode(), + headers={ + "Authorization": f"Bearer {WRITE_KEY}", + "Content-Type": "text/plain", + "parser": PARSER, + "Nonce": nonce, + }, + ) + try: + with urllib.request.urlopen(req, timeout=30) as r: + print(f"[{idx}] HTTP {r.status} nonce={nonce[:8]}… body=`{body[:90]}...`") + return r.status + except urllib.error.HTTPError as e: + print(f"[{idx}] HTTP {e.code} {e.read().decode()[:120]}") + return e.code + + +def main(): + n = 4 + print(f"Sending {n} Stormshield events to {BASE} ...") + for i in range(n): + send_one(build_line(i), i) + time.sleep(1) + print(f"\nDone. Wait ~30-60s, then in https://demo.sentinelone.net search:") + print(f" parser=\"stormshield\"") + print("or run:") + print(f" parser='stormshield' | sort -timestamp | limit 10") + + +if __name__ == "__main__": + main() diff --git a/tools/stormshield-verify/test.py b/tools/stormshield-verify/test.py new file mode 100644 index 0000000..a4dc406 --- /dev/null +++ b/tools/stormshield-verify/test.py @@ -0,0 +1,181 @@ +#!/usr/bin/env python3 +""" +End-to-end test that the Stormshield parser is actually applied at ingest by +SentinelOne SDL. + +1. POSTs a raw Stormshield syslog line to /api/uploadLogs with `parser: stormshield`. +2. Polls SDL with PowerQuery to find the event we just ingested. +3. Inspects which OCSF fields are populated to confirm SDL parsed it correctly. + +Requires: log_write_key + log_read_key in ./config.json (see config.example.json) +""" +from __future__ import annotations +import json, time, uuid, urllib.request, urllib.error, sys, os + +CFG_PATH = "./config.json" +PARSER = "stormshield" +SERVER_HOST = f"siemtoolkit-test-{int(time.time())}" # unique tag to find our event back + +# Use current timestamps so events show up under "now" in the SDL console. +# The parser extracts `time="..."` as the canonical event timestamp via +# $timestamp=tsPattern$, so we must rewrite that field (not just the syslog +# header) to see the event under recent activity in https://demo.sentinelone.net. +from datetime import datetime, timezone, timedelta +import time as _time +_local_tz = datetime.now(timezone.utc).astimezone().tzinfo +_now = datetime.now(_local_tz).replace(microsecond=0) +_start = _now - timedelta(minutes=2) +SYSLOG_TS = _now.strftime("%Y-%m-%dT%H:%M:%S%z") # 2026-05-22T16:32:00+0200 +SYSLOG_TS = SYSLOG_TS[:-2] + ":" + SYSLOG_TS[-2:] # → 2026-05-22T16:32:00+02:00 +TIME_TS = _now.strftime("%Y-%m-%d %H:%M:%S") +START_TS = _start.strftime("%Y-%m-%d %H:%M:%S") +TZ_OFFSET = _now.strftime("%z") # +0200 +TZ_OFFSET = TZ_OFFSET[:-2] + TZ_OFFSET[-2:] # keep +0200 form + +LOG_LINE = ( + f'<14>1 {SYSLOG_TS} stormshield-v.univ-evry.fr asqd - - - ' + f'?id=firewall time="{TIME_TS}" fw="stormshield-v.univ-evry.fr" ' + f'tz={TZ_OFFSET} startime="{START_TS}" pri=5 confid=01 slotlevel=2 ruleid=34 ' + 'rulename="17209b9db27_4" user="aimee.ndzodo" domain="ueve.local" ' + 'srcif="sslvpn0" srcifname="sslvpn" ipproto=udp dstif="Ethernet1" dstifname="in" ' + 'proto=dns_udp src=10.200.0.82 srcport=56637 srcportname=ephemeral_fw_udp ' + 'dst=192.168.10.7 dstport=53 dstportname=dns_udp dstname=hyperion.univ-evry.fr ' + 'modsrc=10.200.0.82 modsrcport=56637 origdst=192.168.10.7 origdstport=53 ' + 'ipv=4 sent=80 rcvd=196 duration=0.00 action=pass logtype="connection"' +) + + +def _http(method, url, *, headers=None, data=None, timeout=60): + req = urllib.request.Request(url, method=method, headers=headers or {}, data=data) + try: + with urllib.request.urlopen(req, timeout=timeout) as r: + return r.status, r.read().decode("utf-8", "replace") + except urllib.error.HTTPError as e: + return e.code, e.read().decode("utf-8", "replace") + + +def main(): + with open(CFG_PATH) as f: + cfg = json.load(f) + base = cfg["base_url"].rstrip("/") + write_key = cfg["log_write_key"] + read_key = cfg["log_read_key"] + + nonce = str(uuid.uuid4()) + headers = { + "Authorization": f"Bearer {write_key}", + "Content-Type": "text/plain", + "parser": PARSER, + "server-host": SERVER_HOST, + "Nonce": nonce, + } + + print("=" * 70) + print("STEP 1 — POST /api/uploadLogs") + print("=" * 70) + print(f" url = {base}/api/uploadLogs") + print(f" parser = {PARSER}") + print(f" server_host = {SERVER_HOST}") + print(f" nonce = {nonce}") + print(f" body bytes = {len(LOG_LINE)}") + print(f" embedded ts = time=\"{TIME_TS}\" (parser uses this as event time)") + print(f" log line = {LOG_LINE[:140]}...") + status, body = _http("POST", f"{base}/api/uploadLogs", + headers=headers, data=LOG_LINE.encode()) + print(f" -> HTTP {status}") + print(f" -> {body[:300]}") + if status >= 400: + sys.exit(f"uploadLogs failed: {status}") + + # ── STEP 3: poll for the event ────────────────────────────────────── + # SDL ingest is typically visible in ~5-30s but can take up to 2 min. + # Note: `server-host` HTTP header is overwritten to "uploadLogs" by SDL, + # and `parser.name` is None on uploadLogs-ingested events. The reliable + # filter is `parser='stormshield' and dataSource.name='Stormshield'` + # constrained by Nonce (echoed back as an attribute) for our exact upload. + query = ( + f"parser='{PARSER}' and dataSource.name='Stormshield' " + "| columns timestamp, dataSource.name, parser, " + "src_endpoint.ip, src_endpoint.port, dst_endpoint.ip, dst_endpoint.port, " + "actor.user.name, unmapped.action, unmapped.proto, unmapped.fw, " + "unmapped.rulename, unmapped.duration, message " + "| sort -timestamp | limit 5" + ) + + print("=" * 70) + print(f"STEP 2 — poll /api/powerQuery (up to 150s)") + print("=" * 70) + print(f" query = {query}\n") + + matches: list = [] + columns: list = [] + deadline = time.time() + 150 + waited = 0 + while time.time() < deadline: + time.sleep(10); waited += 10 + end_ms = int(time.time() * 1000) + start_ms = end_ms - 15 * 60 * 1000 + pq_body = {"query": query, "startTime": str(start_ms), "endTime": str(end_ms)} + status, body = _http( + "POST", + f"{base}/api/powerQuery", + headers={"Authorization": f"Bearer {read_key}", + "Content-Type": "application/json"}, + data=json.dumps(pq_body).encode(), + ) + if status != 200: + print(f" t+{waited:3d}s: HTTP {status} — {body[:200]}") + continue + result = json.loads(body) + columns = result.get("columns") or [] + values = result.get("values") or [] + n = result.get("matchingEvents", len(values)) + print(f" t+{waited:3d}s: matchingEvents={n}") + if values: + matches = [{"values": v} for v in values] + break + + if not matches: + print("\n No events found after 150s. Either ingest is slow today, " + "or the upload was rejected silently. Inspect upload response above.") + sys.exit(2) + + # The response uses a columns/values layout. Discover column order. + columns = result.get("columns") or [] + col_names = [c.get("name") if isinstance(c, dict) else str(c) for c in columns] + print(f"\ncolumns: {col_names}") + print(f"matches: {len(matches)}") + + print("\n" + "=" * 70) + print("STEP 4 — parse results, check OCSF fields are populated") + print("=" * 70) + + EXPECTED = { + "src_endpoint.ip": "10.200.0.82", + "src_endpoint.port": "56637", + "dst_endpoint.ip": "192.168.10.7", + "dst_endpoint.port": "53", + "actor.user.name": "aimee.ndzodo", + } + + for i, m in enumerate(matches, 1): + vals = m.get("values") or m + row = dict(zip(col_names, vals)) if isinstance(vals, list) else vals + print(f"\n--- match {i} ---") + for k in col_names: + v = row.get(k) + mark = "" + if k in EXPECTED: + mark = " ✅" if str(v) == EXPECTED[k] else f" ❌ (expected {EXPECTED[k]!r})" + print(f" {k:25s} = {v!r}{mark}") + + # Summary + hits = sum(1 for k, want in EXPECTED.items() if str(row.get(k)) == want) + print(f"\n OCSF rewrites populated: {hits}/{len(EXPECTED)}") + if hits == len(EXPECTED): + print(" → SDL parser applied the rewrites correctly. ✅") + else: + print(" → Some rewrites missing — the SDL parser may not have run.") + +if __name__ == "__main__": + main() diff --git a/tools/stormshield-verify/verify_query.py b/tools/stormshield-verify/verify_query.py new file mode 100644 index 0000000..2fc5ed5 --- /dev/null +++ b/tools/stormshield-verify/verify_query.py @@ -0,0 +1,69 @@ +#!/usr/bin/env python3 +"""Query SDL to verify recent Stormshield events landed and were parsed.""" +import json, time, urllib.request, sys + +CFG = json.load(open("./config.json")) +BASE = CFG["base_url"].rstrip("/") +READ_KEY = CFG["log_read_key"] + +now_ms = int(time.time() * 1000) +start_ms = now_ms - 15 * 60 * 1000 # last 15 minutes + +QUERY = ( + "parser='stormshield' " + "| columns timestamp, dataSource.name, parser, " + "src_endpoint.ip, src_endpoint.port, dst_endpoint.ip, dst_endpoint.port, " + "actor.user.name, unmapped.action, unmapped.proto, unmapped.fw, unmapped.rulename " + "| sort -timestamp | limit 10" +) + +body = json.dumps({ + "query": QUERY, + "startTime": str(start_ms), + "endTime": str(now_ms), +}).encode() + +req = urllib.request.Request( + f"{BASE}/api/powerQuery", + method="POST", + data=body, + headers={ + "Authorization": f"Bearer {READ_KEY}", + "Content-Type": "application/json", + }, +) +with urllib.request.urlopen(req, timeout=60) as r: + resp = json.loads(r.read()) + +cols = [c["name"] for c in resp.get("columns", [])] +values = resp.get("values", []) +total = resp.get("matchingEvents", len(values)) + +print(f"query = {QUERY}") +print(f"window = last 15 min") +print(f"matchingEvents = {total}") +print(f"cols = {cols}") +print() + +if not values: + print("No events visible yet. SDL ingest can take 30-90s; re-run verify_query.py in a minute.") + sys.exit(1) + +print(f"{'timestamp(ns)':>20} {'src':<16} {'sport':<6} -> {'dst':<16} {'dport':<6} {'user':<20} {'action':<8} {'proto':<8}") +print("-" * 110) +for row in values: + d = dict(zip(cols, row)) + print( + f"{d.get('timestamp',''):>20} " + f"{str(d.get('src_endpoint.ip','')):<16} " + f"{str(d.get('src_endpoint.port','')):<6} -> " + f"{str(d.get('dst_endpoint.ip','')):<16} " + f"{str(d.get('dst_endpoint.port','')):<6} " + f"{str(d.get('actor.user.name','')):<20} " + f"{str(d.get('unmapped.action','')):<8} " + f"{str(d.get('unmapped.proto','')):<8}" + ) + +print() +print("✅ Events are visible in the SDL data lake under parser='stormshield'") +print(" Search in https://demo.sentinelone.net with: parser=\"stormshield\"")