From a9dcf48e65432032ac77ac6596f7d9e29fff73a6 Mon Sep 17 00:00:00 2001 From: marc Date: Fri, 22 May 2026 14:11:39 +0200 Subject: [PATCH] Snapshot 95 demo-tenant parsers (incl. stormshield) + un-ignore parsers/ The original upstream gitignores parsers/* on the assumption that each tenant has its own set. This fork commits a working snapshot so the Parser Test Runner and Parser Coverage features are usable out of the box. Stormshield parser exercises the new SDL key=value scanner, pattern references, and JS-style unquoted format keys added to backend/routers/quality.py. --- .gitignore | 7 +- parsers/Avelios-Medical-OCSF | 77 ++ parsers/CheckPoint-OCSF | 277 ++++ parsers/Darktrace-JSON-OCSF | 135 ++ parsers/Darktrace-OCSF | 173 +++ parsers/Developer-Workstation-OCSF | 118 ++ parsers/EntraID-OCSF | 87 ++ parsers/F5APM-OCSF | 84 ++ parsers/F5BigIP-OCSF | 86 ++ parsers/FortiGate-OCSF | 72 + parsers/HANADatabase-OCSF | 170 +++ parsers/ISCBIND-OCSF | 90 ++ parsers/LinuxOS-OCSF | 152 +++ parsers/MicrosoftDHCP-OCSF | 61 + parsers/MicrosoftDNS-OCSF | 48 + parsers/Omniconnect-OCSF | 88 ++ parsers/OracleRDBMS-OCSF | 62 + parsers/PaloAlto-OCSF | 72 + parsers/QRadar-OCSF | 58 + parsers/SIMGeneric-OCSF | 74 ++ parsers/WatchGuard-OCSF | 70 + parsers/WindowsSecurity-OCSF | 103 ++ parsers/alerts | 106 ++ parsers/aws_cloudtrail-latest | 327 +++++ parsers/bsi-nis2-healthcare-overview | 585 +++++++++ parsers/checkpoint | 385 ++++++ parsers/cisco_duo-latest | 181 +++ parsers/cisco_ise_logs-latest | 77 ++ parsers/cisco_umbrella-latest | 25 + parsers/claude_test_mikrotik | 136 ++ parsers/crowdstrike_falcon-latest | 363 +++++ parsers/darktrace_darktrace_logs-latest | 70 + parsers/f5_networks_logs-latest | 26 + .../fortinet_fortigate_candidate_logs-latest | 316 +++++ parsers/github_audit-latest | 75 ++ parsers/harness_ci-latest | 261 ++++ parsers/hashicorp_vault-latest | 287 ++++ parsers/imperva_waf_logs-latest | 84 ++ parsers/json-app-logs | 80 ++ parsers/marcparser | 59 + parsers/marcpfsense | 63 + parsers/microsoft_365_collaboration-latest | 147 +++ parsers/microsoft_azuread-latest | 327 +++++ parsers/microsoft_windows_eventlog-latest | 39 + parsers/mikrotik | 436 ++++++ parsers/netskope_netskope_logs-latest | 410 ++++++ parsers/npm_typosquats | 30 + parsers/ocsf-checkpoint | 197 +++ parsers/ocsf-entra-id | 242 ++++ parsers/ocsf-f5-apm | 312 +++++ parsers/ocsf-f5-bigip | 223 ++++ parsers/ocsf-fortigate | 169 +++ parsers/ocsf-hana-db | 308 +++++ parsers/ocsf-isc-bind | 259 ++++ parsers/ocsf-linux-os | 406 ++++++ parsers/ocsf-mitre-attack | 1 + parsers/ocsf-mitre-coverage | 160 +++ parsers/ocsf-mitre-coverage-v2 | 160 +++ parsers/ocsf-ms-dhcp | 163 +++ parsers/ocsf-ms-dns | 113 ++ parsers/ocsf-oracle-rdbms | 184 +++ parsers/ocsf-paloalto | 158 +++ parsers/ocsf-qradar | 96 ++ parsers/ocsf-security-overview | 84 ++ parsers/ocsf-security-overview-v2 | 221 ++++ parsers/ocsf-sim-generic | 184 +++ parsers/ocsf-threat-detection | 73 + parsers/ocsf-threat-detection-v2 | 93 ++ parsers/ocsf-watchguard | 216 +++ parsers/ocsf-windows-security | 219 +++ parsers/okta_authentication-latest | 291 ++++ parsers/paloalto_firewall-latest | 1169 +++++++++++++++++ parsers/pingone_mfa-latest | 289 ++++ parsers/pingprotect-latest | 309 +++++ parsers/proofpoint_proofpoint_logs-latest | 85 ++ parsers/sdl_skill_smoke_1776702106 | 1 + parsers/searches | 12 + parsers/sentinelone_endpoint-latest | 466 +++++++ parsers/sophos | 447 +++++++ parsers/sophos-edr | 33 + parsers/stormshield | 58 + parsers/ueba-healthcare | 204 +++ parsers/ueba_alerts | 1 + parsers/ueba_baselines_entity | 1 + parsers/ueba_baselines_peer | 1 + parsers/ueba_entity_risk | 1 + parsers/ueba_family_scores_hourly | 1 + parsers/ueba_feature_scores_hourly | 1 + parsers/ueba_features_hourly | 1 + parsers/ueba_peer_membership | 1 + parsers/ueba_smoke_test | 4 + parsers/ueba_test_default | 13 + parsers/ueba_test_merge | 13 + parsers/ueba_test_same_feat_merge | 13 + parsers/ueba_test_same_feat_replace | 13 + parsers/zscaler_logs-latest | 19 + 96 files changed, 14742 insertions(+), 5 deletions(-) create mode 100644 parsers/Avelios-Medical-OCSF create mode 100644 parsers/CheckPoint-OCSF create mode 100644 parsers/Darktrace-JSON-OCSF create mode 100644 parsers/Darktrace-OCSF create mode 100644 parsers/Developer-Workstation-OCSF create mode 100644 parsers/EntraID-OCSF create mode 100644 parsers/F5APM-OCSF create mode 100644 parsers/F5BigIP-OCSF create mode 100644 parsers/FortiGate-OCSF create mode 100644 parsers/HANADatabase-OCSF create mode 100644 parsers/ISCBIND-OCSF create mode 100644 parsers/LinuxOS-OCSF create mode 100644 parsers/MicrosoftDHCP-OCSF create mode 100644 parsers/MicrosoftDNS-OCSF create mode 100644 parsers/Omniconnect-OCSF create mode 100644 parsers/OracleRDBMS-OCSF create mode 100644 parsers/PaloAlto-OCSF create mode 100644 parsers/QRadar-OCSF create mode 100644 parsers/SIMGeneric-OCSF create mode 100644 parsers/WatchGuard-OCSF create mode 100644 parsers/WindowsSecurity-OCSF create mode 100644 parsers/alerts create mode 100644 parsers/aws_cloudtrail-latest create mode 100644 parsers/bsi-nis2-healthcare-overview create mode 100644 parsers/checkpoint create mode 100644 parsers/cisco_duo-latest create mode 100644 parsers/cisco_ise_logs-latest create mode 100644 parsers/cisco_umbrella-latest create mode 100644 parsers/claude_test_mikrotik create mode 100644 parsers/crowdstrike_falcon-latest create mode 100644 parsers/darktrace_darktrace_logs-latest create mode 100644 parsers/f5_networks_logs-latest create mode 100644 parsers/fortinet_fortigate_candidate_logs-latest create mode 100644 parsers/github_audit-latest create mode 100644 parsers/harness_ci-latest create mode 100644 parsers/hashicorp_vault-latest create mode 100644 parsers/imperva_waf_logs-latest create mode 100644 parsers/json-app-logs create mode 100644 parsers/marcparser create mode 100644 parsers/marcpfsense create mode 100644 parsers/microsoft_365_collaboration-latest create mode 100644 parsers/microsoft_azuread-latest create mode 100644 parsers/microsoft_windows_eventlog-latest create mode 100644 parsers/mikrotik create mode 100644 parsers/netskope_netskope_logs-latest create mode 100644 parsers/npm_typosquats create mode 100644 parsers/ocsf-checkpoint create mode 100644 parsers/ocsf-entra-id create mode 100644 parsers/ocsf-f5-apm create mode 100644 parsers/ocsf-f5-bigip create mode 100644 parsers/ocsf-fortigate create mode 100644 parsers/ocsf-hana-db create mode 100644 parsers/ocsf-isc-bind create mode 100644 parsers/ocsf-linux-os create mode 100644 parsers/ocsf-mitre-attack create mode 100644 parsers/ocsf-mitre-coverage create mode 100644 parsers/ocsf-mitre-coverage-v2 create mode 100644 parsers/ocsf-ms-dhcp create mode 100644 parsers/ocsf-ms-dns create mode 100644 parsers/ocsf-oracle-rdbms create mode 100644 parsers/ocsf-paloalto create mode 100644 parsers/ocsf-qradar create mode 100644 parsers/ocsf-security-overview create mode 100644 parsers/ocsf-security-overview-v2 create mode 100644 parsers/ocsf-sim-generic create mode 100644 parsers/ocsf-threat-detection create mode 100644 parsers/ocsf-threat-detection-v2 create mode 100644 parsers/ocsf-watchguard create mode 100644 parsers/ocsf-windows-security create mode 100644 parsers/okta_authentication-latest create mode 100644 parsers/paloalto_firewall-latest create mode 100644 parsers/pingone_mfa-latest create mode 100644 parsers/pingprotect-latest create mode 100644 parsers/proofpoint_proofpoint_logs-latest create mode 100644 parsers/sdl_skill_smoke_1776702106 create mode 100644 parsers/searches create mode 100644 parsers/sentinelone_endpoint-latest create mode 100644 parsers/sophos create mode 100644 parsers/sophos-edr create mode 100644 parsers/stormshield create mode 100644 parsers/ueba-healthcare create mode 100644 parsers/ueba_alerts create mode 100644 parsers/ueba_baselines_entity create mode 100644 parsers/ueba_baselines_peer create mode 100644 parsers/ueba_entity_risk create mode 100644 parsers/ueba_family_scores_hourly create mode 100644 parsers/ueba_feature_scores_hourly create mode 100644 parsers/ueba_features_hourly create mode 100644 parsers/ueba_peer_membership create mode 100644 parsers/ueba_smoke_test create mode 100644 parsers/ueba_test_default create mode 100644 parsers/ueba_test_merge create mode 100644 parsers/ueba_test_same_feat_merge create mode 100644 parsers/ueba_test_same_feat_replace create mode 100644 parsers/zscaler_logs-latest diff --git a/.gitignore b/.gitignore index aba9209..2be6c64 100644 --- a/.gitignore +++ b/.gitignore @@ -6,10 +6,7 @@ node_modules/ .next/ frontend/out/ pgdata/ -parsers/*.json data/ -# Tenant-synced parsers (downloaded via /api/quality/sync-from-sdl) - -# do not commit; each tenant generates its own set -parsers/* -!parsers/.gitkeep +# Parsers ARE committed in this fork (snapshot of the demo tenant). +# .env still excluded for safety. diff --git a/parsers/Avelios-Medical-OCSF b/parsers/Avelios-Medical-OCSF new file mode 100644 index 0000000..b11d684 --- /dev/null +++ b/parsers/Avelios-Medical-OCSF @@ -0,0 +1,77 @@ +{ + // Avelios Medical OCSF Parser - OCSF v1.3.0 + // Hospital Information System (HIS) - BSI / NIS2 compliance events + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Avelios", + "metadata.product.name": "Avelios Medical HIS", + "metadata.log_provider": "hec", + "Category": "healthcare", + "dataSource.vendor": "Avelios", + "dataSource.name": "Avelios Medical", + "dataSource.category": "Healthcare" + }, + + formats: [ + { + // Auto-extract every JSON top-level field as an attribute + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // ─── OCSF classification by event_category ────────────────────── + { input: "event_category", output: "category_uid", match: "authentication", replace: "3" }, + { input: "event_category", output: "category_name", match: "authentication", replace: "Identity & Access Management" }, + { input: "event_category", output: "class_uid", match: "authentication", replace: "3002" }, + { input: "event_category", output: "class_name", match: "authentication", replace: "Authentication" }, + + { input: "event_category", output: "category_uid", match: "patient_access", replace: "6" }, + { input: "event_category", output: "category_name", match: "patient_access", replace: "Application Activity" }, + { input: "event_category", output: "class_uid", match: "patient_access", replace: "6001" }, + { input: "event_category", output: "class_name", match: "patient_access", replace: "Web Resources Activity" }, + + { input: "event_category", output: "category_uid", match: "administrative", replace: "6" }, + { input: "event_category", output: "category_name", match: "administrative", replace: "Application Activity" }, + { input: "event_category", output: "class_uid", match: "administrative", replace: "6001" }, + { input: "event_category", output: "class_name", match: "administrative", replace: "Web Resources Activity" }, + + { input: "event_category", output: "category_uid", match: "data_transfer", replace: "4" }, + { input: "event_category", output: "category_name", match: "data_transfer", replace: "Network Activity" }, + { input: "event_category", output: "class_uid", match: "data_transfer", replace: "4001" }, + { input: "event_category", output: "class_name", match: "data_transfer", replace: "Network Activity" }, + + { input: "event_category", output: "category_uid", match: "security", replace: "2" }, + { input: "event_category", output: "category_name", match: "security", replace: "Findings" }, + { input: "event_category", output: "class_uid", match: "security", replace: "2001" }, + { input: "event_category", output: "class_name", match: "security", replace: "Security Finding" }, + + { input: "event_category", output: "category_uid", match: "system", replace: "6" }, + { input: "event_category", output: "category_name", match: "system", replace: "Application Activity" }, + { input: "event_category", output: "class_uid", match: "system", replace: "6007" }, + { input: "event_category", output: "class_name", match: "system", replace: "Application Lifecycle" }, + + // ─── Severity mapping (string + OCSF int 0-6) ─────────────────── + { input: "severity", output: "severity_id", match: "(?i)critical", replace: "6" }, + { input: "severity", output: "severity_id", match: "(?i)high", replace: "5" }, + { input: "severity", output: "severity_id", match: "(?i)medium", replace: "4" }, + { input: "severity", output: "severity_id", match: "(?i)low", replace: "2" }, + { input: "severity", output: "severity_id", match: "(?i)info", replace: "1" }, + { input: "severity", output: "severity_str", match: ".*", replace: "$0" }, + + // ─── Status mapping ───────────────────────────────────────────── + { input: "outcome", output: "status_id", match: "success", replace: "1" }, + { input: "outcome", output: "status_id", match: "failure", replace: "2" }, + { input: "outcome", output: "status_id", match: "detected", replace: "2" }, + { input: "outcome", output: "status", match: ".*", replace: "$0" }, + + // ─── Activity / message ───────────────────────────────────────── + { input: "event_type", output: "activity_name", match: ".*", replace: "$0" }, + { input: "event_type", output: "finding_info.title", match: ".*", replace: "$0" }, + { input: "event_id", output: "finding_info.uid", match: ".*", replace: "$0" }, + { input: "timestamp", output: "finding_info.created_time_dt", match: ".*", replace: "$0" }, + + // ─── Compliance tags (BSI / NIS2 / GDPR) ──────────────────────── + { input: "event_category", output: "compliance.standard", match: ".*", replace: "BSI-Grundschutz,NIS2,GDPR" } + ] + } + ] +} diff --git a/parsers/CheckPoint-OCSF b/parsers/CheckPoint-OCSF new file mode 100644 index 0000000..0322516 --- /dev/null +++ b/parsers/CheckPoint-OCSF @@ -0,0 +1,277 @@ +{ + // Check Point pipe-delimited parser — OCSF v1.3.0 (v3: Gateway + Mgmt) + // + // Discrimination is done via the `format:` string (Scalyr ignores `match:`). + // Rules are ordered most-specific → most-generic with halt:true. + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Check Point", + "metadata.product.name": "Quantum Security", + "metadata.log_provider": "syslog", + "Category": "security", + "dataSource.vendor": "Check Point", + "dataSource.name": "Check Point" + }, + + patterns: { + word: "[^|]+", + num: "\\d+", + ip: "\\d+\\.\\d+\\.\\d+\\.\\d+" + }, + + formats: [ + + // 1. MGMT — SmartCenter Server + { + id: "cp_mgmt_smartcenter", + attributes: { + "dataSource.category": "management", + category_uid: 6, category_name: "Application Activity", + class_uid: 6003, class_name: "API Activity", + activity_id: 3, activity_name: "Update", + type_uid: 600303, + severity_id: 2, severity: "Low", + status_id: 1, status: "Success" + }, + format: ".*[|]product=SmartCenter Server.*", + halt: true, + rewrites: [ + { input: "message", output: "user_name", match: ".*[|]administrator=([^|]*).*", replace: "$1" }, + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "device_host", match: ".*[|]origin=([^|]+).*", replace: "$1" }, + { input: "message", output: "object_name", match: ".*[|]objectname=([^|]+).*", replace: "$1" }, + { input: "message", output: "object_type", match: ".*[|]objecttype=([^|]+).*", replace: "$1" }, + { input: "message", output: "client_name", match: ".*[|]client_name=([^|]+).*", replace: "$1" }, + { input: "message", output: "operation", match: ".*[|]operation=([^|]+).*", replace: "$1" }, + { input: "operation", output: "finding_title", match: "(.*)", replace: "Check Point Management Audit: $1" } + ] + }, + + // 2. MGMT — Multi-Domain Server + { + id: "cp_mgmt_mds", + attributes: { + "dataSource.category": "management", + category_uid: 6, category_name: "Application Activity", + class_uid: 6003, class_name: "API Activity", + activity_id: 1, activity_name: "Create", + type_uid: 600301, + severity_id: 2, severity: "Low", + status_id: 1, status: "Success" + }, + format: ".*[|]product=Multi-Domain Server.*", + halt: true, + rewrites: [ + { input: "message", output: "user_name", match: ".*[|]administrator=([^|]*).*", replace: "$1" }, + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "device_host", match: ".*[|]origin=([^|]+).*", replace: "$1" }, + { input: "message", output: "operation", match: ".*[|]operation=([^|]+).*", replace: "$1" }, + { input: "operation", output: "finding_title", match: "(.*)", replace: "Check Point Management Audit: $1" } + ] + }, + + // 3. MGMT — Endpoint Security Mgmt + { + id: "cp_mgmt_endpoint", + attributes: { + "dataSource.category": "management", + category_uid: 6, category_name: "Application Activity", + class_uid: 6003, class_name: "API Activity", + activity_id: 3, activity_name: "Update", + type_uid: 600303, + severity_id: 2, severity: "Low", + status_id: 1, status: "Success" + }, + format: ".*[|]product=Endpoint Security Management.*", + halt: true, + rewrites: [ + { input: "message", output: "user_name", match: ".*[|]administrator=([^|]*).*", replace: "$1" }, + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "device_host", match: ".*[|]origin=([^|]+).*", replace: "$1" }, + { input: "message", output: "object_name", match: ".*[|]objectname=([^|]+).*", replace: "$1" }, + { input: "message", output: "operation", match: ".*[|]operation=([^|]+).*", replace: "$1" }, + { input: "operation", output: "finding_title", match: "(.*)", replace: "Check Point Management Audit: $1" } + ] + }, + + // 4. IPS — discriminator: protection_type=ips + { + id: "cp_ips", + attributes: { + "dataSource.category": "ids", + category_uid: 2, category_name: "Findings", + class_uid: 2004, class_name: "Detection Finding", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + severity_id: 4, severity: "High", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*[|]protection_type=ips.*", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" }, + { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" }, + { input: "message", output: "attack", match: ".*[|]attack=([^|]+).*", replace: "$1" }, + { input: "message", output: "protection", match: ".*[|]protection_name=([^|]+).*", replace: "$1" }, + { input: "message", output: "cp_severity", match: ".*[|]severity=([^|]+).*", replace: "$1" }, + { input: "cp_severity", output: "severity", match: "(?si)^\\s*critical\\s*$", replace: "Critical" }, + { input: "cp_severity", output: "severity_id", match: "(?si)^\\s*critical\\s*$", replace: "5" }, + { input: "attack", output: "finding_title", match: "(?i).*", replace: "Check Point IPS: $0" } + ] + }, + + // 5. ANTI-BOT / AV / TE — discriminator: malware_family=… + { + id: "cp_antibot_av", + attributes: { + "dataSource.category": "antivirus", + category_uid: 2, category_name: "Findings", + class_uid: 2004, class_name: "Detection Finding", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*[|]malware_family=$malware_family=word$.*", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "malware_name", match: ".*[|]malware_name=([^|]+).*", replace: "$1" }, + { input: "message", output: "malware_action", match: ".*[|]malware_action=([^|]+).*", replace: "$1" }, + { input: "message", output: "ioc_url", match: ".*[|]resource=([^|]+).*", replace: "$1" }, + { input: "message", output: "cp_action", match: ".*[|]action=([^|]+).*", replace: "$1" }, + { input: "cp_action", output: "disposition", match: "(?i)^detect$", replace: "Allowed" }, + { input: "cp_action", output: "disposition_id", match: "(?i)^detect$", replace: "1" }, + { input: "malware_name", output: "finding_title", match: "(?i).*", replace: "Check Point Malware: $0" } + ] + }, + + // 6. APP CTRL / URL FILTERING — discriminator: app_name=… + { + id: "cp_app_control", + attributes: { + "dataSource.category": "application", + category_uid: 4, category_name: "Network Activity", + class_uid: 4002, class_name: "HTTP Activity", + activity_id: 1, activity_name: "Connection", + type_uid: 400201, + severity_id: 2, severity: "Low", + disposition_id: 1, disposition: "Allowed" + }, + format: ".*[|]app_name=$app_name=word$.*", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" }, + { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" }, + { input: "message", output: "app_category", match: ".*[|]app_category=([^|]+).*", replace: "$1" }, + { input: "message", output: "app_risk", match: ".*[|]app_risk=([^|]+).*", replace: "$1" }, + { input: "message", output: "user_name", match: ".*[|]user=([^|]+).*", replace: "$1" }, + { input: "message", output: "url", match: ".*[|]resource=([^|]+).*", replace: "$1" }, + { input: "message", output: "cp_action", match: ".*[|]action=([^|]+).*", replace: "$1" }, + { input: "cp_action", output: "disposition", match: "(?i)^drop$|^reject$", replace: "Blocked" }, + { input: "cp_action", output: "disposition_id", match: "(?i)^drop$|^reject$", replace: "2" } + ] + }, + + // 7. FW Drop fallback — discriminator: action=Drop + { + id: "cp_drop", + attributes: { + "dataSource.category": "firewall", + category_uid: 2, category_name: "Findings", + class_uid: 2004, class_name: "Detection Finding", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + finding_title: "Check Point Firewall Drop", + severity_id: 3, severity: "Medium", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*[|]action=Drop.*", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" }, + { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" }, + { input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*", replace: "$1" } + ] + }, + + // 8. FW Reject — discriminator: action=Reject + { + id: "cp_reject", + attributes: { + "dataSource.category": "firewall", + category_uid: 2, category_name: "Findings", + class_uid: 2004, class_name: "Detection Finding", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + finding_title: "Check Point Firewall Reject", + severity_id: 3, severity: "Medium", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*[|]action=Reject.*", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" }, + { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" }, + { input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*", replace: "$1" } + ] + }, + + // 9. FW Accept — discriminator: action=Accept + { + id: "cp_accept", + attributes: { + "dataSource.category": "firewall", + category_uid: 4, category_name: "Network Activity", + class_uid: 4001, class_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106, + disposition_id: 1, disposition: "Allowed", + severity_id: 1, severity: "Informational" + }, + format: ".*[|]action=Accept.*", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" }, + { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" }, + { input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*", replace: "$1" } + ] + }, + + // 10. CATCH-ALL — any Check Point log not matched above + { + id: "cp_catchall", + attributes: { + "dataSource.category": "security", + category_uid: 5, category_name: "Discovery", + class_uid: 5001, class_name: "Device Inventory Info", + activity_id: 1, activity_name: "Log", + type_uid: 500101, + severity_id: 1, severity: "Informational" + }, + format: ".*time=\\d+[|].*", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" }, + { input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" }, + { input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*", replace: "$1" }, + { input: "message", output: "cp_product", match: ".*[|]product=([^|]+).*", replace: "$1" }, + { input: "message", output: "cp_action", match: ".*[|]action=([^|]+).*", replace: "$1" } + ] + } + + ] +} diff --git a/parsers/Darktrace-JSON-OCSF b/parsers/Darktrace-JSON-OCSF new file mode 100644 index 0000000..2d50d61 --- /dev/null +++ b/parsers/Darktrace-JSON-OCSF @@ -0,0 +1,135 @@ +{ + // Darktrace JSON parser - OCSF v1.3.0 + // Handles JSON-formatted Darktrace events from serverHost='darktrace_darktrace_logs-latest' + // + // Supports: + // 1. Model Breach events (with "model.name", "device.*", "score") + // 2. AI Analyst Incidents (with "summary", "title", "incidentId", "groupSeverity") + // + // Maps to OCSF Detection Finding (class_uid 2004) for Library Detection compatibility. + + attributes: { + "marc_ocsf_signature": "MARC-OCSF-PARSER-ACTIVE-77777", + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Darktrace", + "metadata.product.name": "Enterprise Immune System", + "metadata.log_provider": "darktrace-integration", + + "dataSource.vendor": "Darktrace", + "dataSource.name": "Darktrace", + "dataSource.category": "ndr", + + "category_uid": 2, + "category_name": "Findings", + "class_uid": 2004, + "class_name": "Detection Finding", + "type_uid": 200401, + "activity_id": 1, + + "event.type": "Create", + "event.category": "security", + + "status_id": 1, + "status": "New" + }, + + formats: [ + // ============================================================ + // 1. Model Breach (has "model.name" and "pbid") + // ============================================================ + { + id: "dt_model_breach_json", + attributes: { + finding_title: "Darktrace Model Breach" + }, + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // Extract nested JSON fields via regex on raw message (parse=json doesn't flatten nested) + { input: "message", output: "unmapped.model.then.name", + match: ".*\"model\"\\s*:\\s*\\{[^}]*\"name\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "model_name", + match: ".*\"model\"\\s*:\\s*\\{[^}]*\"name\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "finding_title", + match: ".*\"model\"\\s*:\\s*\\{[^}]*\"name\"\\s*:\\s*\"([^\"]+)\".*", replace: "Darktrace: $1" }, + + // Device → asset/host fields (extract from nested device object) + { input: "message", output: "src_ip", + match: ".*\"device\"\\s*:\\s*\\{[^}]*\"ip\"\\s*:\\s*\"([0-9.]+)\".*", replace: "$1" }, + { input: "message", output: "src_hostname", + match: ".*\"device\"\\s*:\\s*\\{[^}]*\"hostname\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "endpoint.name", + match: ".*\"device\"\\s*:\\s*\\{[^}]*\"hostname\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "endpoint.os", + match: ".*\"device\"\\s*:\\s*\\{[^}]*\"os\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "src_mac", + match: ".*\"device\"\\s*:\\s*\\{[^}]*\"mac\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + + // Score (0.0-1.0) → severity_id (OCSF 0-6) + { input: "score", output: "severity_id", match: "^0\\.[0-1].*", replace: "1" }, // Info + { input: "score", output: "severity_id", match: "^0\\.[2-3].*", replace: "2" }, // Low + { input: "score", output: "severity_id", match: "^0\\.[4-5].*", replace: "3" }, // Medium + { input: "score", output: "severity_id", match: "^0\\.[6-7].*", replace: "4" }, // High + { input: "score", output: "severity_id", match: "^0\\.[8-9].*", replace: "5" }, // Critical + { input: "score", output: "severity_id", match: "^1(\\.0)?$", replace: "5" }, // Critical + + { input: "score", output: "severity", match: "^0\\.[0-1].*", replace: "Informational" }, + { input: "score", output: "severity", match: "^0\\.[2-3].*", replace: "Low" }, + { input: "score", output: "severity", match: "^0\\.[4-5].*", replace: "Medium" }, + { input: "score", output: "severity", match: "^0\\.[6-7].*", replace: "High" }, + { input: "score", output: "severity", match: "^0\\.[8-9].*", replace: "Critical" }, + { input: "score", output: "severity", match: "^1(\\.0)?$", replace: "Critical" }, + + // IDs (top-level pbid works, nested model.id/uuid via regex) + { input: "pbid", output: "external_id", match: ".*", replace: "$0" }, + { input: "message", output: "rule_uid", + match: ".*\"model\"\\s*:\\s*\\{[^}]*\"id\"\\s*:\\s*([0-9]+).*", replace: "$1" }, + { input: "message", output: "rule_uuid", + match: ".*\"model\"\\s*:\\s*\\{[^}]*\"uuid\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + + // Timestamps + { input: "creationTime", output: "finding_info.created_time", match: ".*", replace: "$0" }, + { input: "time", output: "finding_info.last_seen_time", match: ".*", replace: "$0" } + ] + }, + + // ============================================================ + // 2. AI Analyst Incident (has "title", "summary", "incidentId") + // ============================================================ + { + id: "dt_aianalyst_json", + attributes: { + finding_title: "Darktrace AI Analyst Incident", + severity_id: 4, + severity: "High" + }, + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // Title → model name (so Library Detections can match) + { input: "title", output: "unmapped.model.then.name", match: ".*", replace: "AI Analyst / $0" }, + { input: "title", output: "model_name", match: ".*", replace: "AI Analyst / $0" }, + { input: "title", output: "finding_title", match: ".*", replace: "Darktrace AI Analyst: $0" }, + { input: "summary", output: "finding_info.desc", match: ".*", replace: "$0" }, + + // groupSeverity (0-100) → severity_id + { input: "groupSeverity", output: "severity_id", match: "^[0-1]?[0-9]$", replace: "1" }, // 0-19 = Info + { input: "groupSeverity", output: "severity_id", match: "^[2-3][0-9]$", replace: "2" }, // 20-39 = Low + { input: "groupSeverity", output: "severity_id", match: "^[4-5][0-9]$", replace: "3" }, // 40-59 = Medium + { input: "groupSeverity", output: "severity_id", match: "^[6-7][0-9]$", replace: "4" }, // 60-79 = High + { input: "groupSeverity", output: "severity_id", match: "^([8-9][0-9]|100)$", replace: "5" }, // 80-100 = Critical + + // First device IP/hostname from devices array (regex on raw message) + { input: "message", output: "src_ip", + match: ".*\"devices\"\\s*:\\s*\\[\\s*\\{[^}]*\"ip\"\\s*:\\s*\"([0-9.]+)\".*", replace: "$1" }, + { input: "message", output: "src_hostname", + match: ".*\"devices\"\\s*:\\s*\\[\\s*\\{[^}]*\"hostname\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "endpoint.name", + match: ".*\"devices\"\\s*:\\s*\\[\\s*\\{[^}]*\"hostname\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" }, + + // IDs + { input: "incidentId", output: "external_id", match: ".*", replace: "$0" } + ] + } + ] +} diff --git a/parsers/Darktrace-OCSF b/parsers/Darktrace-OCSF new file mode 100644 index 0000000..997ca38 --- /dev/null +++ b/parsers/Darktrace-OCSF @@ -0,0 +1,173 @@ +{ + // Darktrace CEF / syslog parser — OCSF v1.3.0 + // + // Supports the four canonical Darktrace log streams: + // 1. Model Breach → Detection Finding (severity from score) + // 2. AI Analyst Incident → Detection Finding (Critical) + // 3. Antigena (autonomous response) → Detection Finding (action: Blocked) + // 4. Admin / authentication events → Authentication (3002) + // + // Wire format is CEF: pipe-separated header + space-separated key=value extension. + // CEF:0|Darktrace|||||| + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Darktrace", + "metadata.product.name": "Enterprise Immune System", + "metadata.log_provider": "syslog", + "Category": "security", + "dataSource.vendor": "Darktrace", + "dataSource.name": "Darktrace", + "dataSource.category": "ndr", + "event.type": "Alert", + "event.category": "security", + "category_uid": 2, + "category_name": "Findings", + "class_uid": 2004, + "class_name": "Detection Finding", + "activity_id": 1, + "type_uid": 200401, + "severity_id": 3 + }, + + patterns: { + word: "[^ |]+", + phrase: "[^|]+", + rest: ".*", + num: "\\d+", + ip: "\\d+\\.\\d+\\.\\d+\\.\\d+", + ext: ".*" + }, + + formats: [ + // ============================================================ + // 1. MODEL BREACH — sigID 100, name="Model Breach" + // Example: + // CEF:0|Darktrace|DCIP|6.1|100|Model Breach|7|src=10.1.1.5 dst=8.8.8.8 + // spt=54321 dpt=443 cs1=Anomalous Connection / Suspicious Self-Signed SSL + // cs1Label=Model cn1=85 cn1Label=Score duser=jsmith deviceExternalId=12345 + // cs2=Compliance cs2Label=Category act=alert + // ============================================================ + { + id: "dt_model_breach", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Darktrace Model Breach", + "event.type": "Alert", "event.category": "security", + severity_id: 4, + severity: "High", + disposition_id: 1, disposition: "Allowed", + status_id: 1, status: "Detected" + }, + format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]100[|]Model Breach[|]$cef_severity=num$[|]$cef_extension=ext$", + halt: true, + rewrites: [ + // Pull common fields out of the CEF extension key=value bag + { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "src_port", match: ".*spt=(\\d+).*", replace: "$1" }, + { input: "message", output: "dst_port", match: ".*dpt=(\\d+).*", replace: "$1" }, + { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "device_id", match: ".*deviceExternalId=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "model_name", match: ".*cs1=([^=\\n]+?)\\s+\\w+=.*", replace: "$1" }, + { input: "message", output: "model_category",match: ".*cs2=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "score", match: ".*cn1=(\\d+).*", replace: "$1" }, + { input: "model_name", output: "finding_title", match: "(?i).*", + replace: "Darktrace Model Breach: $0" } + ] + }, + + // ============================================================ + // 2. AI ANALYST INCIDENT — sigID 200, name contains "AI Analyst" + // ============================================================ + { + id: "dt_aianalyst", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Darktrace AI Analyst Incident", + "event.type": "Alert", "event.category": "security", + severity_id: 5, severity: "Critical", + disposition_id: 1, disposition: "Allowed", + status_id: 1, status: "Detected" + }, + format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]200[|]$incident_name=phrase$[|]$cef_severity=num$[|]$cef_extension=ext$", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "device_id", match: ".*deviceExternalId=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "incident_id", match: ".*externalId=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "summary", match: ".*msg=([^=\\n]+?)(?:\\s+\\w+=.*|$)", replace: "$1" }, + { input: "incident_name", output: "finding_title",match: ".*", replace: "Darktrace $0" } + ] + }, + + // ============================================================ + // 3. ANTIGENA (Autonomous Response) — sigID 300 + // ============================================================ + { + id: "dt_antigena", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Darktrace Antigena Autonomous Action", + "event.type": "Action", "event.category": "security", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked", + status_id: 1, status: "Detected" + }, + format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]300[|]Antigena Action[|]$cef_severity=num$[|]$cef_extension=ext$", + halt: true, + rewrites: [ + { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "dst_ip", match: ".*dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }, + { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "device_id", match: ".*deviceExternalId=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "action", match: ".*act=([^ \\n]+).*", replace: "$1" } + ] + }, + + // ============================================================ + // 4. ADMIN / AUTH EVENTS — sigID 400 (login success/failure) + // ============================================================ + { + id: "dt_auth_fail", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + type_uid: 300201, activity_id: 1, + "event.type": "Login", "event.category": "authentication", + status_id: 2, status: "Failure", + finding_title: "Darktrace Admin Login Failure" + }, + format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]400[|]Admin Login Failure[|]$cef_severity=num$[|]$cef_extension=ext$", + halt: true, + rewrites: [ + { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" } + ] + }, + + { + id: "dt_auth_ok", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + type_uid: 300201, activity_id: 1, + "event.type": "Login", "event.category": "authentication", + status_id: 1, status: "Success" + }, + format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]400[|]Admin Login Success[|]$cef_severity=num$[|]$cef_extension=ext$", + halt: true, + rewrites: [ + { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" }, + { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" } + ] + } + ] +} diff --git a/parsers/Developer-Workstation-OCSF b/parsers/Developer-Workstation-OCSF new file mode 100644 index 0000000..81c4291 --- /dev/null +++ b/parsers/Developer-Workstation-OCSF @@ -0,0 +1,118 @@ +{ + // Developer-Workstation OCSF Parser — OCSF v1.3.0 + // Endpoint EDR-style events for software-supply-chain hunts (H1..H18) + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Synthetic", + "metadata.product.name": "Developer Workstation EDR", + "metadata.log_provider": "hec", + "Category": "endpoint", + "dataSource.vendor": "Synthetic", + "dataSource.name": "Developer Workstation", + "dataSource.category": "Endpoint" + }, + + formats: [ + { + // Auto-extract every JSON top-level + nested field as attributes. + // Nested objects flatten with dot-notation: process.image_name, + // endpoint.name, file.path, dns.query, registry.key_path, etc. + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // ─── OCSF classification by event_type ────────────────────────── + { input: "event_type", output: "category_uid", match: "PROCESS_START", replace: "1" }, + { input: "event_type", output: "category_name", match: "PROCESS_START", replace: "System Activity" }, + { input: "event_type", output: "class_uid", match: "PROCESS_START", replace: "1007" }, + { input: "event_type", output: "class_name", match: "PROCESS_START", replace: "Process Activity" }, + + { input: "event_type", output: "category_uid", match: "FILE_CREATE", replace: "1" }, + { input: "event_type", output: "category_name", match: "FILE_CREATE", replace: "System Activity" }, + { input: "event_type", output: "class_uid", match: "FILE_CREATE", replace: "1001" }, + { input: "event_type", output: "class_name", match: "FILE_CREATE", replace: "File System Activity" }, + + { input: "event_type", output: "category_uid", match: "FILE_WRITE", replace: "1" }, + { input: "event_type", output: "category_name", match: "FILE_WRITE", replace: "System Activity" }, + { input: "event_type", output: "class_uid", match: "FILE_WRITE", replace: "1001" }, + { input: "event_type", output: "class_name", match: "FILE_WRITE", replace: "File System Activity" }, + + { input: "event_type", output: "category_uid", match: "FILE_READ", replace: "1" }, + { input: "event_type", output: "category_name", match: "FILE_READ", replace: "System Activity" }, + { input: "event_type", output: "class_uid", match: "FILE_READ", replace: "1001" }, + { input: "event_type", output: "class_name", match: "FILE_READ", replace: "File System Activity" }, + + { input: "event_type", output: "category_uid", match: "DNS_QUERY", replace: "4" }, + { input: "event_type", output: "category_name", match: "DNS_QUERY", replace: "Network Activity" }, + { input: "event_type", output: "class_uid", match: "DNS_QUERY", replace: "4003" }, + { input: "event_type", output: "class_name", match: "DNS_QUERY", replace: "DNS Activity" }, + + { input: "event_type", output: "category_uid", match: "REGISTRY_SET", replace: "1" }, + { input: "event_type", output: "category_name", match: "REGISTRY_SET", replace: "System Activity" }, + { input: "event_type", output: "class_uid", match: "REGISTRY_SET", replace: "201101" }, + { input: "event_type", output: "class_name", match: "REGISTRY_SET", replace: "Registry Key Activity" }, + + // ─── Severity mapping (string + OCSF int 0-6) ─────────────────── + { input: "severity", output: "severity_id", match: "(?i)critical", replace: "6" }, + { input: "severity", output: "severity_id", match: "(?i)high", replace: "5" }, + { input: "severity", output: "severity_id", match: "(?i)medium", replace: "4" }, + { input: "severity", output: "severity_id", match: "(?i)low", replace: "2" }, + { input: "severity", output: "severity_id", match: "(?i)info", replace: "1" }, + { input: "severity", output: "severity_str", match: ".*", replace: "$0" }, + + // ─── Activity / finding ───────────────────────────────────────── + { input: "event_type", output: "activity_name", match: ".*", replace: "$0" }, + { input: "event_id", output: "finding_info.uid", match: ".*", replace: "$0" }, + { input: "timestamp", output: "finding_info.created_time_dt", match: ".*", replace: "$0" }, + + // ─── Compliance tags ───────────────────────────────────────── + { input: "event_type", output: "compliance.standard", match: ".*", replace: "NIS2,SLSA,SSDF" }, + + // ─── Explicit extraction of nested fields from the raw message blob + // (the auto-flatten only handles top-level keys; nested objects like + // process.image_name remain inside `message`). + { input: "message", output: "endpoint.name", + match: "^.*?\"endpoint\":\\s*\\{\"name\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "endpoint.os", + match: "^.*?\"endpoint\":\\s*\\{\"name\":\\s*\"[^\"]+\",\\s*\"os\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "actor.user.name", + match: "^.*?\"actor\":\\s*\\{\"user\":\\s*\\{\"name\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "process.image_name", + match: "^.*?\"process\":\\s*\\{\"image_name\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "process.image_path", + match: "^.*?\"process\":\\s*\\{\"image_name\":\\s*\"[^\"]+\",\\s*\"image_path\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "process.command_line", + match: "^.*?\"image_path\":\\s*\"[^\"]+\",\\s*\"command_line\":\\s*\"((?:[^\"\\\\]|\\\\.)*)\".*$", + replace: "$1" }, + { input: "message", output: "process.parent.image_name", + match: "^.*?\"parent\":\\s*\\{\"image_name\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "process.parent.command_line", + match: "^.*?\"parent\":\\s*\\{\"image_name\":\\s*\"[^\"]+\",\\s*\"command_line\":\\s*\"((?:[^\"\\\\]|\\\\.)*)\".*$", + replace: "$1" }, + { input: "message", output: "file.path", + match: "^.*?\"file\":\\s*\\{\"path\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "file.action", + match: "^.*?\"file\":\\s*\\{\"path\":\\s*\"[^\"]+\",\\s*\"action\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "file.content", + match: "^.*?\"content_sample\":\\s*\"((?:[^\"\\\\]|\\\\.)*)\".*$", + replace: "$1" }, + { input: "message", output: "dns.query", + match: "^.*?\"dns\":\\s*\\{\"query\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "registry.key_path", + match: "^.*?\"registry\":\\s*\\{\"key_path\":\\s*\"([^\"]+)\".*$", + replace: "$1" }, + { input: "message", output: "scenario", + match: "^.*?\"_scenario\":\\s*\"([^\"]+)\".*$", + replace: "$1" } + ] + } + ] +} diff --git a/parsers/EntraID-OCSF b/parsers/EntraID-OCSF new file mode 100644 index 0000000..2123b19 --- /dev/null +++ b/parsers/EntraID-OCSF @@ -0,0 +1,87 @@ +{ + // Microsoft Entra ID (Azure AD) JSON parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Microsoft", + "metadata.product.name": "Entra ID", + "metadata.log_provider": "azure-monitor", + "Category": "iam", + "dataSource.vendor": "Microsoft", + "dataSource.name": "Entra ID", + "dataSource.category": "identity", + "category_uid": 3, + "category_name": "IAM", + "class_uid": 3002, + "class_name": "Authentication", + "activity_id": 1, + "activity_name": "Logon", + "type_uid": 300201, + "status_id": 1, + "status": "Success", + "severity_id": 1, + "severity": "Informational" + }, + + formats: [ + { + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // Top-level fields + { input: "callerIpAddress", output: "src_endpoint.ip", match: ".*", replace: "$0" }, + { input: "callerIpAddress", output: "src_ip", match: ".*", replace: "$0" }, + { input: "tenantId", output: "tenant_id", match: ".*", replace: "$0" }, + { input: "correlationId", output: "correlation_id", match: ".*", replace: "$0" }, + { input: "category", output: "metadata.event_type", match: ".*", replace: "$0" }, + { input: "resultType", output: "result_code", match: ".*", replace: "$0" }, + { input: "resultDescription", output: "status_detail", match: ".*", replace: "$0" }, + { input: "identity", output: "actor.user.name", match: ".*", replace: "$0" }, + + // Status: errorCode 0 = Success, anything else = Failure + { input: "resultType", output: "status_id", match: "^0$", replace: "1" }, + { input: "resultType", output: "status", match: "^0$", replace: "Success" }, + { input: "resultType", output: "status_id", match: "^[1-9].*", replace: "2" }, + { input: "resultType", output: "status", match: "^[1-9].*", replace: "Failure" }, + { input: "resultType", output: "status_id", match: "^Success$", replace: "1" }, + { input: "resultType", output: "status", match: "^Success$", replace: "Success" }, + + // ═══════════ DETECTION FINDING PROMOTION ═══════════ + + // 1) High risk sign-in + { input: "riskLevelAggregated", output: "class_uid", match: "^high$", replace: "2004" }, + { input: "riskLevelAggregated", output: "class_name", match: "^high$", replace: "Detection Finding" }, + { input: "riskLevelAggregated", output: "category_uid", match: "^high$", replace: "2" }, + { input: "riskLevelAggregated", output: "category_name", match: "^high$", replace: "Findings" }, + { input: "riskLevelAggregated", output: "type_uid", match: "^high$", replace: "200401" }, + { input: "riskLevelAggregated", output: "finding_title", match: "^high$", replace: "Entra ID High-Risk Sign-In" }, + { input: "riskLevelAggregated", output: "finding_info.title", match: "^high$", replace: "Entra ID High-Risk Sign-In" }, + { input: "riskLevelAggregated", output: "severity_id", match: "^high$", replace: "5" }, + { input: "riskLevelAggregated", output: "severity", match: "^high$", replace: "Critical" }, + { input: "riskLevelAggregated", output: "severity_id", match: "^medium$", replace: "4" }, + { input: "riskLevelAggregated", output: "severity", match: "^medium$", replace: "High" }, + + // 2) Tor exit node detected (riskDetail field) + { input: "riskDetail", output: "class_uid", match: "(?i)^.*Tor.*$", replace: "2004" }, + { input: "riskDetail", output: "class_name", match: "(?i)^.*Tor.*$", replace: "Detection Finding" }, + { input: "riskDetail", output: "category_uid", match: "(?i)^.*Tor.*$", replace: "2" }, + { input: "riskDetail", output: "category_name", match: "(?i)^.*Tor.*$", replace: "Findings" }, + { input: "riskDetail", output: "type_uid", match: "(?i)^.*Tor.*$", replace: "200401" }, + { input: "riskDetail", output: "finding_title", match: "(?i)^.*Tor.*$", replace: "Entra ID Tor Exit Node Sign-In" }, + { input: "riskDetail", output: "finding_info.title", match: "(?i)^.*Tor.*$", replace: "Entra ID Tor Exit Node Sign-In" }, + { input: "riskDetail", output: "severity_id", match: "(?i)^.*Tor.*$", replace: "5" }, + { input: "riskDetail", output: "severity", match: "(?i)^.*Tor.*$", replace: "Critical" }, + + // 3) Failed authentication (resultType non-zero) + { input: "resultDescription", output: "class_uid", match: "(?i)^.*Invalid username or password.*$", replace: "2004" }, + { input: "resultDescription", output: "class_name", match: "(?i)^.*Invalid username or password.*$", replace: "Detection Finding" }, + { input: "resultDescription", output: "category_uid", match: "(?i)^.*Invalid username or password.*$", replace: "2" }, + { input: "resultDescription", output: "category_name", match: "(?i)^.*Invalid username or password.*$", replace: "Findings" }, + { input: "resultDescription", output: "type_uid", match: "(?i)^.*Invalid username or password.*$", replace: "200401" }, + { input: "resultDescription", output: "finding_title", match: "(?i)^.*Invalid username or password.*$", replace: "Entra ID Authentication Failure" }, + { input: "resultDescription", output: "finding_info.title", match: "(?i)^.*Invalid username or password.*$", replace: "Entra ID Authentication Failure" }, + { input: "resultDescription", output: "severity_id", match: "(?i)^.*Invalid username or password.*$", replace: "4" }, + { input: "resultDescription", output: "severity", match: "(?i)^.*Invalid username or password.*$", replace: "High" } + ] + } + ] +} diff --git a/parsers/F5APM-OCSF b/parsers/F5APM-OCSF new file mode 100644 index 0000000..d362b78 --- /dev/null +++ b/parsers/F5APM-OCSF @@ -0,0 +1,84 @@ +{ + // F5 BIG-IP APM (VPN/Access) parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "F5", + "metadata.product.name": "BIG-IP APM", + "metadata.log_provider": "syslog", + "Category": "iam", + "dataSource.vendor": "F5", + "dataSource.name": "BIG-IP APM", + "dataSource.category": "vpn", + "category_uid": 3, + "category_name": "IAM", + "class_uid": 3005, + "class_name": "User Access Management", + "activity_id": 1, + "type_uid": 300501, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + word: "\\S+", + untilC: "[^\\n]*?", + rest: ".*" + }, + + formats: [ + // Session authentication failed → Detection Finding (HIGH) + { + id: "apm_auth_fail", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "F5 APM Authentication Failure", + severity_id: 4, severity: "High", + disposition_id: 2, disposition: "Blocked", + status_id: 2, status: "Failure" + }, + format: ".*Session authentication failed - User: $user_name=word$ Client IP: $src_ip=ipv4$.*", + halt: true + }, + + // Access policy denied → Detection Finding + { + id: "apm_access_deny", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "F5 APM Access Policy Deny", + severity_id: 4, severity: "High", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*Access policy result: Deny.*$reason=rest$", + halt: true + }, + + // New session created + { + id: "apm_new_session", + attributes: { + class_uid: 3005, class_name: "User Access Management", + type_uid: 300501 + }, + format: ".*New session created - Client IP: $src_ip=ipv4$.*", + halt: true + }, + + // Successful AD auth + { + id: "apm_ad_success", + attributes: { + class_uid: 3002, class_name: "Authentication", + activity_id: 1, type_uid: 300201, + status_id: 1, status: "Success" + }, + format: ".*AD Auth query - User: $user_name=word$ Domain: $domain=word$.*Result: Success.*", + halt: true + } + ] +} diff --git a/parsers/F5BigIP-OCSF b/parsers/F5BigIP-OCSF new file mode 100644 index 0000000..86738ff --- /dev/null +++ b/parsers/F5BigIP-OCSF @@ -0,0 +1,86 @@ +{ + // F5 BIG-IP LTM iRule + ASM parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "F5", + "metadata.product.name": "BIG-IP LTM", + "metadata.log_provider": "syslog", + "Category": "network", + "dataSource.vendor": "F5", + "dataSource.name": "BIG-IP LTM", + "dataSource.category": "load-balancer", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4002, + "class_name": "HTTP Activity", + "activity_id": 1, + "type_uid": 400201, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + word: "\\S+", + untilSpace: "[^ ]+", + untilC: "[^\\n]*?", + rest: ".*" + }, + + formats: [ + // BLOCKED iRule WAF event → Detection Finding (CRITICAL) + { + id: "f5_blocked", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "F5 BIG-IP WAF Block", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*BLOCKED.*Client $src_ip=ipv4$:$src_port=word$.*", + halt: true + }, + + // SSL handshake failed → Detection Finding (MEDIUM) + { + id: "f5_ssl_fail", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "F5 SSL Handshake Failure", + severity_id: 3, severity: "Medium" + }, + format: ".*SSL Handshake failed for TCP $src_ip=ipv4$:$src_port=word$.*", + halt: true + }, + + // ASM violation (key=value style) + { + id: "f5_asm_violation", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "F5 ASM Web Application Attack", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*ASM:.*ip_client=\"$src_ip=ipv4$\".*", + halt: true + }, + + // Standard HTTP request (informational) + { + id: "f5_http", + attributes: { + class_uid: 4002, class_name: "HTTP Activity", + type_uid: 400201 + }, + format: ".*Client $src_ip=ipv4$:$src_port=word$ -> VIP $vip_ip=ipv4$:$vip_port=word$.*", + halt: true + } + ] +} diff --git a/parsers/FortiGate-OCSF b/parsers/FortiGate-OCSF new file mode 100644 index 0000000..43310a3 --- /dev/null +++ b/parsers/FortiGate-OCSF @@ -0,0 +1,72 @@ +{ + // FortiGate KV-format parser — OCSF v1.3.0 + // Uses explicit anchors around each KV pair instead of generic kv type + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Fortinet", + "metadata.product.name": "FortiGate", + "metadata.log_provider": "syslog", + "Category": "network", + "dataSource.vendor": "Fortinet", + "dataSource.name": "FortiGate", + "dataSource.category": "firewall", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Network Activity", + "activity_id": 6, + "type_uid": 400106, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + qval: "(\"[^\"]*\"|\\S+)", + word: "\\S+", + rest: ".*" + }, + + formats: [ + // IPS / UTM threat → Detection Finding + { + id: "fgt_ips", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "FortiGate IPS Detection", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*type=\"ips\".* srcip=$src_ip=word$ .*dstip=$dst_ip=word$ .*attack=\"$attack=qval$\".*", + halt: true + }, + + // Forward traffic - Deny + { + id: "fgt_deny", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "FortiGate Firewall Deny", + severity_id: 3, severity: "Medium", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*action=\"deny\".* srcip=$src_ip=word$ .*srcport=$src_port=word$ .*dstip=$dst_ip=word$ .*dstport=$dst_port=word$ .*proto=$protocol=word$.*", + halt: true + }, + + // Forward traffic - Allow (passes through to default) + { + id: "fgt_traffic", + attributes: { + class_uid: 4001, class_name: "Network Activity", + type_uid: 400106, + disposition_id: 1, disposition: "Allowed" + }, + format: ".* srcip=$src_ip=word$ .*srcport=$src_port=word$ .*dstip=$dst_ip=word$ .*dstport=$dst_port=word$ .*proto=$protocol=word$ .*action=\"$action=qval$\".*", + halt: true + } + ] +} diff --git a/parsers/HANADatabase-OCSF b/parsers/HANADatabase-OCSF new file mode 100644 index 0000000..f92408a --- /dev/null +++ b/parsers/HANADatabase-OCSF @@ -0,0 +1,170 @@ +{ + // SAP HANA Database SDL Parser + // OCSF v1.3.0 — emits Detection Finding (2004) for risky events + // so they appear in XDR / AI SIEM Findings UI + + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "SAP", + "metadata.product.name": "HANA Database", + "metadata.log_provider": "hana-audit", + "Category": "database", + "dataSource.vendor": "SAP", + "dataSource.name": "HANA Database", + "dataSource.category": "database", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Database Activity", + "activity_id": 0, + "activity_name": "Unknown", + "type_uid": 400100, + "status_id": 1, + "status": "Success", + "severity_id": 1, + "severity": "Informational", + "disposition_id": 0, + "disposition": "Unknown" + }, + + formats: [ + { + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // Field extraction + { input: "user_name", output: "actor.user.name", match: ".*", replace: "$0" }, + { input: "user_name", output: "user.name", match: ".*", replace: "$0" }, + { input: "application_user", output: "actor.user.account.name", match: ".*", replace: "$0" }, + { input: "application_name", output: "app_name", match: ".*", replace: "$0" }, + { input: "client_ip", output: "src_endpoint.ip", match: ".*", replace: "$0" }, + { input: "client_ip", output: "src_ip", match: ".*", replace: "$0" }, + { input: "client_port", output: "src_endpoint.port", match: ".*", replace: "$0" }, + { input: "host", output: "device.hostname", match: ".*", replace: "$0" }, + { input: "component", output: "device.type", match: ".*", replace: "$0" }, + { input: "connection_id", output: "actor.session.uid", match: ".*", replace: "$0" }, + { input: "connection_id", output: "session.uid", match: ".*", replace: "$0" }, + { input: "transaction_id", output: "transaction.uid", match: ".*", replace: "$0" }, + { input: "statement_id", output: "query_info.uid", match: ".*", replace: "$0" }, + { input: "statement", output: "query_info.query_string", match: ".*", replace: "$0" }, + { input: "executed_statement", output: "query_info.executed_query", match: ".*", replace: "$0" }, + { input: "rows_affected", output: "query_info.rows_affected", match: ".*", replace: "$0" }, + { input: "execution_time_ms", output: "query_info.duration", match: ".*", replace: "$0" }, + { input: "audit_action", output: "activity_name", match: ".*", replace: "$0" }, + { input: "audit_action", output: "query_info.query_type", match: ".*", replace: "$0" }, + { input: "audit_policy_name", output: "policy.name", match: ".*", replace: "$0" }, + { input: "comment", output: "raw_data", match: ".*", replace: "$0" }, + + // Status + { input: "error_code", output: "status_id", match: "^0$", replace: "1" }, + { input: "error_code", output: "status", match: "^0$", replace: "Success" }, + { input: "error_code", output: "status_id", match: "^[1-9].*", replace: "2" }, + { input: "error_code", output: "status", match: "^[1-9].*", replace: "Failure" }, + { input: "error_code", output: "status_code", match: ".*", replace: "$0" }, + { input: "error_message", output: "status_detail", match: ".*", replace: "$0" }, + + // OCSF class routing by audit_action — Authentication + { input: "audit_action", output: "class_uid", match: "^(CONNECT|DISCONNECT)$", replace: "3002" }, + { input: "audit_action", output: "class_name", match: "^(CONNECT|DISCONNECT)$", replace: "Authentication" }, + { input: "audit_action", output: "category_uid", match: "^(CONNECT|DISCONNECT)$", replace: "3" }, + { input: "audit_action", output: "category_name", match: "^(CONNECT|DISCONNECT)$", replace: "IAM" }, + { input: "audit_action", output: "activity_id", match: "^CONNECT$", replace: "1" }, + { input: "audit_action", output: "type_uid", match: "^CONNECT$", replace: "300201" }, + { input: "audit_action", output: "activity_id", match: "^DISCONNECT$", replace: "2" }, + { input: "audit_action", output: "type_uid", match: "^DISCONNECT$", replace: "300202" }, + + // Authorization (GRANT / REVOKE) + { input: "audit_action", output: "class_uid", match: "^(GRANT|REVOKE)$", replace: "3003" }, + { input: "audit_action", output: "class_name", match: "^(GRANT|REVOKE)$", replace: "Authorization" }, + { input: "audit_action", output: "category_uid", match: "^(GRANT|REVOKE)$", replace: "3" }, + { input: "audit_action", output: "category_name", match: "^(GRANT|REVOKE)$", replace: "IAM" }, + { input: "audit_action", output: "activity_id", match: "^GRANT$", replace: "1" }, + { input: "audit_action", output: "type_uid", match: "^GRANT$", replace: "300301" }, + { input: "audit_action", output: "activity_id", match: "^REVOKE$", replace: "2" }, + + // Database Activity (DML / DDL / Backup) + { input: "audit_action", output: "class_uid", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "4001" }, + { input: "audit_action", output: "class_name", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "Database Activity" }, + { input: "audit_action", output: "category_uid", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "4" }, + { input: "audit_action", output: "category_name", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "Network Activity" }, + { input: "audit_action", output: "activity_id", match: "^SELECT$", replace: "1" }, + { input: "audit_action", output: "activity_id", match: "^INSERT$", replace: "2" }, + { input: "audit_action", output: "activity_id", match: "^UPDATE$", replace: "3" }, + { input: "audit_action", output: "activity_id", match: "^DELETE$", replace: "4" }, + { input: "audit_action", output: "activity_id", match: "^BACKUP DATA$", replace: "5" }, + + // Severity from audit_level + { input: "audit_level", output: "severity_id", match: "(?i)info", replace: "1" }, + { input: "audit_level", output: "severity", match: "(?i)info", replace: "Informational" }, + { input: "audit_level", output: "severity_id", match: "(?i)warning", replace: "3" }, + { input: "audit_level", output: "severity", match: "(?i)warning", replace: "Medium" }, + { input: "audit_level", output: "severity_id", match: "(?i)alert", replace: "4" }, + { input: "audit_level", output: "severity", match: "(?i)alert", replace: "High" }, + { input: "audit_level", output: "severity_id", match: "(?i)critical", replace: "5" }, + { input: "audit_level", output: "severity", match: "(?i)critical", replace: "Critical" }, + + // Promote risky events to Detection Finding (2004) so they show in XDR + + // 1) Failed authentication + { input: "error_code", output: "class_uid", match: "^[1-9].*", replace: "2004" }, + { input: "error_code", output: "class_name", match: "^[1-9].*", replace: "Detection Finding" }, + { input: "error_code", output: "category_uid", match: "^[1-9].*", replace: "2" }, + { input: "error_code", output: "category_name", match: "^[1-9].*", replace: "Findings" }, + { input: "error_code", output: "activity_id", match: "^[1-9].*", replace: "1" }, + { input: "error_code", output: "type_uid", match: "^[1-9].*", replace: "200401" }, + { input: "error_code", output: "finding_title", match: "^[1-9].*", replace: "HANA Authentication Failure" }, + { input: "error_code", output: "finding_info.title", match: "^[1-9].*", replace: "HANA Authentication Failure" }, + { input: "error_code", output: "disposition_id", match: "^[1-9].*", replace: "2" }, + { input: "error_code", output: "disposition", match: "^[1-9].*", replace: "Blocked" }, + { input: "error_code", output: "severity_id", match: "^[1-9].*", replace: "4" }, + { input: "error_code", output: "severity", match: "^[1-9].*", replace: "High" }, + + // 2) Mass data extraction (rows_affected >= 10000) + { input: "rows_affected", output: "class_uid", match: "^[1-9][0-9]{4,}$", replace: "2004" }, + { input: "rows_affected", output: "class_name", match: "^[1-9][0-9]{4,}$", replace: "Detection Finding" }, + { input: "rows_affected", output: "category_uid", match: "^[1-9][0-9]{4,}$", replace: "2" }, + { input: "rows_affected", output: "category_name", match: "^[1-9][0-9]{4,}$", replace: "Findings" }, + { input: "rows_affected", output: "type_uid", match: "^[1-9][0-9]{4,}$", replace: "200401" }, + { input: "rows_affected", output: "finding_title", match: "^[1-9][0-9]{4,}$", replace: "HANA Mass Data Extraction" }, + { input: "rows_affected", output: "finding_info.title", match: "^[1-9][0-9]{4,}$", replace: "HANA Mass Data Extraction" }, + { input: "rows_affected", output: "severity_id", match: "^[1-9][0-9]{4,}$", replace: "5" }, + { input: "rows_affected", output: "severity", match: "^[1-9][0-9]{4,}$", replace: "Critical" }, + + // 3) SQL injection signature (more specific than mass extraction — wins on overlap) + { input: "statement", output: "class_uid", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2004" }, + { input: "statement", output: "class_name", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Detection Finding" }, + { input: "statement", output: "category_uid", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2" }, + { input: "statement", output: "category_name", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Findings" }, + { input: "statement", output: "type_uid", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "200401" }, + { input: "statement", output: "finding_title", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "HANA SQL Injection Detected" }, + { input: "statement", output: "finding_info.title", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "HANA SQL Injection Detected" }, + { input: "statement", output: "severity_id", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "5" }, + { input: "statement", output: "severity", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Critical" }, + { input: "statement", output: "disposition_id", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2" }, + { input: "statement", output: "disposition", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Blocked" }, + + // 4) GRANT ALL PRIVILEGES (anchor with ^...$) + { input: "statement", output: "class_uid", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "2004" }, + { input: "statement", output: "class_name", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Detection Finding" }, + { input: "statement", output: "category_uid", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "2" }, + { input: "statement", output: "category_name", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Findings" }, + { input: "statement", output: "type_uid", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "200401" }, + { input: "statement", output: "finding_title", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "HANA Privilege Escalation" }, + { input: "statement", output: "finding_info.title", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "HANA Privilege Escalation" }, + { input: "statement", output: "severity_id", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "5" }, + { input: "statement", output: "severity", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Critical" }, + + // 5) Backup to /tmp/ (anchor with ^...$) + { input: "statement", output: "class_uid", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "2004" }, + { input: "statement", output: "class_name", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Detection Finding" }, + { input: "statement", output: "category_uid", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "2" }, + { input: "statement", output: "category_name", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Findings" }, + { input: "statement", output: "type_uid", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "200401" }, + { input: "statement", output: "finding_title", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "HANA Suspicious Backup Location" }, + { input: "statement", output: "finding_info.title", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "HANA Suspicious Backup Location" }, + { input: "statement", output: "severity_id", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "5" }, + { input: "statement", output: "severity", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Critical" } + ] + } + ] +} diff --git a/parsers/ISCBIND-OCSF b/parsers/ISCBIND-OCSF new file mode 100644 index 0000000..24816a1 --- /dev/null +++ b/parsers/ISCBIND-OCSF @@ -0,0 +1,90 @@ +{ + // ISC BIND DNS query log parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "ISC", + "metadata.product.name": "BIND", + "metadata.log_provider": "syslog", + "Category": "network", + "dataSource.vendor": "ISC", + "dataSource.name": "BIND", + "dataSource.category": "dns", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4003, + "class_name": "DNS Activity", + "activity_id": 1, + "activity_name": "Query", + "type_uid": 400301, + "status_id": 1, + "status": "Success", + "severity_id": 1, + "severity": "Informational" + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + word: "\\S+", + rest: ".*" + }, + + formats: [ + // Standard query log + { + id: "bind_query", + attributes: { + class_uid: 4003, class_name: "DNS Activity", + category_uid: 4, activity_id: 1, type_uid: 400301 + }, + format: ".*queries: info: client @$session_handle=word$ $src_ip=ipv4$#$src_port=word$ \\($query_name=word$\\): query: $query_name2=word$ IN $query_type=word$ .*", + halt: true, + rewrites: [ + // AXFR zone transfer attempt → Detection Finding + { input: "query_type", output: "class_uid", match: "^AXFR$", replace: "2004" }, + { input: "query_type", output: "class_name", match: "^AXFR$", replace: "Detection Finding" }, + { input: "query_type", output: "category_uid", match: "^AXFR$", replace: "2" }, + { input: "query_type", output: "category_name", match: "^AXFR$", replace: "Findings" }, + { input: "query_type", output: "type_uid", match: "^AXFR$", replace: "200401" }, + { input: "query_type", output: "finding_title", match: "^AXFR$", replace: "BIND DNS Zone Transfer Attempt" }, + { input: "query_type", output: "finding_info.title", match: "^AXFR$", replace: "BIND DNS Zone Transfer Attempt" }, + { input: "query_type", output: "severity_id", match: "^AXFR$", replace: "4" }, + { input: "query_type", output: "severity", match: "^AXFR$", replace: "High" }, + + // Long base64-looking query → DNS tunneling + { input: "query_name", output: "class_uid", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "2004" }, + { input: "query_name", output: "class_name", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "Detection Finding" }, + { input: "query_name", output: "category_uid", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "2" }, + { input: "query_name", output: "category_name", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "Findings" }, + { input: "query_name", output: "type_uid", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "200401" }, + { input: "query_name", output: "finding_title", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "BIND DNS Tunneling Suspected" }, + { input: "query_name", output: "finding_info.title", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "BIND DNS Tunneling Suspected" }, + { input: "query_name", output: "severity_id", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "5" }, + { input: "query_name", output: "severity", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "Critical" }, + + // Known-bad TLDs (dyndns, no-ip, etc.) → Suspicious DNS + { input: "query_name", output: "class_uid", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "2004" }, + { input: "query_name", output: "class_name", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "Detection Finding" }, + { input: "query_name", output: "category_uid", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "2" }, + { input: "query_name", output: "category_name", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "Findings" }, + { input: "query_name", output: "type_uid", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "200401" }, + { input: "query_name", output: "finding_title", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "BIND Suspicious Dynamic DNS Query" }, + { input: "query_name", output: "finding_info.title", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "BIND Suspicious Dynamic DNS Query" }, + { input: "query_name", output: "severity_id", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "4" }, + { input: "query_name", output: "severity", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "High" } + ] + }, + + // Security warning (zone transfer denied, etc) + { + id: "bind_security", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, type_uid: 200401, + finding_title: "BIND Security Warning", + severity_id: 4, severity: "High" + }, + format: ".*security: warning: $detail=rest$", + halt: true + } + ] +} diff --git a/parsers/LinuxOS-OCSF b/parsers/LinuxOS-OCSF new file mode 100644 index 0000000..5d2290f --- /dev/null +++ b/parsers/LinuxOS-OCSF @@ -0,0 +1,152 @@ +{ + // Linux syslog/auditd parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Linux", + "metadata.product.name": "Linux OS", + "metadata.log_provider": "syslog", + "Category": "host", + "dataSource.vendor": "Linux", + "dataSource.name": "Linux OS", + "dataSource.category": "host", + "category_uid": 1, + "category_name": "System Activity", + "class_uid": 1001, + "class_name": "File System Activity", + "activity_id": 0, + "activity_name": "Unknown", + "type_uid": 100100, + "status_id": 1, + "status": "Success", + "severity_id": 1, + "severity": "Informational" + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + word: "\\S+", + rest: ".*", + creds: "(mimikatz|hashdump|secretsdump|kerbrute)", + revshell: ".*socket\\.socket.*" + }, + + formats: [ + // SSH failed authentication + { + id: "ssh_failed", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + finding_title: "Linux SSH Authentication Failure", + severity_id: 4, severity: "High", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*Failed password for $user_name=word$ from $src_ip=ipv4$ port $src_port=word$.*", + halt: true + }, + + // SSH successful authentication + { + id: "ssh_success", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "IAM", + activity_id: 1, activity_name: "Logon", + type_uid: 300201, + status_id: 1, status: "Success" + }, + format: ".*Accepted password for $user_name=word$ from $src_ip=ipv4$ port $src_port=word$.*", + halt: true + }, + + // sudo NOT in sudoers (priv-esc attempt) + { + id: "sudo_not_in_sudoers", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + finding_title: "Linux Sudo Not In Sudoers", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*sudo: $user_name=word$ : user NOT in sudoers ; TTY=$tty=word$ ; PWD=$pwd=word$ ; USER=$target_user=word$ ; COMMAND=$process_cmd_line=rest$", + halt: true + }, + + // useradd — new user account created + { + id: "useradd", + attributes: { + class_uid: 3001, class_name: "Account Change", + category_uid: 3, category_name: "IAM", + activity_id: 1, activity_name: "Create", + type_uid: 300101, + finding_title: "Linux New User Account Created", + severity_id: 4, severity: "High" + }, + format: ".*useradd\\[$pid=word$\\]: new user: name=$new_user=word$, UID=$uid=word$, GID=$gid=word$.*", + halt: true + }, + + // Mimikatz / credential dumping signatures + { + id: "credential_dump", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Linux Credential Dumping Tool", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*$tool=creds$.*", + halt: true + }, + + // Reverse shell (python -c socket) + { + id: "reverse_shell", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Linux Reverse Shell Execution", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*python$ver=word$ -c $cmd=revshell$.*", + halt: true + }, + + // Generic auditd EXECVE + { + id: "auditd_execve", + attributes: { + class_uid: 1007, class_name: "Process Activity", + category_uid: 1, category_name: "System Activity", + activity_id: 1, activity_name: "Launch", + type_uid: 100701 + }, + format: ".*auditd\\[$pid=word$\\]: EXECVE argc=$argc=word$ a0=\"$process_name=word$\" $cmdline=rest$", + halt: true + }, + + // Cron job executed (suspicious if from /tmp/.hidden) + { + id: "cron_suspicious", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Linux Suspicious Cron Job", + severity_id: 4, severity: "High" + }, + format: ".*cron\\[$pid=word$\\]: \\($cron_user=word$\\) CMD \\($cron_cmd=rest$\\)", + halt: true + } + ] +} diff --git a/parsers/MicrosoftDHCP-OCSF b/parsers/MicrosoftDHCP-OCSF new file mode 100644 index 0000000..a8cd7f7 --- /dev/null +++ b/parsers/MicrosoftDHCP-OCSF @@ -0,0 +1,61 @@ +{ + // Microsoft DHCP server CSV parser — OCSF v1.3.0 + // Format: ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,... + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Microsoft", + "metadata.product.name": "DHCP Server", + "Category": "network", + "dataSource.vendor": "Microsoft", + "dataSource.name": "DHCP Server", + "dataSource.category": "network", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4004, + "class_name": "DHCP Activity", + "activity_id": 1, + "type_uid": 400401, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + csv: "[^,]*" + }, + + formats: [ + // Standard DHCP event + { + id: "dhcp_event", + attributes: { + class_uid: 4004, class_name: "DHCP Activity", + type_uid: 400401 + }, + format: "$event_id=csv$,$date=csv$,$time=csv$,$action=csv$,$client_ip=csv$,$host_name=csv$,$mac=csv$,$user_name=csv$,.*", + halt: true, + rewrites: [ + { input: "client_ip", output: "src_endpoint.ip", match: ".*", replace: "$0" }, + { input: "client_ip", output: "src_ip", match: ".*", replace: "$0" }, + { input: "mac", output: "src_endpoint.mac", match: ".*", replace: "$0" }, + { input: "host_name", output: "device.hostname", match: ".*", replace: "$0" }, + { input: "user_name", output: "actor.user.name", match: ".*", replace: "$0" }, + { input: "action", output: "activity_name", match: ".*", replace: "$0" }, + + // Activity ID by event_id + { input: "event_id", output: "activity_id", match: "^10$", replace: "1" }, // Assign + { input: "event_id", output: "activity_id", match: "^11$", replace: "2" }, // Renew + { input: "event_id", output: "activity_id", match: "^12$", replace: "3" }, // Release + { input: "event_id", output: "activity_id", match: "^13$", replace: "4" }, // Conflict + + // Detection Finding: rogue DHCP / IP conflict + { input: "event_id", output: "class_uid", match: "^13$", replace: "2004" }, + { input: "event_id", output: "class_name", match: "^13$", replace: "Detection Finding" }, + { input: "event_id", output: "category_uid", match: "^13$", replace: "2" }, + { input: "event_id", output: "type_uid", match: "^13$", replace: "200401" }, + { input: "event_id", output: "finding_title", match: "^13$", replace: "DHCP IP Address Conflict" }, + { input: "event_id", output: "severity_id", match: "^13$", replace: "4" }, + { input: "event_id", output: "severity", match: "^13$", replace: "High" } + ] + } + ] +} diff --git a/parsers/MicrosoftDNS-OCSF b/parsers/MicrosoftDNS-OCSF new file mode 100644 index 0000000..1a7c717 --- /dev/null +++ b/parsers/MicrosoftDNS-OCSF @@ -0,0 +1,48 @@ +{ + // Microsoft DNS debug log parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Microsoft", + "metadata.product.name": "DNS Server", + "Category": "network", + "dataSource.vendor": "Microsoft", + "dataSource.name": "DNS Server", + "dataSource.category": "dns", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4003, + "class_name": "DNS Activity", + "activity_id": 1, + "type_uid": 400301, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + word: "\\S+", + rest: ".*" + }, + + formats: [ + { + id: "msdns_query", + attributes: { + class_uid: 4003, class_name: "DNS Activity", + type_uid: 400301 + }, + format: ".* $proto=word$ $direction=word$ $src_ip=ipv4$ .* Q .* $query_type=word$ .* $query_name=rest$", + halt: true, + rewrites: [ + // DNS tunneling (very long query) + { input: "query_name", output: "class_uid", match: "^.{120,}$", replace: "2004" }, + { input: "query_name", output: "class_name", match: "^.{120,}$", replace: "Detection Finding" }, + { input: "query_name", output: "category_uid", match: "^.{120,}$", replace: "2" }, + { input: "query_name", output: "type_uid", match: "^.{120,}$", replace: "200401" }, + { input: "query_name", output: "finding_title", match: "^.{120,}$", replace: "MS-DNS Suspected Tunneling (long query)" }, + { input: "query_name", output: "severity_id", match: "^.{120,}$", replace: "4" }, + { input: "query_name", output: "severity", match: "^.{120,}$", replace: "High" } + ] + } + ] +} diff --git a/parsers/Omniconnect-OCSF b/parsers/Omniconnect-OCSF new file mode 100644 index 0000000..7d06ebc --- /dev/null +++ b/parsers/Omniconnect-OCSF @@ -0,0 +1,88 @@ +{ + // Omniconnect TI Gateway OCSF Parser - OCSF v1.3.0 + // Secures HIS <-> German Telematics Infrastructure (TI) traffic + // BSI / NIS2 / gematik compliance events + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Omniconnect", + "metadata.product.name": "Omniconnect TI Gateway", + "metadata.log_provider": "hec", + "Category": "healthcare", + "dataSource.vendor": "Omniconnect", + "dataSource.name": "Omniconnect", + "dataSource.category": "Healthcare" + }, + + formats: [ + { + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // ─── OCSF classification by event_category ────────────────────── + { input: "event_category", output: "category_uid", match: "ti_connection", replace: "4" }, + { input: "event_category", output: "category_name", match: "ti_connection", replace: "Network Activity" }, + { input: "event_category", output: "class_uid", match: "ti_connection", replace: "4001" }, + { input: "event_category", output: "class_name", match: "ti_connection", replace: "Network Activity" }, + + { input: "event_category", output: "category_uid", match: "card_operations", replace: "3" }, + { input: "event_category", output: "category_name", match: "card_operations", replace: "Identity & Access Management" }, + { input: "event_category", output: "class_uid", match: "card_operations", replace: "3002" }, + { input: "event_category", output: "class_name", match: "card_operations", replace: "Authentication" }, + + { input: "event_category", output: "category_uid", match: "vsdm", replace: "6" }, + { input: "event_category", output: "category_name", match: "vsdm", replace: "Application Activity" }, + { input: "event_category", output: "class_uid", match: "vsdm", replace: "6001" }, + { input: "event_category", output: "class_name", match: "vsdm", replace: "Web Resources Activity" }, + + { input: "event_category", output: "category_uid", match: "erezept", replace: "6" }, + { input: "event_category", output: "category_name", match: "erezept", replace: "Application Activity" }, + { input: "event_category", output: "class_uid", match: "erezept", replace: "6001" }, + { input: "event_category", output: "class_name", match: "erezept", replace: "Web Resources Activity" }, + + { input: "event_category", output: "category_uid", match: "epa", replace: "6" }, + { input: "event_category", output: "category_name", match: "epa", replace: "Application Activity" }, + { input: "event_category", output: "class_uid", match: "epa", replace: "6001" }, + { input: "event_category", output: "class_name", match: "epa", replace: "Web Resources Activity" }, + + { input: "event_category", output: "category_uid", match: "kim", replace: "4" }, + { input: "event_category", output: "category_name", match: "kim", replace: "Network Activity" }, + { input: "event_category", output: "class_uid", match: "kim", replace: "4009" }, + { input: "event_category", output: "class_name", match: "kim", replace: "Email Activity" }, + + { input: "event_category", output: "category_uid", match: "security", replace: "2" }, + { input: "event_category", output: "category_name", match: "security", replace: "Findings" }, + { input: "event_category", output: "class_uid", match: "security", replace: "2001" }, + { input: "event_category", output: "class_name", match: "security", replace: "Security Finding" }, + + { input: "event_category", output: "category_uid", match: "system", replace: "6" }, + { input: "event_category", output: "category_name", match: "system", replace: "Application Activity" }, + { input: "event_category", output: "class_uid", match: "system", replace: "6007" }, + { input: "event_category", output: "class_name", match: "system", replace: "Application Lifecycle" }, + + // ─── Severity ─────────────────────────────────────────────────── + { input: "severity", output: "severity_id", match: "(?i)critical", replace: "6" }, + { input: "severity", output: "severity_id", match: "(?i)high", replace: "5" }, + { input: "severity", output: "severity_id", match: "(?i)medium", replace: "4" }, + { input: "severity", output: "severity_id", match: "(?i)low", replace: "2" }, + { input: "severity", output: "severity_id", match: "(?i)info", replace: "1" }, + { input: "severity", output: "severity_str", match: ".*", replace: "$0" }, + + // ─── Status ───────────────────────────────────────────────────── + { input: "outcome", output: "status_id", match: "success", replace: "1" }, + { input: "outcome", output: "status_id", match: "failure", replace: "2" }, + { input: "outcome", output: "status_id", match: "detected", replace: "2" }, + { input: "outcome", output: "status_id", match: "revoked", replace: "3" }, + { input: "outcome", output: "status", match: ".*", replace: "$0" }, + + // ─── Activity / finding ───────────────────────────────────────── + { input: "event_type", output: "activity_name", match: ".*", replace: "$0" }, + { input: "event_type", output: "finding_info.title", match: ".*", replace: "$0" }, + { input: "event_id", output: "finding_info.uid", match: ".*", replace: "$0" }, + { input: "timestamp", output: "finding_info.created_time_dt", match: ".*", replace: "$0" }, + + // ─── Compliance tags (BSI / NIS2 / gematik / GDPR) ────────────── + { input: "event_category", output: "compliance.standard", match: ".*", replace: "BSI-Grundschutz,NIS2,gematik-TI,GDPR" } + ] + } + ] +} diff --git a/parsers/OracleRDBMS-OCSF b/parsers/OracleRDBMS-OCSF new file mode 100644 index 0000000..2cd24bf --- /dev/null +++ b/parsers/OracleRDBMS-OCSF @@ -0,0 +1,62 @@ +{ + // Oracle RDBMS audit trail parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Oracle", + "metadata.product.name": "Database", + "Category": "database", + "dataSource.vendor": "Oracle", + "dataSource.name": "Oracle Database", + "dataSource.category": "database", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Database Activity", + "activity_id": 1, + "type_uid": 400101, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + word: "\\S+", + rest: ".*" + }, + + formats: [ + { + id: "oracle_audit", + attributes: { + class_uid: 4001, class_name: "Database Activity", + type_uid: 400101 + }, + format: "Audit trail: ACTION: $action_id=word$ TIMESTAMP: $ts=word$ $tz=word$ SESSIONID: $session_id=word$ ENTRYID: $entry_id=word$ STATEMENT: $stmt_id=word$ USERID: $user_name=word$ USERHOST: $user_host=word$ TERMINAL: $terminal=word$ ACTION_NAME: $activity_name=word$ RETURNCODE: $return_code=word$ $rest=rest$", + halt: true, + rewrites: [ + { input: "user_name", output: "actor.user.name", match: ".*", replace: "$0" }, + { input: "user_host", output: "device.hostname", match: ".*", replace: "$0" }, + { input: "session_id", output: "actor.session.uid", match: ".*", replace: "$0" }, + + // Failed (return_code != 0) → Detection Finding + { input: "return_code", output: "class_uid", match: "^[1-9].*", replace: "2004" }, + { input: "return_code", output: "class_name", match: "^[1-9].*", replace: "Detection Finding" }, + { input: "return_code", output: "category_uid", match: "^[1-9].*", replace: "2" }, + { input: "return_code", output: "type_uid", match: "^[1-9].*", replace: "200401" }, + { input: "return_code", output: "finding_title", match: "^[1-9].*", replace: "Oracle Database Failed Operation" }, + { input: "return_code", output: "severity_id", match: "^[1-9].*", replace: "4" }, + { input: "return_code", output: "severity", match: "^[1-9].*", replace: "High" }, + { input: "return_code", output: "status_id", match: "^[1-9].*", replace: "2" }, + { input: "return_code", output: "status", match: "^[1-9].*", replace: "Failure" }, + + // Privilege grants → Detection Finding + { input: "activity_name", output: "class_uid", match: "^GRANT$", replace: "2004" }, + { input: "activity_name", output: "class_name", match: "^GRANT$", replace: "Detection Finding" }, + { input: "activity_name", output: "category_uid", match: "^GRANT$", replace: "2" }, + { input: "activity_name", output: "type_uid", match: "^GRANT$", replace: "200401" }, + { input: "activity_name", output: "finding_title", match: "^GRANT$", replace: "Oracle Privilege Grant" }, + { input: "activity_name", output: "severity_id", match: "^GRANT$", replace: "4" }, + { input: "activity_name", output: "severity", match: "^GRANT$", replace: "High" } + ] + } + ] +} diff --git a/parsers/PaloAlto-OCSF b/parsers/PaloAlto-OCSF new file mode 100644 index 0000000..e9732ca --- /dev/null +++ b/parsers/PaloAlto-OCSF @@ -0,0 +1,72 @@ +{ + // Palo Alto PAN-OS CSV parser — OCSF v1.3.0 + // Format: domain,receive_time,serial,type,subtype,...,src_ip,dst_ip,natsrc_ip,natdst_ip,rule,... + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.product.name": "PAN-OS", + "Category": "network", + "dataSource.vendor": "Palo Alto Networks", + "dataSource.name": "PAN-OS", + "dataSource.category": "firewall", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Network Activity", + "activity_id": 6, + "type_uid": 400106, + "status_id": 1, + "status": "Success", + "severity_id": 1 + }, + + patterns: { + word: "[^,]*", + csv: "[^,]+" + }, + + formats: [ + // TRAFFIC log + { + id: "panos_traffic", + attributes: { + class_uid: 4001, class_name: "Network Activity", + type_uid: 400106 + }, + format: "$domain=csv$,$receive_time=csv$,$serial=csv$,TRAFFIC,$subtype=csv$,$config_ver=csv$,$gen_time=csv$,$src_ip=csv$,$dst_ip=csv$,$natsrc_ip=word$,$natdst_ip=word$,$rule=csv$,$src_user=word$,$dst_user=word$,$application=csv$,.*", + halt: true + }, + + // THREAT log → Detection Finding + { + id: "panos_threat", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Palo Alto Threat Detected", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: "$domain=csv$,$receive_time=csv$,$serial=csv$,THREAT,$threat_subtype=csv$,$config_ver=csv$,$gen_time=csv$,$src_ip=csv$,$dst_ip=csv$,$natsrc_ip=word$,$natdst_ip=word$,$rule=csv$,$src_user=word$,$dst_user=word$,$application=csv$,.*", + halt: true, + rewrites: [ + { input: "threat_subtype", output: "finding_title", match: "(?i)^.*vulnerability.*$", replace: "Palo Alto Vulnerability Exploit Attempt" }, + { input: "threat_subtype", output: "finding_title", match: "(?i)^.*virus.*$", replace: "Palo Alto Malware Detected" }, + { input: "threat_subtype", output: "finding_title", match: "(?i)^.*spyware.*$", replace: "Palo Alto Spyware/C2 Detected" }, + { input: "threat_subtype", output: "finding_title", match: "(?i)^.*url.*$", replace: "Palo Alto Malicious URL" } + ] + }, + + // URL filtering log + { + id: "panos_url", + attributes: { + class_uid: 4002, class_name: "HTTP Activity", + type_uid: 400201 + }, + format: "$domain=csv$,$receive_time=csv$,$serial=csv$,URL,.*", + halt: true + } + ] +} diff --git a/parsers/QRadar-OCSF b/parsers/QRadar-OCSF new file mode 100644 index 0000000..bbf7328 --- /dev/null +++ b/parsers/QRadar-OCSF @@ -0,0 +1,58 @@ +{ + // QRadar JSON parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "IBM", + "metadata.product.name": "QRadar", + "Category": "siem", + "dataSource.vendor": "IBM", + "dataSource.name": "QRadar", + "dataSource.category": "siem", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Network Activity", + "activity_id": 6, + "type_uid": 400106, + "status_id": 1, + "status": "Success", + "severity_id": 1, + "severity": "Informational" + }, + + formats: [ + { + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + { input: "sourceIP", output: "src_endpoint.ip", match: ".*", replace: "$0" }, + { input: "sourceIP", output: "src_ip", match: ".*", replace: "$0" }, + { input: "sourcePort", output: "src_endpoint.port", match: ".*", replace: "$0" }, + { input: "destinationIP", output: "dst_endpoint.ip", match: ".*", replace: "$0" }, + { input: "destinationIP", output: "dst_ip", match: ".*", replace: "$0" }, + { input: "destinationPort", output: "dst_endpoint.port", match: ".*", replace: "$0" }, + { input: "protocol", output: "connection_info.protocol_name", match: ".*", replace: "$0" }, + { input: "username", output: "actor.user.name", match: ".*", replace: "$0" }, + { input: "username", output: "user_name", match: ".*", replace: "$0" }, + { input: "category", output: "metadata.event_type", match: ".*", replace: "$0" }, + + // QRadar magnitude → severity + { input: "magnitude", output: "severity_id", match: "^[1-3]$", replace: "2" }, + { input: "magnitude", output: "severity_id", match: "^[4-6]$", replace: "3" }, + { input: "magnitude", output: "severity_id", match: "^[7-8]$", replace: "4" }, + { input: "magnitude", output: "severity_id", match: "^(9|10)$", replace: "5" }, + + // Detection Finding for "Suspicious" / "Authentication" categories + { input: "category", output: "class_uid", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "2004" }, + { input: "category", output: "class_name", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "Detection Finding" }, + { input: "category", output: "category_uid", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "2" }, + { input: "category", output: "category_name", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "Findings" }, + { input: "category", output: "type_uid", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "200401" }, + { input: "category", output: "finding_title", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "$0" }, + { input: "category", output: "finding_info.title", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "$0" }, + { input: "category", output: "severity_id", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "4" }, + { input: "category", output: "severity", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "High" } + ] + } + ] +} diff --git a/parsers/SIMGeneric-OCSF b/parsers/SIMGeneric-OCSF new file mode 100644 index 0000000..e9949c5 --- /dev/null +++ b/parsers/SIMGeneric-OCSF @@ -0,0 +1,74 @@ +{ + // Generic SIM application syslog parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Generic", + "metadata.product.name": "SIM Generic Application", + "Category": "application", + "dataSource.vendor": "Generic", + "dataSource.name": "Generic Application", + "dataSource.category": "application", + "category_uid": 3, + "category_name": "IAM", + "class_uid": 3002, + "class_name": "Authentication", + "activity_id": 1, + "type_uid": 300201, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + word: "\\S+", + rest: ".*" + }, + + formats: [ + // Successful login + { + id: "generic_login_success", + attributes: { + class_uid: 3002, class_name: "Authentication", + type_uid: 300201, + status_id: 1, status: "Success" + }, + format: ".*INFO User login successful user=$user_name=word$ src_ip=$src_ip=ipv4$ session_id=$session_id=word$", + halt: true + }, + + // Failed authentication → Detection Finding + { + id: "generic_auth_fail", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, type_uid: 200401, + finding_title: "Generic Application Authentication Failure", + severity_id: 4, severity: "High", + disposition_id: 2, disposition: "Blocked", + status_id: 2, status: "Failure" + }, + format: ".*WARNING Failed authentication attempt user=$user_name=word$ src_ip=$src_ip=ipv4$ reason=$reason=word$ attempts=$attempts=word$", + halt: true, + rewrites: [ + // Bump severity if attempts >= 5 (likely brute force) + { input: "attempts", output: "finding_title", match: "^[5-9]$|^\\d{2,}$", replace: "Generic Application Brute Force" }, + { input: "attempts", output: "severity_id", match: "^[5-9]$|^\\d{2,}$", replace: "5" }, + { input: "attempts", output: "severity", match: "^[5-9]$|^\\d{2,}$", replace: "Critical" } + ] + }, + + // Generic ERROR + { + id: "generic_error", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, type_uid: 200401, + finding_title: "Generic Application Error", + severity_id: 3, severity: "Medium" + }, + format: ".*ERROR $detail=rest$", + halt: true + } + ] +} diff --git a/parsers/WatchGuard-OCSF b/parsers/WatchGuard-OCSF new file mode 100644 index 0000000..4fa13cd --- /dev/null +++ b/parsers/WatchGuard-OCSF @@ -0,0 +1,70 @@ +{ + // WatchGuard Fireware syslog parser — OCSF v1.3.0 + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "WatchGuard", + "metadata.product.name": "Fireware", + "Category": "network", + "dataSource.vendor": "WatchGuard", + "dataSource.name": "Fireware", + "dataSource.category": "firewall", + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Network Activity", + "activity_id": 6, + "type_uid": 400106, + "status_id": 1, + "status": "Success", + "severity_id": 1 + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + word: "\\S+", + rest: ".*" + }, + + formats: [ + // Allowed traffic + { + id: "wg_allow", + attributes: { + class_uid: 4001, class_name: "Network Activity", + type_uid: 400106, + disposition_id: 1, disposition: "Allowed" + }, + format: "$ts=rest$ firewall Allow $src_ip=ipv4$ $dst_ip=ipv4$ $service=word$ $src_port=word$ $dst_port=word$ .*", + halt: true + }, + + // Denied traffic → Detection Finding + { + id: "wg_deny", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "WatchGuard Firewall Deny", + severity_id: 3, severity: "Medium", + disposition_id: 2, disposition: "Blocked" + }, + format: "$ts=rest$ firewall Deny $src_ip=ipv4$ $dst_ip=ipv4$ $service=word$ $src_port=word$ $dst_port=word$ .*", + halt: true + }, + + // IPS detection (proxy) + { + id: "wg_ips", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, type_uid: 200401, + finding_title: "WatchGuard IPS Detection", + severity_id: 5, severity: "Critical", + disposition_id: 2, disposition: "Blocked" + }, + format: ".*IPS-detected $detail=rest$", + halt: true + } + ] +} diff --git a/parsers/WindowsSecurity-OCSF b/parsers/WindowsSecurity-OCSF new file mode 100644 index 0000000..54ddcfb --- /dev/null +++ b/parsers/WindowsSecurity-OCSF @@ -0,0 +1,103 @@ +{ + // Windows Security Event XML parser — OCSF v1.3.0 + // Uses non-greedy patterns that stop at the next XML tag/quote + attributes: { + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "Microsoft", + "metadata.product.name": "Windows Security", + "metadata.log_provider": "winlogbeat", + "Category": "host", + "dataSource.vendor": "Microsoft", + "dataSource.name": "Windows Security", + "dataSource.category": "endpoint", + "category_uid": 3, + "category_name": "IAM", + "class_uid": 3002, + "class_name": "Authentication", + "activity_id": 1, + "type_uid": 300201, + "status_id": 1, + "severity_id": 1 + }, + + patterns: { + // Anything until next "<" — perfect for XML content + untilLT: "[^<]*", + // Anything until next ">" + untilGT: "[^>]*", + word: "\\S+", + rest: ".*" + }, + + formats: [ + // 4625 = Failed logon → Detection Finding (HIGH) + { + id: "win_4625", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Windows Logon Failure (4625)", + severity_id: 4, severity: "High", + disposition_id: 2, disposition: "Blocked", + status_id: 2, status: "Failure" + }, + format: ".*4625.*$user_name=untilLT$.*$src_ip=untilLT$.*", + halt: true + }, + + // 4720 = User account created → Detection Finding (HIGH) + { + id: "win_4720", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Windows New User Account Created (4720)", + severity_id: 4, severity: "High" + }, + format: ".*4720.*$new_user=untilLT$.*", + halt: true + }, + + // 4732 = User added to security group → Detection Finding (CRITICAL) + { + id: "win_4732", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Windows User Added to Privileged Group (4732)", + severity_id: 5, severity: "Critical" + }, + format: ".*4732.*$member=untilLT$.*$group_name=untilLT$.*", + halt: true + }, + + // 1102 = Audit log cleared (anti-forensics) → Detection Finding (CRITICAL) + { + id: "win_1102", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + type_uid: 200401, + finding_title: "Windows Audit Log Cleared (1102)", + severity_id: 5, severity: "Critical" + }, + format: ".*1102.*", + halt: true + }, + + // 4624 = Successful logon (informational) + { + id: "win_4624", + attributes: { + class_uid: 3002, class_name: "Authentication", + activity_id: 1, type_uid: 300201, + status_id: 1, status: "Success" + }, + format: ".*4624.*$user_name=untilLT$.*$src_ip=untilLT$.*", + halt: true + } + ] +} diff --git a/parsers/alerts b/parsers/alerts new file mode 100644 index 0000000..101a84d --- /dev/null +++ b/parsers/alerts @@ -0,0 +1,106 @@ +{ + "alerts": [ + { + "trigger": "class_uid='2004' AND severity_id='5' | group n=count() by serverHost, finding_title | filter n >= 1", + "alertTime": 300, + "renotifyPeriodMinutes": 60, + "description": "[Critical] Critical OCSF Detection Findings (any source) \u2014 Fires when any data source reports a Detection Finding with severity_id=5 (Critical). Catches HANA Mass Exfil, SQL Injection, Linux reverse shells, Windows audit clearing, F5 WAF blocks, Palo Alto threats." + }, + { + "trigger": "class_uid='2004' AND severity_id='4' | group n=count() by serverHost, finding_title | filter n >= 1", + "alertTime": 300, + "renotifyPeriodMinutes": 120, + "description": "[High] High-Severity Detection Findings \u2014 All HIGH severity OCSF findings \u2014 SSH brute force, sudo not in sudoers, F5 auth failures, Windows logon failures, Entra ID risky sign-ins." + }, + { + "trigger": "serverHost='linux-ocsf' | parse 'Failed password for $f_user$ from $f_ip$' | parse 'Accepted password for $a_user$ from $a_ip$' | group fails=count(f_user), success=count(a_user) by serverHost, f_ip | filter fails >= 3 and success >= 1", + "alertTime": 600, + "renotifyPeriodMinutes": 60, + "description": "[Critical] Linux SSH Brute-Force Then Successful Logon (Correlation) \u2014 Detects 3+ failed SSH logins followed by a successful logon from the same source IP \u2014 classic credential stuffing kill chain." + }, + { + "trigger": "class_uid='2004' AND src_ip != null | group sources=count() by src_ip | filter sources >= 5", + "alertTime": 3600, + "renotifyPeriodMinutes": 60, + "description": "[Critical] Multi-Source Coordinated Attack (Correlation) \u2014 Same source IP triggers Detection Findings across 2+ different data sources within 1h \u2014 indicates coordinated multi-stage attack (e.g., port scan + brute force + exfil)." + }, + { + "trigger": "serverHost='hana-ocsf' AND class_uid='2004' AND (finding_title contains 'SQL Injection' OR finding_title contains 'Mass Data Extraction')", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[Critical] HANA Database SQL Injection or Mass Exfiltration \u2014 Critical SAP HANA detection: SQL injection patterns OR rows_affected > 1000 indicating data exfiltration." + }, + { + "trigger": "(serverHost='bind-ocsf' OR serverHost='msdns-ocsf') AND class_uid='2004' | group n=count() by finding_title | filter n >= 1", + "alertTime": 600, + "renotifyPeriodMinutes": 60, + "description": "[High] DNS Suspicious Activity (BIND or Microsoft DNS) \u2014 BIND or Microsoft DNS detected suspicious query \u2014 security warnings, AXFR zone transfers, base64 tunneling, or dynamic DNS." + }, + { + "trigger": "serverHost='entra-ocsf' AND class_uid='2004' | group n=count() by finding_title | filter n >= 1", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[High] Cloud Identity Risky Sign-In \u2014 Microsoft Entra ID flagged a sign-in failure or risky activity (auth failure, high-risk, Tor exit node, etc.)." + }, + { + "trigger": "serverHost='f5ltm-ocsf' AND class_uid='2004' AND (finding_title contains 'WAF' OR finding_title contains 'ASM')", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[Critical] Web Application Attack (F5 WAF) \u2014 F5 BIG-IP WAF blocked SQL injection, XSS, or other web attack pattern." + }, + { + "trigger": "serverHost='paloalto-ocsf' AND class_uid='2004'", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[Critical] Palo Alto Threat / C2 Detection \u2014 Palo Alto IPS/threat engine detected vulnerability exploit, spyware/C2, or malware." + }, + { + "trigger": "serverHost='windows-ocsf' AND class_uid='2004' | group n=count() by finding_title | filter n >= 1", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[High] Windows Security Detection Finding \u2014 Any Windows Security Detection Finding \u2014 failed logons (4625), new accounts (4720), privileged group changes (4732), or audit log clearing (1102)." + }, + { + "trigger": "serverHost='windows-ocsf' AND class_uid='2004' AND (finding_title contains '4720' OR finding_title contains '4732')", + "alertTime": 600, + "renotifyPeriodMinutes": 60, + "description": "[High] Windows New User Account Or Privilege Escalation \u2014 EventID 4720 (new user) or 4732 (added to privileged group) \u2014 persistence + privesc." + }, + { + "trigger": "class_uid='3002' AND status_id='2' | group attempts=count() by user_name | filter attempts >= 10", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[High] Authentication Failure Burst (Cross-Source) \u2014 10+ authentication failures (class_uid=3002 status=Failure) across all IAM sources within 5 min \u2014 likely brute force." + }, + { + "trigger": "serverHost='linux-ocsf' AND class_uid='2004' AND (finding_title contains 'Reverse Shell' OR finding_title contains 'Credential Dumping')", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[Critical] Linux Reverse Shell or Credential Dumping Tool \u2014 Linux process activity detected mimikatz / hashdump / kerbrute / python socket reverse shell." + }, + { + "trigger": "(serverHost='fortigate-ocsf' OR serverHost='checkpoint-ocsf') AND class_uid='2004' | group n=count() by serverHost, src_ip | filter n >= 10", + "alertTime": 600, + "renotifyPeriodMinutes": 60, + "description": "[High] Network Firewall Deny / Block (Spike) \u2014 FortiGate or Check Point firewall denied 10+ connections \u2014 likely port scan, lateral movement attempt, or C2 callback." + }, + { + "trigger": "serverHost='darktrace-ocsf' AND class_uid='2004' AND finding_title contains 'AI Analyst' | group n=count() by finding_title | filter n >= 1", + "alertTime": 300, + "renotifyPeriodMinutes": 30, + "description": "[Critical] Darktrace AI Analyst Incident \u2014 Darktrace AI Analyst raised an incident (lateral movement, data exfil, suspicious SaaS activity, etc.) \u2014 top-priority NDR alert." + }, + { + "trigger": "serverHost='darktrace-ocsf' AND class_uid='2004' AND finding_title contains 'Antigena' | group n=count() by finding_title | filter n >= 1", + "alertTime": 300, + "renotifyPeriodMinutes": 60, + "description": "[High] Darktrace Antigena Autonomous Response Triggered \u2014 Darktrace Antigena autonomously blocked traffic \u2014 confirms a high-confidence threat that the system already mitigated." + }, + { + "trigger": "serverHost='darktrace-ocsf' AND class_uid='2004' AND finding_title contains 'Model Breach' | group n=count() by finding_title | filter n >= 1", + "alertTime": 600, + "renotifyPeriodMinutes": 60, + "description": "[High] Darktrace Model Breach High Score (>=80) \u2014 Darktrace Model Breach with anomaly score >=80 (out of 100) \u2014 high-confidence behavioural anomaly worth investigating." + } + ] +} \ No newline at end of file diff --git a/parsers/aws_cloudtrail-latest b/parsers/aws_cloudtrail-latest new file mode 100644 index 0000000..21e032c --- /dev/null +++ b/parsers/aws_cloudtrail-latest @@ -0,0 +1,327 @@ +{ + "attributes": { + "dataSource.vendor": "AWS", + "dataSource.name": "CloudTrail", + "dataSource.category": "security", + "metadata.product.vendor_name": "AWS", + "metadata.product.name": "AWS CloudTrail", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.eventTime", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "constant": { + "value": 4002, + "field": "class_uid" + } + }, + { + "constant": { + "value": "HTTP Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "copy": { + "from": "unmapped.eventTime", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "copy": { + "from": "unmapped.eventId", + "to": "metadata.uid" + } + }, + { + "copy": { + "from": "unmapped.eventName", + "to": "message" + } + }, + { + "copy": { + "from": "unmapped.eventName", + "to": "activity_name" + } + }, + { + "copy": { + "from": "unmapped.eventSource", + "to": "http_request.url.hostname" + } + }, + { + "copy": { + "from": "unmapped.userIdentity.type", + "to": "user.type" + } + }, + { + "copy": { + "from": "unmapped.userIdentity.principalId", + "to": "user.uid" + } + }, + { + "copy": { + "from": "unmapped.userIdentity.arn", + "to": "user.name" + } + }, + { + "copy": { + "from": "unmapped.userIdentity.accountId", + "to": "user.account_uid" + } + }, + { + "copy": { + "from": "unmapped.userIdentity.userName", + "to": "user.name" + } + }, + { + "copy": { + "from": "unmapped.sourceIPAddress", + "to": "src_endpoint.ip" + } + }, + { + "copy": { + "from": "unmapped.userAgent", + "to": "http_request.user_agent" + } + }, + { + "copy": { + "from": "unmapped.awsRegion", + "to": "cloud.region" + } + }, + { + "copy": { + "from": "unmapped.errorCode", + "to": "http_response.code" + } + }, + { + "copy": { + "from": "unmapped.errorMessage", + "to": "status_detail" + } + }, + { + "copy": { + "from": "unmapped.requestParameters", + "to": "http_request.body" + } + }, + { + "copy": { + "from": "unmapped.responseElements", + "to": "http_response.body" + } + }, + { + "copy": { + "from": "unmapped.requestId", + "to": "metadata.correlation_uid" + } + }, + { + "copy": { + "from": "unmapped.eventType", + "to": "type_name" + } + }, + { + "copy": { + "from": "unmapped.recipientAccountId", + "to": "cloud.account_uid" + } + }, + { + "copy": { + "from": "unmapped.serviceEventDetails", + "to": "metadata.extensions.service_details" + } + }, + { + "copy": { + "from": "unmapped.sharedEventID", + "to": "metadata.extensions.shared_event_id" + } + }, + { + "copy": { + "from": "unmapped.vpcEndpointId", + "to": "dst_endpoint.uid" + } + }, + { + "copy": { + "from": "unmapped.resources[0].accountId", + "to": "cloud.account_uid" + } + }, + { + "copy": { + "from": "unmapped.resources[0].type", + "to": "dst_endpoint.type" + } + }, + { + "copy": { + "from": "unmapped.resources[0].ARN", + "to": "dst_endpoint.name" + } + }, + { + "copy": { + "from": "unmapped.apiVersion", + "to": "metadata.extensions.api_version" + } + }, + { + "copy": { + "from": "unmapped.managementEvent", + "to": "metadata.extensions.management_event" + } + }, + { + "copy": { + "from": "unmapped.readOnly", + "to": "metadata.extensions.read_only" + } + }, + { + "copy": { + "from": "unmapped.eventCategory", + "to": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.errorCode == \"\"" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id", + "predicate": "unmapped.errorCode != \"\"" + } + }, + { + "constant": { + "value": 1, + "field": "severity_id", + "predicate": "unmapped.errorCode == \"\"" + } + }, + { + "constant": { + "value": 3, + "field": "severity_id", + "predicate": "unmapped.errorCode != \"\"" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "unmapped.errorCode == \"\"" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "unmapped.errorCode != \"\"" + } + }, + { + "constant": { + "value": "Success", + "field": "status", + "predicate": "unmapped.errorCode == \"\"" + } + }, + { + "constant": { + "value": "Failure", + "field": "status", + "predicate": "unmapped.errorCode != \"\"" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "user.name", + "type": "User" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address" + }, + { + "name": "user.uid", + "type": "User" + }, + { + "name": "cloud.account_uid", + "type": "Other" + }, + { + "name": "dst_endpoint.name", + "type": "Other" + }, + { + "name": "metadata.correlation_uid", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/bsi-nis2-healthcare-overview b/parsers/bsi-nis2-healthcare-overview new file mode 100644 index 0000000..0ae8c30 --- /dev/null +++ b/parsers/bsi-nis2-healthcare-overview @@ -0,0 +1,585 @@ +{ + "configType": "TABBED", + "duration": "24h", + "description": "BSI / NIS2 healthcare compliance \u2014 Avelios Medical HIS + Omniconnect TI Gateway", + "tabs": [ + { + "tabName": "Overview", + "graphs": [ + { + "title": "BSI / NIS2 Healthcare Compliance \u2014 Overview", + "graphStyle": "markdown", + "markdown": "**Scope:** Avelios Medical Hospital Information System (HIS) + Omniconnect HIS\u2194Telematics Infrastructure (TI) gateway.\n\n**Frameworks:** BSI-Grundschutz \u00b7 NIS2 \u00b7 GDPR \u00b7 gematik TI.\n\nAll events are OCSF-enriched (v1.3.0) by the deployed parsers `Avelios-Medical-OCSF` and `Omniconnect-OCSF`.", + "layout": { + "w": 60, + "h": 4, + "x": 0, + "y": 0 + } + }, + { + "title": "Total Healthcare Events", + "graphStyle": "number", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": " events" + }, + "layout": { + "w": 15, + "h": 8, + "x": 0, + "y": 4 + } + }, + { + "title": "Avelios Events", + "graphStyle": "number", + "query": "serverHost='avelios-medical' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 15, + "y": 4 + } + }, + { + "title": "Omniconnect Events", + "graphStyle": "number", + "query": "serverHost='omniconnect' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 30, + "y": 4 + } + }, + { + "title": "Critical Findings", + "graphStyle": "number", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') severity_id='6' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 45, + "y": 4 + } + }, + { + "title": "Events by Source", + "graphStyle": "donut", + "maxPieSlices": 10, + "dataLabelType": "PERCENTAGE", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') | group ct=count() by serverHost", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 12 + } + }, + { + "title": "OCSF Severity Distribution", + "graphStyle": "donut", + "maxPieSlices": 10, + "dataLabelType": "PERCENTAGE", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') severity_str=* | group ct=count() by severity_str", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 12 + } + }, + { + "title": "Events by OCSF Class (per source)", + "graphStyle": "stacked_bar", + "xAxis": "grouped_data", + "yScale": "linear", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') class_name=* | group ct=count() by class_name, serverHost | sort -ct", + "layout": { + "w": 60, + "h": 16, + "x": 0, + "y": 26 + } + }, + { + "title": "Recent HIGH / CRITICAL events", + "graphStyle": "table", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') (severity_str='HIGH' or severity_str='CRITICAL') | columns timestamp, serverHost, event_category, event_type, severity_str | sort -timestamp | limit 25", + "layout": { + "w": 60, + "h": 18, + "x": 0, + "y": 42 + } + } + ] + }, + { + "tabName": "Avelios HIS", + "graphs": [ + { + "title": "Avelios Medical \u2014 Hospital Information System", + "graphStyle": "markdown", + "markdown": "Patient-data access (PHI / GDPR Art. 32), authentication, administrative changes and security findings.\n\n**Relevant BSI controls:** ORP.4 (Identity Management), OPS.1.1 (Logging), CON.3 (Data Protection), DER.1 (Detection).", + "layout": { + "w": 60, + "h": 4, + "x": 0, + "y": 0 + } + }, + { + "title": "Total Avelios Events", + "graphStyle": "number", + "query": "serverHost='avelios-medical' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 0, + "y": 4 + } + }, + { + "title": "PHI Access Events", + "graphStyle": "number", + "query": "serverHost='avelios-medical' event_category='patient_access' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 15, + "y": 4 + } + }, + { + "title": "Auth Failures", + "graphStyle": "number", + "query": "serverHost='avelios-medical' event_category='authentication' outcome='failure' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 30, + "y": 4 + } + }, + { + "title": "Security Findings", + "graphStyle": "number", + "query": "serverHost='avelios-medical' category_uid='2' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 45, + "y": 4 + } + }, + { + "title": "Avelios \u2014 Event Categories", + "graphStyle": "donut", + "maxPieSlices": 10, + "dataLabelType": "PERCENTAGE", + "query": "serverHost='avelios-medical' event_category=* | group ct=count() by event_category", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 12 + } + }, + { + "title": "Avelios \u2014 Severity Mix", + "graphStyle": "donut", + "maxPieSlices": 10, + "dataLabelType": "PERCENTAGE", + "query": "serverHost='avelios-medical' severity_str=* | group ct=count() by severity_str", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 12 + } + }, + { + "title": "PHI Access (BSI CON.3 / GDPR Art. 32)", + "graphStyle": "table", + "query": "serverHost='avelios-medical' event_category='patient_access' | group ct=count() by event_type, severity_str | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 26 + } + }, + { + "title": "Authentication Outcomes", + "graphStyle": "table", + "query": "serverHost='avelios-medical' event_category='authentication' | group ct=count() by event_type, outcome | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 26 + } + }, + { + "title": "Administrative Changes (BSI ORP.4)", + "graphStyle": "table", + "query": "serverHost='avelios-medical' event_category='administrative' | group ct=count() by event_type, outcome | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 40 + } + }, + { + "title": "Avelios Security Findings", + "graphStyle": "table", + "query": "serverHost='avelios-medical' category_uid='2' | columns timestamp, event_type, severity_str | sort -timestamp | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 40 + } + } + ] + }, + { + "tabName": "Omniconnect", + "graphs": [ + { + "title": "Omniconnect \u2014 HIS \u2194 Telematics Infrastructure (TI)", + "graphStyle": "markdown", + "markdown": "Konnektor health, eGK / HBA / SMC-B card operations, eRezept, ePA, VSDM and KIM secure messaging.\n\n**Relevant frameworks:** gematik TI, BSI TR-03116, NIS2 Annex II.", + "layout": { + "w": 60, + "h": 4, + "x": 0, + "y": 0 + } + }, + { + "title": "Total Omniconnect Events", + "graphStyle": "number", + "query": "serverHost='omniconnect' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 0, + "y": 4 + } + }, + { + "title": "TI Connection Events", + "graphStyle": "number", + "query": "serverHost='omniconnect' event_category='ti_connection' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 15, + "y": 4 + } + }, + { + "title": "Card Operations", + "graphStyle": "number", + "query": "serverHost='omniconnect' event_category='card_operations' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 30, + "y": 4 + } + }, + { + "title": "Cert / Crypto Failures", + "graphStyle": "number", + "query": "serverHost='omniconnect' (event_type='CERTIFICATE_EXPIRED' or event_type='CERTIFICATE_VALIDATION_FAILED' or event_type='ENCRYPTION_FAILED' or event_type='SIGNATURE_VERIFICATION_FAILED') | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 45, + "y": 4 + } + }, + { + "title": "Omniconnect \u2014 Event Categories", + "graphStyle": "donut", + "maxPieSlices": 10, + "dataLabelType": "PERCENTAGE", + "query": "serverHost='omniconnect' event_category=* | group ct=count() by event_category", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 12 + } + }, + { + "title": "Omniconnect \u2014 Severity Mix", + "graphStyle": "donut", + "maxPieSlices": 10, + "dataLabelType": "PERCENTAGE", + "query": "serverHost='omniconnect' severity_str=* | group ct=count() by severity_str", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 12 + } + }, + { + "title": "TI Connection Issues", + "graphStyle": "table", + "query": "serverHost='omniconnect' event_category='ti_connection' outcome!='success' | group ct=count() by event_type, severity_str | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 26 + } + }, + { + "title": "Card Operations (eGK / HBA / SMC-B)", + "graphStyle": "table", + "query": "serverHost='omniconnect' event_category='card_operations' | group ct=count() by event_type, outcome | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 26 + } + }, + { + "title": "eRezept Activity", + "graphStyle": "table", + "query": "serverHost='omniconnect' event_category='erezept' | group ct=count() by event_type, outcome | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 40 + } + }, + { + "title": "ePA / KIM Activity", + "graphStyle": "table", + "query": "serverHost='omniconnect' (event_category='epa' or event_category='kim') | group ct=count() by event_category, event_type | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 40 + } + } + ] + }, + { + "tabName": "Compliance", + "graphs": [ + { + "title": "BSI / NIS2 Compliance Findings", + "graphStyle": "markdown", + "markdown": "OCSF Security Findings (`category_uid=2`) across both healthcare platforms, mapped to BSI-Grundschutz controls and NIS2 Annex II obligations (incident handling, encryption, access control, supply-chain security).", + "layout": { + "w": 60, + "h": 4, + "x": 0, + "y": 0 + } + }, + { + "title": "Total Findings", + "graphStyle": "number", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 0, + "y": 4 + } + }, + { + "title": "CRITICAL Findings", + "graphStyle": "number", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' severity_str='CRITICAL' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 15, + "y": 4 + } + }, + { + "title": "HIGH Findings", + "graphStyle": "number", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' severity_str='HIGH' | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 30, + "y": 4 + } + }, + { + "title": "Auth Failures (24h)", + "graphStyle": "number", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='USER_LOGIN_FAILURE' or event_type='CARD_AUTHENTICATION_FAILED' or event_type='CARD_PIN_FAILED') | group ct=count() | limit 1", + "options": { + "format": "auto", + "precision": "0", + "suffix": "" + }, + "layout": { + "w": 15, + "h": 8, + "x": 45, + "y": 4 + } + }, + { + "title": "Findings by Type per Source (NIS2 Annex II)", + "graphStyle": "stacked_bar", + "xAxis": "grouped_data", + "yScale": "linear", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' | group ct=count() by event_type, serverHost | sort -ct", + "layout": { + "w": 60, + "h": 18, + "x": 0, + "y": 12 + } + }, + { + "title": "BSI ORP.4 \u2014 Identity & Access Anomalies", + "graphStyle": "table", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='ACCOUNT_LOCKED' or event_type='UNAUTHORIZED_ACCESS_ATTEMPT' or event_type='PRIVILEGE_ESCALATION_ATTEMPT' or event_type='CARD_PIN_BLOCKED') | group ct=count() by serverHost, event_type, severity_str | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 30 + } + }, + { + "title": "BSI CON.1 \u2014 Crypto / Certificate Issues", + "graphStyle": "table", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type contains 'CERTIFICATE' or event_type contains 'ENCRYPTION' or event_type contains 'SIGNATURE') outcome!='success' | group ct=count() by serverHost, event_type, severity_str | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 30 + } + }, + { + "title": "BSI DER.1 \u2014 Threats & Intrusions", + "graphStyle": "table", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='MALWARE_DETECTED' or event_type='INTRUSION_DETECTED' or event_type='TAMPER_DETECTION' or event_type='SECURITY_POLICY_VIOLATION') | columns timestamp, serverHost, event_type, severity_str | sort -timestamp | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 44 + } + }, + { + "title": "GDPR Art. 32 \u2014 Data-Processing Events", + "graphStyle": "table", + "query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='EMERGENCY_ACCESS_OVERRIDE' or event_type='PATIENT_RECORD_DELETE' or event_type='DATA_EXPORT_INITIATED' or event_type='AUDIT_LOG_EXPORT' or event_type='EPA_EMERGENCY_ACCESS') | group ct=count() by serverHost, event_type | sort -ct | limit 25", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 44 + } + }, + { + "title": "Compliance Control Mapping", + "graphStyle": "markdown", + "markdown": "| Control | BSI / NIS2 ref | Evidence query |\n|---|---|---|\n| Identity & Access | BSI ORP.4 / NIS2 Art. 21(2)(i) | `event_category in (authentication, card_operations)` |\n| Logging & Audit | BSI OPS.1.1 / NIS2 Art. 21(2)(b) | All ingested events |\n| Cryptography | BSI CON.1 / NIS2 Art. 21(2)(h) | `event_type contains CERTIFICATE/ENCRYPTION/SIGNATURE` |\n| Incident Detection | BSI DER.1 / NIS2 Art. 21(2)(c) | `category_uid=2` |\n| Data Protection | BSI CON.3 / GDPR Art. 32 | `event_category=patient_access OR epa` |\n| Supply Chain (TI) | BSI TR-03116 / NIS2 Art. 21(2)(d) | `event_category=ti_connection` |", + "layout": { + "w": 60, + "h": 12, + "x": 0, + "y": 58 + } + } + ] + } + ] +} \ No newline at end of file diff --git a/parsers/checkpoint b/parsers/checkpoint new file mode 100644 index 0000000..818ed87 --- /dev/null +++ b/parsers/checkpoint @@ -0,0 +1,385 @@ +{ + attributes: { + "metadata.version": "3.0.0", + "dataSource.vendor": "Check Point", + "dataSource.name": "Check Point Firewall", + "dataSource.category": "security", + "metadata.product.vendor_name": "Check Point", + "metadata.product.name": "Next Generation Firewall", + "metadata.log_provider": "syslog", + "severity_id": 1, + "severity": "Informational" + }, + + patterns: { + ip: "\\d+\\.\\d+\\.\\d+\\.\\d+", + num: "\\d+", + word: "[\\w-]+", + qval: "[^;\"]+", + uuid: "\\{[^}]+\\}", + rest: ".*" + }, + + formats: [ + // ═══════════════════════════════════════════════════════════════════════════ + // PIPE-DELIMITED: time=...|action=...|src=...|dst=... + // ═══════════════════════════════════════════════════════════════════════════ + + // PIPE - Firewall Accept + { + id: "cp_pipe_accept", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106, + disposition_id: 1, disposition: "Allowed" + }, + format: "time=$time_epoch=num$[|]hostname=$cp_hostname=word$[|]product=$cp_product=word$[|]layer_name=$layer_name=word$[|]action=Accept[|]rule_uid=$rule_uid=qval$[|]ifdir=$iface_dir=word$[|]ifname=$iface_name=word$[|]loguid=$log_uid=uuid$[|]origin=$origin_ip=ip$[|]src=$src_ip=ip$[|]dst=$dst_ip=ip$[|]proto=$proto_num=num$[|]s_port=$src_port=num$[|]service=$dst_port=num$.*", + halt: true + }, + + // PIPE - Firewall Drop + { + id: "cp_pipe_drop", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + disposition_id: 2, disposition: "Blocked", + severity_id: 3, severity: "Medium", + "finding_info.title": "Check Point Firewall Block", + confidence_id: 3, confidence: "High" + }, + format: "time=$time_epoch=num$[|]hostname=$cp_hostname=word$[|]product=$cp_product=word$.*action=Drop.*src=$src_ip=ip$[|]dst=$dst_ip=ip$[|]proto=$proto_num=num$.*", + halt: true + }, + + // PIPE - Generic firewall fallback (any pipe format with src/dst) + { + id: "cp_pipe_fw", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106 + }, + format: "time=$time_epoch=num$[|].*src=$src_ip=ip$[|]dst=$dst_ip=ip$.*", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // SEMICOLON FORMAT: [field:"value"; ...] + // Fields appear in alphabetical order in CP Log Exporter + // ═══════════════════════════════════════════════════════════════════════════ + + // IDENTITY AWARENESS - Auth Success (no dst field, must precede generic Accept) + { + id: "cp_auth_ok", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon", + type_uid: 300201, + status_id: 1, status: "Success" + }, + format: ".*action:\"Accept\";.*product:\"Identity Awareness\";.*user:\"$user_name=qval$\";.*auth_method:\"$auth_method=qval$\";.*identity_src:\"$identity_src=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // IDENTITY AWARENESS - Auth Failure + { + id: "cp_auth_fail", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon", + type_uid: 300201, + status_id: 2, status: "Failure", + severity_id: 3, severity: "Medium" + }, + format: ".*action:\"Reject\";.*product:\"Identity Awareness\";.*user:\"$user_name=qval$\";.*auth_method:\"$auth_method=qval$\";.*reason:\"$status_detail=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // ANTI-BOT + { + id: "cp_antibot", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + severity_id: 5, severity: "Critical", + "finding_info.title": "Check Point Anti-Bot Detection", + confidence_id: 3, confidence: "High" + }, + format: ".*action:\"$cp_action=word$\";.*product:\"Anti-Bot\";.*malware_name:\"$malware_name=qval$\";.*protection_name:\"$protection=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // ANTI-VIRUS + { + id: "cp_antivirus", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + severity_id: 5, severity: "Critical", + "finding_info.title": "Check Point Anti-Virus Detection", + confidence_id: 3, confidence: "High" + }, + format: ".*action:\"$cp_action=word$\";.*product:\"Anti-Virus\";.*malware:\"$malware_name=qval$\";.*file_name:\"$file_name=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // THREAT EMULATION + { + id: "cp_te", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + severity_id: 6, severity: "Fatal", + "finding_info.title": "Check Point Threat Emulation", + confidence_id: 3, confidence: "High" + }, + format: ".*action:\"$cp_action=word$\";.*product:\"Threat Emulation\";.*malware:\"$malware_name=qval$\";.*file_name:\"$file_name=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // IPS + { + id: "cp_ips", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + severity_id: 4, severity: "High", + "finding_info.title": "Check Point IPS Detection", + confidence_id: 3, confidence: "High" + }, + format: ".*action:\"$cp_action=word$\";.*product:\"IPS\";.*attack:\"$attack=qval$\";.*protection_name:\"$protection=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // SMARTDEFENSE (Legacy IPS) + { + id: "cp_smartdef", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + severity_id: 4, severity: "High", + "finding_info.title": "Check Point SmartDefense" + }, + format: ".*action:\"$cp_action=word$\";.*product:\"SmartDefense\";.*attack:\"$attack=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // URL FILTERING - Block + { + id: "cp_urlf_block", + attributes: { + class_uid: 4002, class_name: "HTTP Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400206, + disposition_id: 2, disposition: "Blocked", + severity_id: 2, severity: "Low" + }, + format: ".*action:\"Block\";.*product:\"URL Filtering\";.*resource:\"$url=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // URL FILTERING - Allow + { + id: "cp_urlf_allow", + attributes: { + class_uid: 4002, class_name: "HTTP Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400206, + disposition_id: 1, disposition: "Allowed" + }, + format: ".*action:\"$cp_action=word$\";.*product:\"URL Filtering\";.*resource:\"$url=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // APPLICATION CONTROL + { + id: "cp_appc", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106 + }, + format: ".*action:\"$cp_action=word$\";.*product:\"Application Control\";.*appi_name:\"$app_name=qval$\";.*app_category:\"$app_cat=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // VPN + { + id: "cp_vpn", + attributes: { + class_uid: 4014, class_name: "Tunnel Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Open", + type_uid: 401401, + status_id: 1, status: "Success" + }, + format: ".*action:\"$cp_action=qval$\";.*product:\"VPN\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*user:\"$user_name=qval$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // DLP + { + id: "cp_dlp", + attributes: { + class_uid: 2006, class_name: "Data Security Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200601, + severity_id: 4, severity: "High", + "finding_info.title": "Check Point DLP Violation" + }, + format: ".*action:\"$cp_action=word$\";.*product:\"DLP\";.*dlp_rule_name:\"$dlp_rule=qval$\";.*file_name:\"$file_name=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // SMARTCONSOLE Audit + { + id: "cp_audit", + attributes: { + class_uid: 3004, class_name: "Entity Management", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 0, activity_name: "Unknown", + type_uid: 300400 + }, + format: ".*product:\"SmartConsole\";.*administrator:\"$admin_user=qval$\";.*operation:\"$operation=qval$\";.*object_name:\"$obj_name=qval$\";.*object_type:\"$obj_type=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*", + halt: true + }, + + // FIREWALL ACCEPT - generic with rule_name + { + id: "cp_fw_accept", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106, + disposition_id: 1, disposition: "Allowed" + }, + format: ".*action:\"Accept\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*rule_name:\"$rule_name=qval$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*", + halt: true + }, + + // FIREWALL ACCEPT - without rule_name + { + id: "cp_fw_accept_norule", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106, + disposition_id: 1, disposition: "Allowed" + }, + format: ".*action:\"Accept\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*", + halt: true + }, + + // FIREWALL DROP + { + id: "cp_fw_drop", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + disposition_id: 2, disposition: "Blocked", + severity_id: 3, severity: "Medium", + "finding_info.title": "Check Point Firewall Block", + confidence_id: 3, confidence: "High" + }, + format: ".*action:\"Drop\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*rule_name:\"$rule_name=qval$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*", + halt: true + }, + + // FIREWALL REJECT + { + id: "cp_fw_reject", + attributes: { + class_uid: 2004, class_name: "Detection Finding", + category_uid: 2, category_name: "Findings", + activity_id: 1, activity_name: "Create", + type_uid: 200401, + disposition_id: 2, disposition: "Blocked", + severity_id: 3, severity: "Medium", + "finding_info.title": "Check Point Firewall Reject", + confidence_id: 3, confidence: "High" + }, + format: ".*action:\"Reject\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*rule_name:\"$rule_name=qval$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*", + halt: true + }, + + // GENERIC FALLBACK - just extract src/dst if present + { + id: "cp_fallback", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 0, activity_name: "Unknown", + type_uid: 400100 + }, + format: ".*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*" + } + ], + + mappings: { + version: 1, + mappings: [ + { + transformations: [ + { rename: { from: "src_ip", to: "src_endpoint.ip" } }, + { rename: { from: "dst_ip", to: "dst_endpoint.ip" } }, + { rename: { from: "src_port", to: "src_endpoint.port" } }, + { rename: { from: "dst_port", to: "dst_endpoint.port" } }, + { rename: { from: "iface_name", to: "src_endpoint.interface_name" } }, + { rename: { from: "proto_num", to: "connection_info.protocol_num" } }, + { rename: { from: "iface_dir", to: "connection_info.direction" } }, + { rename: { from: "user_name", to: "actor.user.name" } }, + { rename: { from: "admin_user", to: "actor.user.name" } }, + { rename: { from: "rule_name", to: "firewall_rule.name" } }, + { rename: { from: "rule_uid", to: "firewall_rule.uid" } }, + { rename: { from: "app_name", to: "app.name" } }, + { rename: { from: "app_cat", to: "app.category" } }, + { rename: { from: "url", to: "http_request.url.original" } }, + { rename: { from: "malware_name", to: "malware.name" } }, + { rename: { from: "attack", to: "finding_info.title" } }, + { rename: { from: "protection", to: "finding_info.desc" } }, + { rename: { from: "file_name", to: "file.name" } }, + { rename: { from: "auth_method", to: "auth_protocol" } }, + { rename: { from: "dlp_rule", to: "policy.name" } }, + { rename: { from: "operation", to: "activity_name" } }, + { rename: { from: "obj_name", to: "entity.name" } }, + { rename: { from: "obj_type", to: "entity.type" } }, + { rename: { from: "status_detail", to: "status_detail" } }, + { rename: { from: "origin_ip", to: "device.ip" } }, + { rename: { from: "cp_hostname", to: "device.hostname" } }, + { rename: { from: "cp_product", to: "metadata.product.feature.name" } }, + { rename: { from: "log_uid", to: "metadata.uid" } }, + { rename: { from: "cp_action", to: "unmapped.action" } }, + { rename: { from: "layer_name", to: "unmapped.layer_name" } }, + { rename: { from: "identity_src", to: "unmapped.identity_source" } }, + { rename: { from: "time_epoch", to: "unmapped.time_epoch" } } + ] + } + ] + } +} diff --git a/parsers/cisco_duo-latest b/parsers/cisco_duo-latest new file mode 100644 index 0000000..0a6b770 --- /dev/null +++ b/parsers/cisco_duo-latest @@ -0,0 +1,181 @@ +{ + "attributes": { + "dataSource.vendor": "Cisco", + "dataSource.name": "Cisco Duo Security", + "dataSource.category": "security", + "metadata.product.vendor_name": "Cisco", + "metadata.product.name": "Cisco Duo Security", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.time", + "output": "time", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "unmapped.class_uid = '3002'", + "transformations": [ + { + "constant": { + "value": 3002, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Authentication", + "field": "class_name" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "copy": { + "from": "unmapped.activity_id", + "to": "activity_id" + } + }, + { + "copy": { + "from": "unmapped.activity_name", + "to": "activity_name" + } + }, + { + "copy": { + "from": "unmapped.type_uid", + "to": "type_uid" + } + }, + { + "copy": { + "from": "unmapped.severity_id", + "to": "severity_id" + } + }, + { + "copy": { + "from": "unmapped.status_id", + "to": "status_id" + } + }, + { + "copy": { + "from": "unmapped.status", + "to": "status" + } + }, + { + "copy": { + "from": "unmapped.message", + "to": "message" + } + }, + { + "copy": { + "from": "unmapped.user.name", + "to": "user.name" + } + }, + { + "copy": { + "from": "unmapped.user.account_uid", + "to": "user.account_uid" + } + }, + { + "copy": { + "from": "unmapped.user.account_type", + "to": "user.account_type" + } + }, + { + "copy": { + "from": "unmapped.src_endpoint.ip", + "to": "src_endpoint.ip" + } + }, + { + "copy": { + "from": "unmapped.src_endpoint.location.desc", + "to": "src_endpoint.location.desc" + } + }, + { + "copy": { + "from": "unmapped.src_endpoint.location.city", + "to": "src_endpoint.location.city" + } + }, + { + "copy": { + "from": "unmapped.src_endpoint.location.country", + "to": "src_endpoint.location.country" + } + }, + { + "copy": { + "from": "unmapped.auth_protocol", + "to": "auth_protocol" + } + }, + { + "copy": { + "from": "unmapped.auth_protocol_id", + "to": "auth_protocol_id" + } + }, + { + "copy": { + "from": "unmapped.mfa_factors", + "to": "mfa_factors" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "user.name", + "type": "User" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address" + }, + { + "name": "auth_protocol", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/cisco_ise_logs-latest b/parsers/cisco_ise_logs-latest new file mode 100644 index 0000000..49ad85a --- /dev/null +++ b/parsers/cisco_ise_logs-latest @@ -0,0 +1,77 @@ +{ + attributes: { + "dataSource.category": "security", + "dataSource.name": "Cisco ISE", + "dataSource.vendor": "Cisco", + "metadata.product.name": "Cisco Identity Services Engine", + "metadata.product.vendor_name": "Cisco", + "metadata.version": "1.0.0" + }, + patterns: { + timestamp: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3})?[+-]\\d{2}:\\d{2}|\\w{3}\\s+\\d{1,2}\\s+\\d{2}:\\d{2}:\\d{2}", + ipv4: "(?:\\d{1,3}\\.){3}\\d{1,3}", + macaddr: "([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}" + }, + formats: [ + { + attributes: { + class_uid: "3002", + category_uid: "3", + severity_id: "1", + class_name: "Authentication", + category_name: "Identity & Access Management", + "metadata.product.name": "Cisco Identity Services Engine", + "metadata.product.vendor_name": "Cisco", + "dataSource.category": "security", + "dataSource.name": "Cisco ISE", + "dataSource.vendor": "Cisco" + }, + format: "$timestamp=timestamp$ $hostname$ CISE_System_Alarms $log_id$,$log_id2$,$severity$,$category$,$message$,$user$,$ip=ipv4$,$mac=macaddr$,$endpoint_id$,$auth_method$,$auth_protocol$" + }, + { + attributes: { + class_uid: "3002", + category_uid: "3", + severity_id: "2", + class_name: "Authentication", + category_name: "Identity & Access Management", + "metadata.product.name": "Cisco Identity Services Engine", + "metadata.product.vendor_name": "Cisco", + "dataSource.category": "security", + "dataSource.name": "Cisco ISE", + "dataSource.vendor": "Cisco" + }, + format: "$timestamp=timestamp$ $hostname$ CISE_Passed_Authentications $log_id$,$log_id2$,$severity$,$category$,User-Name=$user$,NAS-IP-Address=$nas_ip=ipv4$,Calling-Station-Id=$mac=macaddr$,Framed-IP-Address=$ip=ipv4$,Authentication passed" + }, + { + attributes: { + class_uid: "3002", + category_uid: "3", + severity_id: "4", + class_name: "Authentication", + category_name: "Identity & Access Management", + "metadata.product.name": "Cisco Identity Services Engine", + "metadata.product.vendor_name": "Cisco", + "dataSource.category": "security", + "dataSource.name": "Cisco ISE", + "dataSource.vendor": "Cisco" + }, + format: "$timestamp=timestamp$ $hostname$ CISE_Failed_Attempts $log_id$,$log_id2$,$severity$,$category$,User-Name=$user$,NAS-IP-Address=$nas_ip=ipv4$,Calling-Station-Id=$mac=macaddr$,Authentication failed,$failure_reason$" + }, + { + attributes: { + class_uid: "3001", + category_uid: "3", + severity_id: "2", + class_name: "Account Change", + category_name: "Identity & Access Management", + "metadata.product.name": "Cisco Identity Services Engine", + "metadata.product.vendor_name": "Cisco", + "dataSource.category": "security", + "dataSource.name": "Cisco ISE", + "dataSource.vendor": "Cisco" + }, + format: "$timestamp=timestamp$ $hostname$ CISE_Administrator $log_id$,$log_id2$,$severity$,$category$,Admin-Name=$admin_user$,Admin-Session-Id=$session_id$,Object-Name=$object_name$,Change-Type=$change_type$,Object-Type=$object_type$" + } + ] +} \ No newline at end of file diff --git a/parsers/cisco_umbrella-latest b/parsers/cisco_umbrella-latest new file mode 100644 index 0000000..e8e5ea5 --- /dev/null +++ b/parsers/cisco_umbrella-latest @@ -0,0 +1,25 @@ +{ + // specify a time zone if the timestamps in your log are not in GMT + // timezone: "GMT-0800" + + patterns: { + tsPattern: "\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}" + }, + formats: [ + { + format: "\"$timestamp=tsPattern$\",\"$PolicyIdentityLabel$\",\"$InternalClientIP$\",\"$ExternalClientIP$\",\"$DestinationIP$\",\"$ContentType$\",\"$Action$\",\"$url$\",\"$Referer$\",\"$UserAgent$\",\"$StatusCode$\",\"$RequestSize$\",\"$ResponseSize$\",\"$ResponseBodySize$\",\"$SHA-SHA256$\",\"$Categories$\",\"$AVDetections$\",\"$PUAs$\",\"$AMPDisposition$\",\"$AMPMalwareName$\",\"$AMPScore$\",\"$PolicyIdentityType$\",\"$BlockedCategories$\",\"$Identities$\",\"$IdentityTypes$\",\"$RequestMethod$\",\"$DLPStatus$\",\"$CertificateErrors$\",\"$Filename$\",\"$RulesetID$\",\"$RuleID$\",\"$DestinationsListIDs$\"", + attributes: {"dataSource.vendor": "Cisco", "dataSource.name": "Cisco Umbrella", "LogType": "proxylogs"}, + halt: true + }, + { + format: "\"$timestamp=tsPattern$\",\"$MostGranularIdentity$\",\"$Identities$\",\"$InternalIP$\",\"$ExternalIP$\",\"$Action$\",\"$QueryType$\",\"$ResponseCode$\",\"$Domain$\",\"$Categories$\",\"$MostGranularIdentityType$\",\"$IdentityTypes$\",\"$BlockedCategories$\"", + attributes: {"dataSource.vendor": "Cisco", "dataSource.name": "Cisco Umbrella", "LogType": "dnslogs"}, + halt: true + }, + { + format: "\"$ID$\",\"$timestamp=tsPattern$\",\"$Email$\",\"$User$\",\"$Type$\",\"$Action$\",\"$LoggedInFrom$\",\"$Before$\",\"$After$\"", + attributes: {"dataSource.vendor": "Cisco", "dataSource.name": "Cisco Umbrella", "LogType": "auditlogs"}, + halt: true + } + ] +} \ No newline at end of file diff --git a/parsers/claude_test_mikrotik b/parsers/claude_test_mikrotik new file mode 100644 index 0000000..7ec859c --- /dev/null +++ b/parsers/claude_test_mikrotik @@ -0,0 +1,136 @@ +{ + attributes: { + // Required pipeline defaults + "metadata.version": "1.1.0", + "dataSource.vendor": "MikroTik", + "dataSource.name": "MikroTik RouterOS", + "dataSource.category": "network", + // Product metadata + "metadata.product.vendor_name": "MikroTik", + "metadata.product.name": "RouterOS", + "metadata.log_provider": "syslog" + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + mac: "[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}", + number: "\\d+", + word: "\\w+", + iface: "[\\w.-]+" + }, + + formats: [ + // ───────────────────────────────────────────────────────────────────────── + // FIREWALL (Network Activity 4001) + // ───────────────────────────────────────────────────────────────────────── + { + // forward in:ether1 out:ether2, src-mac 00:11:22:33:44:55, proto TCP, 192.168.1.10:54321->8.8.8.8:443, len 64 + id: "firewall_full", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic" + }, + format: + "$disposition=word$ in:$src_endpoint.interface_name=iface$ out:$dst_endpoint.interface_name=iface$, " + + "src-mac $src_endpoint.mac=mac$, proto $connection_info.protocol_name=word$, " + + "$src_endpoint.ip=ipv4$:$src_endpoint.port=number$->$dst_endpoint.ip=ipv4$:$dst_endpoint.port=number$, len $traffic.bytes=number$", + halt: true + }, + { + // forward: in:ether1 out:ether2, src-address 192.168.1.10, dst-address 8.8.8.8 + id: "firewall_simple", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic" + }, + format: + "$disposition=word$: in:$src_endpoint.interface_name=iface$ out:$dst_endpoint.interface_name=iface$, " + + "src-address $src_endpoint.ip=ipv4$, dst-address $dst_endpoint.ip=ipv4$", + halt: true + }, + + // ───────────────────────────────────────────────────────────────────────── + // DHCP (DHCP Activity 4004) + // ───────────────────────────────────────────────────────────────────────── + { + // dhcp,info leased 192.168.1.100 for 00:11:22:33:44:55 + id: "dhcp_lease", + attributes: { + class_uid: 4004, class_name: "DHCP Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Lease" + }, + format: "$dhcp.action=word$ $dst_endpoint.ip=ipv4$ for $dst_endpoint.mac=mac$", + halt: true + }, + + // ───────────────────────────────────────────────────────────────────────── + // WIRELESS (Network Activity 4001) + // ───────────────────────────────────────────────────────────────────────── + { + // connected, 00:11:22:33:44:55@wlan1, signal-strength=-65 + id: "wireless", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Open" + }, + format: "$status=word$, $src_endpoint.mac=mac$@$src_endpoint.interface_name=iface$, signal-strength=$unmapped.wireless_signal$", + halt: true + }, + + // ───────────────────────────────────────────────────────────────────────── + // AUTHENTICATION (Authentication 3002) + // ───────────────────────────────────────────────────────────────────────── + { + // user admin logged in from 192.168.1.5 via winbox + id: "login", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon" + }, + format: "user $actor.user.name=word$ $status$ from $src_endpoint.ip=ipv4$ via $auth_protocol=word$", + halt: true + }, + { + // connected from 203.0.113.50 + id: "vpn_connect", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon", + auth_protocol: "PPP" + }, + format: "<$actor.user.name$> $status=word$ from $src_endpoint.ip=ipv4$", + halt: true + }, + { + // disconnected, uptime 1h30m, bytes-in=12345, bytes-out=67890 + id: "vpn_disconnect", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 2, activity_name: "Logoff", + auth_protocol: "PPP" + }, + format: "<$actor.user.name$> disconnected, uptime $session.duration$, bytes-in=$traffic.bytes_in=number$, bytes-out=$traffic.bytes_out=number$", + halt: true + }, + + // ───────────────────────────────────────────────────────────────────────── + // GENERIC FALLBACK + // ───────────────────────────────────────────────────────────────────────── + { + id: "generic", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 0, activity_name: "Unknown" + }, + format: "$unmapped.facility=word$,$unmapped.topic=word$: $unmapped.body$" + } + ] +} diff --git a/parsers/crowdstrike_falcon-latest b/parsers/crowdstrike_falcon-latest new file mode 100644 index 0000000..7d9a34f --- /dev/null +++ b/parsers/crowdstrike_falcon-latest @@ -0,0 +1,363 @@ +{ + "attributes": { + "dataSource.vendor": "CrowdStrike", + "dataSource.name": "CrowdStrike Endpoint", + "dataSource.category": "security", + "metadata.product.vendor_name": "CrowdStrike", + "metadata.product.name": "CrowdStrike Falcon", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "constant": { + "value": 1001, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Process Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": 1, + "field": "category_uid" + } + }, + { + "constant": { + "value": "System Activity", + "field": "category_name" + } + }, + { + "copy": { + "from": "unmapped.timestamp", + "to": "time" + } + }, + { + "replace": { + "field": "time", + "regexp": "(\\d+)\\d{3}", + "replacement": "$1" + } + }, + { + "copy": { + "from": "unmapped.event_id", + "to": "metadata.uid" + } + }, + { + "copy": { + "from": "unmapped.name", + "to": "message" + } + }, + { + "copy": { + "from": "unmapped.event_simpleName", + "to": "activity_name" + } + }, + { + "copy": { + "from": "unmapped.ComputerName", + "to": "device.hostname" + } + }, + { + "copy": { + "from": "unmapped.aid", + "to": "device.uid" + } + }, + { + "copy": { + "from": "unmapped.aip", + "to": "device.ip" + } + }, + { + "copy": { + "from": "unmapped.cid", + "to": "device.org.uid" + } + }, + { + "copy": { + "from": "unmapped.UserName", + "to": "actor.user.name" + } + }, + { + "copy": { + "from": "unmapped.FileName", + "to": "process.file.name" + } + }, + { + "copy": { + "from": "unmapped.FilePath", + "to": "process.file.path" + } + }, + { + "copy": { + "from": "unmapped.CommandLine", + "to": "process.cmd_line" + } + }, + { + "copy": { + "from": "unmapped.ProcessId", + "to": "process.pid" + } + }, + { + "copy": { + "from": "unmapped.RawProcessId", + "to": "process.pid" + } + }, + { + "copy": { + "from": "unmapped.ParentProcessId", + "to": "process.parent_process.pid" + } + }, + { + "copy": { + "from": "unmapped.ParentBaseFileName", + "to": "process.parent_process.file.name" + } + }, + { + "copy": { + "from": "unmapped.SHA256HashData", + "to": "process.file.hashes[0].value" + } + }, + { + "copy": { + "from": "unmapped.SHA1HashData", + "to": "process.file.hashes[1].value" + } + }, + { + "copy": { + "from": "unmapped.MD5HashData", + "to": "process.file.hashes[2].value" + } + }, + { + "copy": { + "from": "unmapped.LocalIP", + "to": "src_endpoint.ip" + } + }, + { + "copy": { + "from": "unmapped.LocalPort", + "to": "src_endpoint.port" + } + }, + { + "copy": { + "from": "unmapped.RemoteIP", + "to": "dst_endpoint.ip" + } + }, + { + "copy": { + "from": "unmapped.RemotePort", + "to": "dst_endpoint.port" + } + }, + { + "copy": { + "from": "unmapped.Protocol", + "to": "connection_info.protocol_name" + } + }, + { + "copy": { + "from": "unmapped.RegObjectName", + "to": "registry.key" + } + }, + { + "copy": { + "from": "unmapped.RegValueName", + "to": "registry.value" + } + }, + { + "copy": { + "from": "unmapped.DetectName", + "to": "finding.title" + } + }, + { + "copy": { + "from": "unmapped.DetectDescription", + "to": "finding.desc" + } + }, + { + "copy": { + "from": "unmapped.Severity", + "to": "severity_id" + } + }, + { + "copy": { + "from": "unmapped.Tactic", + "to": "finding.supporting_data.tactic" + } + }, + { + "copy": { + "from": "unmapped.Technique", + "to": "finding.supporting_data.technique" + } + }, + { + "copy": { + "from": "unmapped.IOCType", + "to": "finding.supporting_data.ioc_type" + } + }, + { + "copy": { + "from": "unmapped.IOCValue", + "to": "finding.supporting_data.ioc_value" + } + }, + { + "copy": { + "from": "unmapped.FalconHostLink", + "to": "metadata.extensions.falcon_link" + } + }, + { + "copy": { + "from": "unmapped.SensorId", + "to": "device.uid" + } + }, + { + "copy": { + "from": "unmapped.ExternalApiType", + "to": "metadata.extensions.api_type" + } + }, + { + "copy": { + "from": "unmapped.PatternDisposition", + "to": "finding.supporting_data.pattern_disposition" + } + }, + { + "constant": { + "value": "SHA256", + "field": "process.file.hashes[0].type_id", + "predicate": "unmapped.SHA256HashData != \"\"" + } + }, + { + "constant": { + "value": "SHA1", + "field": "process.file.hashes[1].type_id", + "predicate": "unmapped.SHA1HashData != \"\"" + } + }, + { + "constant": { + "value": "MD5", + "field": "process.file.hashes[2].type_id", + "predicate": "unmapped.MD5HashData != \"\"" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id" + } + }, + { + "constant": { + "value": 1, + "field": "status_id" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "device.hostname", + "type": "Hostname" + }, + { + "name": "actor.user.name", + "type": "User" + }, + { + "name": "process.file.name", + "type": "File Name" + }, + { + "name": "process.file.path", + "type": "File Name" + }, + { + "name": "process.file.hashes[0].value", + "type": "File Hash" + }, + { + "name": "process.file.hashes[1].value", + "type": "File Hash" + }, + { + "name": "process.file.hashes[2].value", + "type": "File Hash" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address" + }, + { + "name": "dst_endpoint.ip", + "type": "IP Address" + }, + { + "name": "finding.supporting_data.ioc_value", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/darktrace_darktrace_logs-latest b/parsers/darktrace_darktrace_logs-latest new file mode 100644 index 0000000..6a6d85b --- /dev/null +++ b/parsers/darktrace_darktrace_logs-latest @@ -0,0 +1,70 @@ +{ + "attributes": { + "dataSource.vendor": "Darktrace", + "dataSource.name": "Darktrace", + "marc_test_signature": "MARC-PARSER-ACTIVE-99999", + "dataSource.category": "ndr", + "metadata.product.vendor_name": "Darktrace", + "metadata.product.name": "Enterprise Immune System", + "metadata.version": "1.3.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { "constant": { "value": 2, "field": "category_uid" } }, + { "constant": { "value": "Findings", "field": "category_name" } }, + { "constant": { "value": 2004, "field": "class_uid" } }, + { "constant": { "value": "Detection Finding", "field": "class_name" } }, + { "constant": { "value": 200401, "field": "type_uid" } }, + { "constant": { "value": "Detection Finding: Create", "field": "type_name" } }, + { "constant": { "value": 1, "field": "activity_id" } }, + { "constant": { "value": "Create", "field": "activity_name" } }, + { "constant": { "value": 1, "field": "status_id" } }, + { "constant": { "value": "New", "field": "status" } }, + + { "copy": { "from": "unmapped.creationTime", "to": "time" } }, + { "copy": { "from": "unmapped.creationTime", "to": "finding_info.created_time" } }, + { "copy": { "from": "unmapped.time", "to": "finding_info.last_seen_time" } }, + + { "copy": { "from": "unmapped.pbid", "to": "external_id" } }, + { "copy": { "from": "unmapped.pbid", "to": "metadata.correlation_uid" } }, + { "copy": { "from": "unmapped.incidentId", "to": "external_id" } }, + + { "copy": { "from": "unmapped.title", "to": "finding_title" } }, + { "copy": { "from": "unmapped.title", "to": "finding.title" } }, + { "copy": { "from": "unmapped.summary", "to": "finding_info.desc" } }, + { "copy": { "from": "unmapped.category", "to": "metadata.product.feature.uid" } }, + + { "copy": { "from": "unmapped.model.name", "to": "finding_title" } }, + { "copy": { "from": "unmapped.model.name", "to": "finding.title" } }, + { "copy": { "from": "unmapped.model.uuid", "to": "finding_uid" } }, + { "copy": { "from": "unmapped.model.uuid", "to": "finding.uid" } }, + { "copy": { "from": "unmapped.model.description", "to": "finding_info.description" } }, + + { "copy": { "from": "unmapped.device.ip", "to": "src_ip" } }, + { "copy": { "from": "unmapped.device.ip", "to": "src_endpoint.ip" } }, + { "copy": { "from": "unmapped.device.ip", "to": "device.ip" } }, + { "copy": { "from": "unmapped.device.hostname", "to": "src_endpoint.hostname" } }, + { "copy": { "from": "unmapped.device.hostname", "to": "device.hostname" } }, + { "copy": { "from": "unmapped.device.hostname", "to": "device.name" } }, + { "copy": { "from": "unmapped.device.mac", "to": "src_endpoint.mac" } }, + { "copy": { "from": "unmapped.device.mac", "to": "device.mac" } }, + { "copy": { "from": "unmapped.device.os", "to": "device.os.name" } }, + { "copy": { "from": "unmapped.device.type", "to": "device.type" } }, + + { "copy": { "from": "unmapped.score", "to": "risk_score" } }, + { "copy": { "from": "unmapped.score", "to": "confidence_score" } } + ] + } + ] + } +} diff --git a/parsers/f5_networks_logs-latest b/parsers/f5_networks_logs-latest new file mode 100644 index 0000000..a748cb8 --- /dev/null +++ b/parsers/f5_networks_logs-latest @@ -0,0 +1,26 @@ +{ + attributes: { + class_uid: "5002", + category_uid: "4", + severity_id: "0", + class_name: "F5 Web Traffic", + category_name: "F5 HTTP Access Logs", + "metadata.product.name": "F5 BIG-IP", + "metadata.product.vendor_name": "F5 Networks", + "dataSource.category": "network", + "dataSource.name": "F5 BIG-IP", + "dataSource.vendor": "F5" + }, + patterns: { + timestamp: "\\d{4}/\\d{2}/\\d{2}\\s+\\d{2}:\\d{2}:\\d{2}", + ipv4: "(?:\\d{1,3}\\.){3}\\d{1,3}", + quote: "\"[^\"]*\"", + number: "\\d+" + }, + formats: [ + { + format: ".*$_=identifier$=$_$(?:\\,|\\r)", + repeat: true + } + ] +} \ No newline at end of file diff --git a/parsers/fortinet_fortigate_candidate_logs-latest b/parsers/fortinet_fortigate_candidate_logs-latest new file mode 100644 index 0000000..6c8a052 --- /dev/null +++ b/parsers/fortinet_fortigate_candidate_logs-latest @@ -0,0 +1,316 @@ +{ + /* + * A parser for Fortigate syslog. + * + * It will split every key/value pair to a field 'fortinet.fieldname' + * Uses rewrites to rewrite the field to OCSF field used by SentinelOne SDL + * + * Instructions: + * + * - Use the format "default" in FortiGate configuration: + * - ssh to fg device + * commands: + * config log syslogd settings + * set format default + * end + * + * - fill in site ID if you want the data to be surfaced in the context of a SITE, or remove the attribute below. + * + * + * Contributors: Mischa Deden , Jan Tietze (original parser) + */ + "patterns": + { + "dateTimePattern": "date=\\d+-\\d+-\\d+ time=\\d+:\\d+:\\d+" + }, + + "attributes": + { + "dataSource.category": "security", + "dataSource.name": "Fortigate", + "dataSource.vendor": "Fortinet" + }, + + "formats": [ + { + "format": "^<$syslog.priority{parse=syslogPriority}$>$datetime=dateTimePattern$", + "rewrites": [ + { + "input": "datetime", + "output": "timestamp", + "match": "date=(\\d+-\\d+-\\d+) time=(\\d+:\\d+:\\d+)", + "replace": "$1 $2" + } + ] + }, { + "format": ".*$_=identifier$=$fortinet._=quoteOrSpace$", + "repeat": true, + "rewrites": [ + { + "input": "fortinet.action", + "output": "event.network.connectionStatus", + "match": ".*", + "replace": "$0" + }, + { + "input": "fortinet.subtype", + "output": "event.network.direction", + "match": ".*", + "replace": "$0" + }, + { + "input": "fortinet.service", + "output": "event.network.protocolName", + "match": ".*", + "replace": "$0" + }, + { + "input": "fortinet.srcip", + "match": ".*", + "output": "event.source", + "replace": "$0" + }, + { + "input": "fortinet.srcip", + "match": ".*", + "output": "src_endpoint.ip", + "replace": "$0" + }, + { + "input": "fortinet.srcport", + "match": ".*", + "output": "src_endpoint.port", + "replace": "$0" + }, + { + "input": "fortinet.srcmac", + "match": ".*", + "output": "src_endpoint.mac", + "replace": "$0" + }, + { + "input": "fortinet.dstip", + "match": ".*", + "output": "dst_endpoint.ip", + "replace": "$0" + }, + { + "input": "fortinet.dstip", + "match": ".*", + "output": "dst.ipaddress", + "replace": "$0" + }, + { + "input": "fortinet.dstip", + "match": ".*", + "output": "event.target", + "replace": "$0" + }, + { + "input": "fortinet.dstport", + "match": ".*", + "output": "dst_endpoint.port", + "replace": "$0" + }, + { + "input": "fortinet.dstport", + "match": ".*", + "output": "dst.port.number", + "replace": "$0" + }, + { + "input": "fortinet.dstmac", + "match": ".*", + "output": "dst_endpoint.mac", + "replace": "$0" + }, + { + "input": "fortinet.subtype", + "match": ".*", + "output": "activity_name", + "replace": "$0" + }, + { + "input": "fortinet.subtype", + "match": ".*", + "output": "activity_id", + "replace": "$0" + }, + { + "input": "fortinet.subtype", + "match": ".*", + "output": "event.type", + "replace": "$0" + }, + { + "input": "fortinet.severity", + "match": ".*", + "output": "severity_id", + "replace": "99" + }, + { + "input": "fortinet.severity", + "match": "^information$", + "output": "severity_id", + "replace": "1" + }, + { + "input": "fortinet.severity", + "match": "^critical$", + "output": "severity_id", + "replace": "5" + }, + { + "input": "fortinet.severity", + "match": "^Emergency$", + "output": "severity_id", + "replace": "6" + }, + { + "input": "fortinet.severity", + "match": "^information$", + "output": "severity_id", + "replace": "1" + }, + { + "input": "fortinet.severity", + "match": "^critical$", + "output": "severity_id", + "replace": "5" + }, + { + "input": "fortinet.severity", + "match": "^Emergency$", + "output": "severity_id", + "replace": "6" + }, + { + "input": "fortinet.action", + "match": ".*", + "output": "activity_name", + "replace": "$0" + }, + { + "input": "fortinet.action", + "match": "^(accept|permit)$", + "output": "activity_name", + "replace": "Open" + }, + { + "input": "fortinet.action", + "match": "^(dropped|close|shutdown)$", + "output": "activity_name", + "replace": "Close" + }, + { + "input": "fortinet.action", + "match": "^clear_session", + "output": "activity_name", + "replace": "Reset" + }, + { + "input": "fortinet.action", + "match": "^(block|blocked)$", + "output": "activity_name", + "replace": "Refuse" + }, + { + "input": "activity_name", + "match": ".*", + "output": "activity_id", + "replace": "99" + }, + { + "input": "activity_name", + "match": "^Open", + "output": "activity_id", + "replace": "1" + }, + { + "input": "activity_name", + "match": "^Close", + "output": "activity_id", + "replace": "2" + }, + { + "input": "activity_name", + "match": "^Reset", + "output": "activity_id", + "replace": "3" + }, + { + "input": "activity_name", + "match": "^Refuse", + "output": "activity_id", + "replace": "5" + }, + { + "input": "activity_name", + "match": ".*", + "output": "event.type", + "replace": "$0" + }, + { + "input": "fortinet.severity", + "match": ".*", + "output": "severity_id", + "replace": "99" + }, + { + "input": "fortinet.severity", + "match": "^(information|Information)$", + "output": "severity_id", + "replace": "1" + }, + { + "input": "fortinet.severity", + "match": "^(critical|Critical)$", + "output": "severity_id", + "replace": "5" + }, + { + "input": "fortinet.severity", + "match": "^(emergency|Emergency)$", + "output": "severity_id", + "replace": "6" + }, + { + "input": "activity_id", + "match": "(.*)", + "output": "type_uid", + "replace": "40010$0" + }, + { + "input": "activity_id", + "match": "99", + "output": "type_uid", + "replace": "400199" + }, + { + "input": "activity_name", + "match": "(.*)", + "output": "type_name", + "replace": "Network Activity: $0" + }, + { + "input": "fortinet.sentbyte", + "match": "(.*)", + "output": "traffic.bytes_in", + "replace": "$0" + }, + { + "input": "fortinet.rcvdbyte", + "match": "(.*)", + "output": "traffic.bytes_out", + "replace": "$0" + }, + { + "input": "message", + "match": ".*srcip\\=(\\S+)\\s.*dstip\\=(\\S+)\\s.*dstmac\\=\"(.*?)\"\\s.*", + "output": "observables", + "replace": "\\[\\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"fortinet.srcip\"\\, \"value\"\\: \"$1\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"fortinet.dstip\"\\, \"value\"\\: \"$2\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"fortinet.dstmac\"\\, \"value\"\\: \"$3\"\\}\\]" + } + ] + } + ] + } diff --git a/parsers/github_audit-latest b/parsers/github_audit-latest new file mode 100644 index 0000000..0bfd4b1 --- /dev/null +++ b/parsers/github_audit-latest @@ -0,0 +1,75 @@ +{ + "attributes": { + "dataSource.vendor": "GitHub", + "dataSource.name": "GitHub Audit", + "dataSource.category": "security", + "dataSource.technology": "source_control" + }, + + "formats": [ + { + "id": "github_audit_json", + "format": "$unmapped.{parse=gron}$", + "attributes": { + "class_uid": 8001, + "class_name": "DevOps Activity", + "category_uid": 8, + "category_name": "System Activity", + "type_uid": 800101, + "activity_id": 1, + "activity_name": "Repository Activity", + "severity_id": 1 + }, + "rewrites": [ + { + "input": "timestamp", + "output": "time", + "match": ".*", + "replace": "$0" + }, + { + "input": "actor", + "output": "user.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "source_ip", + "output": "src_endpoint.ip", + "match": ".*", + "replace": "$0" + }, + { + "input": "org", + "output": "metadata.tenant_uid", + "match": ".*", + "replace": "$0" + }, + { + "input": "repository", + "output": "resource.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "action", + "output": "activity_name", + "match": ".*", + "replace": "$0" + }, + { + "input": "outcome", + "output": "status", + "match": ".*", + "replace": "$0" + }, + { + "input": "description", + "output": "message", + "match": ".*", + "replace": "$0" + } + ] + } + ] +} \ No newline at end of file diff --git a/parsers/harness_ci-latest b/parsers/harness_ci-latest new file mode 100644 index 0000000..e9c3ebc --- /dev/null +++ b/parsers/harness_ci-latest @@ -0,0 +1,261 @@ +{ + "attributes": { + "dataSource.vendor": "Harness", + "dataSource.name": "Harness CI/CD", + "dataSource.category": "security", + "metadata.product.vendor_name": "Harness", + "metadata.product.name": "Harness CI/CD", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$timestamp$ Harness pipelineId=\"$pipeline_id$\" executionId=\"$execution_id$\" status=\"$status$\" trigger=\"$trigger$\" initiator=\"$initiator$\" message=\"$message$\"", + "rewrites": [ + { + "input": "timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "pipeline_id", + "output": "job.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "execution_id", + "output": "job.uid", + "match": ".*", + "replace": "$0" + }, + { + "input": "status", + "output": "status_detail", + "match": ".*", + "replace": "$0" + }, + { + "input": "trigger", + "output": "job.run_type", + "match": ".*", + "replace": "$0" + }, + { + "input": "initiator", + "output": "actor.user.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "message", + "output": "message", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "status_detail = *", + "transformations": [ + { + "constant": { + "value": 6003, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Job Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": 6, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Application Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "status_detail = 'STARTED' OR status_detail = 'RUNNING'" + } + }, + { + "constant": { + "value": "Start", + "field": "activity_name", + "predicate": "status_detail = 'STARTED' OR status_detail = 'RUNNING'" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id", + "predicate": "status_detail = 'SUCCEEDED'" + } + }, + { + "constant": { + "value": "Complete", + "field": "activity_name", + "predicate": "status_detail = 'SUCCEEDED'" + } + }, + { + "constant": { + "value": 3, + "field": "activity_id", + "predicate": "status_detail = 'CANCELLED' OR status_detail = 'PAUSED'" + } + }, + { + "constant": { + "value": "Cancel", + "field": "activity_name", + "predicate": "status_detail = 'CANCELLED' OR status_detail = 'PAUSED'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + "predicate": "status_detail = 'FAILED'" + } + }, + { + "constant": { + "value": "Other", + "field": "activity_name", + "predicate": "status_detail = 'FAILED'" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "status_detail = 'SUCCEEDED' OR status_detail = 'STARTED' OR status_detail = 'RUNNING'" + } + }, + { + "constant": { + "value": "Success", + "field": "status", + "predicate": "status_detail = 'SUCCEEDED' OR status_detail = 'STARTED' OR status_detail = 'RUNNING'" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "status_detail = 'FAILED'" + } + }, + { + "constant": { + "value": "Failure", + "field": "status", + "predicate": "status_detail = 'FAILED'" + } + }, + { + "constant": { + "value": 99, + "field": "status_id", + "predicate": "status_detail = 'CANCELLED' OR status_detail = 'PAUSED'" + } + }, + { + "constant": { + "value": "Other", + "field": "status", + "predicate": "status_detail = 'CANCELLED' OR status_detail = 'PAUSED'" + } + }, + { + "constant": { + "value": 1, + "field": "severity_id" + } + }, + { + "constant": { + "value": "Informational", + "field": "severity" + } + }, + { + "constant": { + "value": 600301, + "field": "type_uid" + } + }, + { + "copy": { + "from": "job.name", + "to": "job.name" + } + }, + { + "copy": { + "from": "job.uid", + "to": "job.uid" + } + }, + { + "copy": { + "from": "job.run_type", + "to": "job.run_type" + } + }, + { + "copy": { + "from": "actor.user.name", + "to": "actor.user.name" + } + }, + { + "copy": { + "from": "status_detail", + "to": "status_detail" + } + }, + { + "copy": { + "from": "message", + "to": "message" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "actor.user.name", + "type": "User" + }, + { + "name": "job.name", + "type": "Other" + }, + { + "name": "job.uid", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/hashicorp_vault-latest b/parsers/hashicorp_vault-latest new file mode 100644 index 0000000..b717200 --- /dev/null +++ b/parsers/hashicorp_vault-latest @@ -0,0 +1,287 @@ +{ + "attributes": { + "dataSource.vendor": "HashiCorp", + "dataSource.name": "HashiCorp Vault", + "dataSource.category": "security", + "metadata.product.vendor_name": "HashiCorp", + "metadata.product.name": "HashiCorp Vault", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.time", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "constant": { + "value": 6001, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Vault Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": 6, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Application Activity", + "field": "category_name" + } + }, + { + "copy": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "copy": { + "from": "unmapped.timestamp", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "copy": { + "from": "unmapped.request.id", + "to": "metadata.uid" + } + }, + { + "copy": { + "from": "unmapped.type", + "to": "message" + } + }, + { + "copy": { + "from": "unmapped.request.operation", + "to": "activity_name" + } + }, + { + "copy": { + "from": "unmapped.auth.display_name", + "to": "user.name" + } + }, + { + "copy": { + "from": "unmapped.auth.entity_id", + "to": "user.uid" + } + }, + { + "copy": { + "from": "unmapped.auth.token_type", + "to": "user.type" + } + }, + { + "copy": { + "from": "unmapped.request.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "copy": { + "from": "unmapped.request.client_token", + "to": "session.uid" + } + }, + { + "copy": { + "from": "unmapped.request.path", + "to": "http_request.url.path" + } + }, + { + "copy": { + "from": "unmapped.request.namespace.path", + "to": "http_request.url.path" + } + }, + { + "copy": { + "from": "unmapped.response.data.accessor", + "to": "dst_endpoint.uid" + } + }, + { + "copy": { + "from": "unmapped.response.data.entity_id", + "to": "dst_endpoint.uid" + } + }, + { + "copy": { + "from": "unmapped.error", + "to": "status_detail" + } + }, + { + "copy": { + "from": "unmapped.auth.policies", + "to": "metadata.extensions.policies" + } + }, + { + "copy": { + "from": "unmapped.request.mount_type", + "to": "metadata.extensions.mount_type" + } + }, + { + "copy": { + "from": "unmapped.request.mount_point", + "to": "metadata.extensions.mount_point" + } + }, + { + "copy": { + "from": "unmapped.response.mount_type", + "to": "metadata.extensions.mount_type" + } + }, + { + "copy": { + "from": "unmapped.response.secret", + "to": "metadata.extensions.secret" + } + }, + { + "copy": { + "from": "unmapped.response.data.lease_id", + "to": "metadata.extensions.lease_id" + } + }, + { + "copy": { + "from": "unmapped.response.data.lease_duration", + "to": "metadata.extensions.lease_duration" + } + }, + { + "copy": { + "from": "unmapped.response.data.renewable", + "to": "metadata.extensions.renewable" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.error == \"\"" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id", + "predicate": "unmapped.error != \"\"" + } + }, + { + "constant": { + "value": 1, + "field": "severity_id", + "predicate": "unmapped.error == \"\"" + } + }, + { + "constant": { + "value": 3, + "field": "severity_id", + "predicate": "unmapped.error != \"\"" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "unmapped.error == \"\"" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "unmapped.error != \"\"" + } + }, + { + "constant": { + "value": "Success", + "field": "status", + "predicate": "unmapped.error == \"\"" + } + }, + { + "constant": { + "value": "Failure", + "field": "status", + "predicate": "unmapped.error != \"\"" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "user.name", + "type": "User" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address" + }, + { + "name": "session.uid", + "type": "Other" + }, + { + "name": "http_request.url.path", + "type": "Other" + }, + { + "name": "metadata.extensions.lease_id", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/imperva_waf_logs-latest b/parsers/imperva_waf_logs-latest new file mode 100644 index 0000000..e598b35 --- /dev/null +++ b/parsers/imperva_waf_logs-latest @@ -0,0 +1,84 @@ +{ + // specify a time zone if the timestamps in your log are not in GMT + // timezone: "GMT-0800" + attributes: { + "dataSource.name": "Imperva WAF", + "dataSource.vendor": "Imperva", + "dataSource.category": "security" + "metadata.product.name": "Imperva WAF", + "metadata.product.vendor_name": "Imperva" + }, + + patterns: { + tsPattern: "\\d+", + value: "[^\\s]+", + toDrop: "^(?!CEF).*$" + }, + + formats: [ + //drop logs + { + id: "drop", + format: "$unwanted=toDrop$", + discard: true + }, + + { + format: "$unmapped.cef.version$\\|$metadata.vendor_name$\\|$metadata.product$\\|$metadata.product.version$\\|$unmapped.signature$\\|$event.type$\\|$severity$\\|", + }, + { + format: ".*\\sstart=$timestamp=tsPattern$", + }, + { + format: ".*requestClientApplication=$unmapped.requestClientApplication$\\sdeviceFacility", + }, + { + format: ".*\\scs2=$unmapped.cs2$\\scs2Label=$unmapped.cs2Label$\\scs3=$unmapped.cs3$\\scs3Label=$unmapped.cs3Label$\\scs1=$unmapped.cs1$\\scs1Label=$unmapped.cs1Label$\\scs4=$unmapped.cs4$\\scs4Label=$unmapped.cs4Label$\\scs5=$unmapped.cs5$\\scs5Label=$unmapped.cs5Label$\\scs6=$unmapped.cs6$\\scs6Label=$unmapped.cs6Label$\\scs7=$unmapped.cs7$\\scs7Label=$unmapped.cs7Label$\\scs8=$unmapped.cs8$\\scs8Label=$unmapped.cs8Label$\\sCustomer", + }, + { + format: ".*\\scs10=$unmapped.cs10$\\scs10Label=$unmapped.cs10Label$\\scpt", + }, + { + format: ".*\\sver=$unmapped.ver$\\s$unmapped.cipher$\\s", + }, + { + format: ".*$_=identifier$=$unmapped._=value$", + repeat: true + } + ], + mappings: { + version: 0, + mappings: [ + { + predicate: "", + renames: [ + { + inputs : ["unmapped.dst"], + output : "dst_endpoint.ip", + type: "string" + }, + { + inputs: ["unmapped.dpt"], + output: "dst_endpoint.port", + type: "string" + }, + { + inputs: ["unmapped.src"], + output: "src_endpoint.ip", + type: "string" + }, + { + inputs: ["unmapped.spt"], + output: "src_endpoint.port", + type: "string" + }, + { + inputs: ["unmapped.Customer"], + output: "Account Name", + type: "string" + } + ] + } + ] + } +} \ No newline at end of file diff --git a/parsers/json-app-logs b/parsers/json-app-logs new file mode 100644 index 0000000..7466161 --- /dev/null +++ b/parsers/json-app-logs @@ -0,0 +1,80 @@ +{ + // OCSF-compliant parser for JSON application logs + // Schema: OCSF v1.3.0 - Security Finding (class_uid 2001) + // https://schema.ocsf.io/1.3.0/classes/security_finding + + attributes: { + // ─── OCSF Metadata ────────────────────────────────────────────── + "metadata.version": "1.3.0", + "metadata.product.vendor_name": "GenericApp", + "metadata.product.name": "Application Logger", + "metadata.product.version": "1.0.0", + "metadata.log_provider": "hec", + + // ─── OCSF Classification (Security Finding) ────────────────────── + "category_uid": 2, + "category_name": "Findings", + "class_uid": 2001, + "class_name": "Security Finding", + "activity_id": 1, + "activity_name": "Create", + "type_uid": 200101, + "type_name": "Security Finding: Create", + + // ─── OCSF Finding state defaults (overridable via rewrites) ───── + "status_id": 1, // 1=New + "status": "New", + "disposition_id": 0, // 0=Unknown + "disposition": "Unknown", + + // ─── SDL/S1 routing fields (non-OCSF) ─────────────────────────── + "Category": "security", + "dataSource.vendor": "GenericApp", + "dataSource.name": "alert", + "dataSource.category": "security", + "finding_info.types": ["Authentication"] + }, + + formats: [ + { + // Auto-extract every JSON top-level field as an attribute + format: "$=json{parse=json}$", + halt: true, + rewrites: [ + // ─── Time handling ───────────────────────────────────────────── + // Source JSON uses `event_iso` (ISO string). NEVER use the bare + // `time` attr (SDL reserved, expects epoch ms) or any `*_time` + // suffix (AI SIEM auto-parses as date, shows "Invalid Date" for + // ISO strings). + { input: "event_iso", output: "finding_info.created_time_dt", match: ".*", replace: "$0" }, + + // ─── Actor (user) ─────────────────────────────────────────── + { input: "user", output: "actor.user.name", match: ".*", replace: "$0" }, + { input: "user", output: "actor.user.uid", match: ".*", replace: "$0" }, + + // ─── Finding info ─────────────────────────────────────────── + { input: "msg", output: "finding_info.title", match: ".*", replace: "$0" }, + { input: "msg", output: "finding_info.desc", match: ".*", replace: "$0" }, + // finding_info.uid: use the original log line hash; SDL has no hash fn, + // so fall back to msg+user concatenation (callers SHOULD add an `id` field) + { input: "msg", output: "finding_info.uid", match: ".*", replace: "$0" }, + + // ─── Raw log preservation (OCSF: raw_data) ────────────────── + { input: "msg", output: "raw_data", match: ".*", replace: "$0" }, + + // ─── Severity (string + int, OCSF v1.3.0 ranges) ──────────── + // NOTE: SDL reserves the bare `severity` field name and renames our + // attribute to `severity_`. We populate `severity_str` (queryable) and + // `severity_id` (OCSF integer 0-6). + { input: "level", output: "severity_id", match: "(?i)error", replace: "5" }, + { input: "level", output: "severity_id", match: "(?i)warn", replace: "4" }, + { input: "level", output: "severity_id", match: "(?i)info", replace: "3" }, + { input: "level", output: "severity_id", match: "(?i)debug", replace: "1" }, + { input: "level", output: "severity_str", match: "(?i)error", replace: "Critical" }, + { input: "level", output: "severity_str", match: "(?i)warn", replace: "High" }, + { input: "level", output: "severity_str", match: "(?i)info", replace: "Informational" }, + { input: "level", output: "severity_str", match: "(?i)debug", replace: "Other" } + ] + } + ] +} diff --git a/parsers/marcparser b/parsers/marcparser new file mode 100644 index 0000000..01b91d1 --- /dev/null +++ b/parsers/marcparser @@ -0,0 +1,59 @@ +{ + attributes: { + "dataSource.vendor": "pfSense", + "dataSource.name": "pfSense Firewall", + "dataSource.category": "security" + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + ipv6: "[0-9A-Fa-f:]+", + ipv46: "(\\d+\\.\\d+\\.\\d+\\.\\d+|[0-9A-Fa-f:]+)", + number: "\\d+" + }, + + formats: [ + { + // ACCEPT TCP 4f48:...:55177 -> f7b0:...:10680 - Rule: 4891 - Bytes: 1234 + id: "flow", + format: + "$pf_action$ $network_protocol$ " + + "$src_ip=ipv46$:$src_port=number$ -> " + + "$dst_ip=ipv46$:$dst_port=number$ - Rule: " + + "$fw_rule_id=number$ - Bytes: $bytes=number$", + halt: true + }, + { + // INTRUSION DETECTED: DDoS from 92.191.154.186 - Blocked by rule 7936 - Severity: HIGH + id: "ids", + format: + "INTRUSION DETECTED: $attack_type$ from " + + "$src_ip=ipv4$ - Blocked by rule $fw_rule_id=number$ - Severity: $severity$", + halt: true + } + ], + + mappings: { + version: 1, + mappings: [ + { + predicate: "true", + transformations: [ + { "rename": { "from": "src_ip", "to": "src.ip.address" } }, + { "rename": { "from": "dst_ip", "to": "dst.ip.address" } }, + { "rename": { "from": "src_port", "to": "src.port.number" } }, + { "rename": { "from": "dst_port", "to": "dst.port.number" } }, + { "rename": { "from": "network_protocol", "to": "network.protocol" } }, + { "rename": { "from": "fw_rule_id", "to": "unmapped.firewall.rule_id" } }, + { "rename": { "from": "bytes", "to": "network.bytes" } }, + { "rename": { "from": "pf_action", "to": "event.outcome" } }, + { "rename": { "from": "severity", "to": "severity" } }, + { "rename": { "from": "attack_type", "to": "unmapped.attack.type" } }, + + { "constant": { "field": "event.category", "value": "network" } }, + { "constant": { "field": "class_name", "value": "Network Activity" } } + ] + } + ] + } +} \ No newline at end of file diff --git a/parsers/marcpfsense b/parsers/marcpfsense new file mode 100644 index 0000000..7c1b220 --- /dev/null +++ b/parsers/marcpfsense @@ -0,0 +1,63 @@ +{ + attributes: { + "dataSource.vendor": "pfSense", + "dataSource.name": "pfSense", + "dataSource.category": "security" + }, + + patterns: { + tsPattern: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2}", + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + ipv6: "[a-fA-F0-9:]+", + ipv46: "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+)", + ipv: "(4|6)", + hex: "([a-f0-9]+x[a-f0-9]+){0,1}", + tcpflags: "[SA\\.FRPUEW]+", + numberOrNone: "[0-9]{0,}", + textOrNone: "[a-zA-Z-\\.0-9]{0,}" + }, + + formats: [ + { + // Base filterlog header + format: "$timestamp=tsPattern$ $hostname=ipv46$ filterlog: " + + "$pfRule=numberOrNone$,$pfSubRule=numberOrNone$," + + "$pfAnchor=textOrNone$,$pfTracker=numberOrNone$," + + "$pfInterface$,$pfReason=identifier$," + + "$pfAction=identifier$,$pfDirection=identifier$,.*" + }, + { + // IPv4 header-specific fields + attributes: { pfIpv: 4 }, + format: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2} " + + "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+) filterlog: " + + "([a-zA-Z0-9-\\.]+,|,){8}4," + + "$pfTos=hex$,$pfEcn$,$pfTtl=numberOrNone$," + + "$pfPacketId=numberOrNone$,$pfOffset=numberOrNone$," + + "$pfIPFlags=identifier$,$pfProtocolID$,$msg$" + }, + { + // TCP flow + attributes: { pfProtocol: "tcp" }, + format: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2} " + + "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+) filterlog: " + + "([a-zA-Z0-9-\\.]+,|,){16}tcp," + + "$pfPacketLen=number$,$pfSourceIP=ipv4$,$pfDestIP=ipv4$," + + "$pfSourcePort=number$,$pfDestPort=number$," + + "$pfDataLen=number$,$pfTCPFlags=tcpflags$," + + "$pfSeq=numberOrNone$,$pfAck=numberOrNone$," + + "$pfWindow=numberOrNone$,$pfUrg=textOrNone$,$pfTcpOptions$", + halt: true + }, + { + // UDP flow + attributes: { pfProtocol: "udp" }, + format: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2} " + + "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+) filterlog: " + + "([a-zA-Z0-9-\\.]+,|,){16}udp," + + "$pfPacketLen=number$,$pfSourceIP=ipv4$,$pfDestIP=ipv4$," + + "$pfSourcePort=number$,$pfDestPort=number$,$pfDataLen=number$", + halt: true + } + ] +} \ No newline at end of file diff --git a/parsers/microsoft_365_collaboration-latest b/parsers/microsoft_365_collaboration-latest new file mode 100644 index 0000000..29e2a89 --- /dev/null +++ b/parsers/microsoft_365_collaboration-latest @@ -0,0 +1,147 @@ +{ + "attributes": { + "dataSource.name": "Microsoft 365 Collaboration", + "dataSource.vendor": "Microsoft", + "dataSource.category": "security", + "metadata.product.name": "Microsoft 365 SharePoint/OneDrive", + "metadata.product.vendor_name": "Microsoft", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=gron}$", + "rewrites": [ + { + "input": "unmapped.TimeStamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "constant": { + "value": 1, + "field": "activity_id" + } + }, + { + "constant": { + "value": "Create", + "field": "activity_name" + } + }, + { + "constant": { + "value": 1, + "field": "category_uid" + } + }, + { + "constant": { + "value": 1006, + "field": "class_uid" + } + }, + { + "constant": { + "value": "File Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": "System Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 100601, + "field": "type_uid" + } + }, + { + "constant": { + "value": "File Activity: Create", + "field": "type_name" + } + }, + { + "copy": { + "from": "unmapped.TimeStamp", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.UserId", + "to": "actor.user.email_addr" + } + }, + { + "rename": { + "from": "unmapped.Operation", + "to": "activity_name" + } + }, + { + "rename": { + "from": "unmapped.SiteUrl", + "to": "src_endpoint.url.url_string" + } + }, + { + "rename": { + "from": "unmapped.ObjectId", + "to": "file.path" + } + }, + { + "rename": { + "from": "unmapped.FileName", + "to": "file.name" + } + }, + { + "rename": { + "from": "unmapped.TargetUser", + "to": "user.email_addr" + } + }, + { + "rename": { + "from": "unmapped.RequestedBy", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.Details", + "to": "message" + } + }, + { + "constant": { + "value": "Microsoft 365", + "field": "cloud.provider" + } + } + ] + } + ] + } +} \ No newline at end of file diff --git a/parsers/microsoft_azuread-latest b/parsers/microsoft_azuread-latest new file mode 100644 index 0000000..b246386 --- /dev/null +++ b/parsers/microsoft_azuread-latest @@ -0,0 +1,327 @@ +{ + "attributes": { + "dataSource.vendor": "Microsoft", + "dataSource.name": "Azure AD", + "dataSource.category": "security", + "metadata.product.vendor_name": "Microsoft", + "metadata.product.name": "Azure Active Directory", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.time", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.activityDateTime", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "constant": { + "value": 3002, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Authentication", + "field": "class_name" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "copy": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "copy": { + "from": "unmapped.activityDateTime", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "copy": { + "from": "unmapped.id", + "to": "metadata.uid" + } + }, + { + "copy": { + "from": "unmapped.activityDisplayName", + "to": "message" + } + }, + { + "copy": { + "from": "unmapped.activity", + "to": "activity_name" + } + }, + { + "copy": { + "from": "unmapped.userPrincipalName", + "to": "user.name" + } + }, + { + "copy": { + "from": "unmapped.displayName", + "to": "user.full_name" + } + }, + { + "copy": { + "from": "unmapped.userId", + "to": "user.uid" + } + }, + { + "copy": { + "from": "unmapped.ipAddress", + "to": "src_endpoint.ip" + } + }, + { + "copy": { + "from": "unmapped.clientAppUsed", + "to": "http_request.user_agent" + } + }, + { + "copy": { + "from": "unmapped.userAgent", + "to": "http_request.user_agent" + } + }, + { + "copy": { + "from": "unmapped.location.city", + "to": "src_endpoint.location.city" + } + }, + { + "copy": { + "from": "unmapped.location.state", + "to": "src_endpoint.location.region" + } + }, + { + "copy": { + "from": "unmapped.location.countryOrRegion", + "to": "src_endpoint.location.country" + } + }, + { + "copy": { + "from": "unmapped.location.geoCoordinates.latitude", + "to": "src_endpoint.location.coordinates[0]" + } + }, + { + "copy": { + "from": "unmapped.location.geoCoordinates.longitude", + "to": "src_endpoint.location.coordinates[1]" + } + }, + { + "copy": { + "from": "unmapped.result", + "to": "status" + } + }, + { + "copy": { + "from": "unmapped.resultReason", + "to": "status_detail" + } + }, + { + "copy": { + "from": "unmapped.operationType", + "to": "activity_name" + } + }, + { + "copy": { + "from": "unmapped.category", + "to": "category_name" + } + }, + { + "copy": { + "from": "unmapped.correlationId", + "to": "metadata.correlation_uid" + } + }, + { + "copy": { + "from": "unmapped.resourceDisplayName", + "to": "dst_endpoint.name" + } + }, + { + "copy": { + "from": "unmapped.resourceId", + "to": "dst_endpoint.uid" + } + }, + { + "copy": { + "from": "unmapped.targetResources[0].displayName", + "to": "dst_endpoint.name" + } + }, + { + "copy": { + "from": "unmapped.targetResources[0].id", + "to": "dst_endpoint.uid" + } + }, + { + "copy": { + "from": "unmapped.targetResources[0].userPrincipalName", + "to": "dst_endpoint.name" + } + }, + { + "copy": { + "from": "unmapped.authenticationDetails[0].authenticationMethod", + "to": "auth_protocol" + } + }, + { + "copy": { + "from": "unmapped.authenticationDetails[0].succeeded", + "to": "status" + } + }, + { + "copy": { + "from": "unmapped.conditionalAccessStatus", + "to": "metadata.extensions.conditional_access_status" + } + }, + { + "copy": { + "from": "unmapped.isInteractive", + "to": "metadata.extensions.is_interactive" + } + }, + { + "copy": { + "from": "unmapped.riskLevel", + "to": "risk_level" + } + }, + { + "copy": { + "from": "unmapped.riskState", + "to": "risk_level_id" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.result = 'success'" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id", + "predicate": "unmapped.result = 'failure'" + } + }, + { + "constant": { + "value": 1, + "field": "severity_id", + "predicate": "unmapped.result = 'success'" + } + }, + { + "constant": { + "value": 3, + "field": "severity_id", + "predicate": "unmapped.result = 'failure'" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "unmapped.result = 'success'" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "unmapped.result = 'failure'" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "user.name", + "type": "User" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address" + }, + { + "name": "user.uid", + "type": "User" + }, + { + "name": "dst_endpoint.name", + "type": "Other" + }, + { + "name": "metadata.correlation_uid", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/microsoft_windows_eventlog-latest b/parsers/microsoft_windows_eventlog-latest new file mode 100644 index 0000000..37a730e --- /dev/null +++ b/parsers/microsoft_windows_eventlog-latest @@ -0,0 +1,39 @@ +{ + // Default Attributes + attributes: { + "dataSource.category": "security", + "dataSource.name": "Windows Event Logs", + "dataSource.vendor": "Microsoft", + "event.type": "Windows Event Log Creation" + }, + patterns: { + SystemTimePattern: "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{7}Z" + }, + formats: [ + { + // Match Event ID : 4743 + format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.task$\",\"Provider\":\"$winEventLog.rendering_info.provider$\",\"Opcode\":\"$winEventLog.rendering_info.opcode$\",\"Message\":\"$winEventLog.message$\",\"Level\":\"$winEventLog.rendering_info.level$\",\"Keywords\":\\{\"Keyword\":\"$winEventLog.rendering_info.keywords.keyword$\"},\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.culture$\"},\"EventData\":\\{\"Data\":\\{\"SubjectUserSid\":\\{\"Text\":\"$winEventLog.EventData.userSID$\"},\"SubjectUserName\":\\{\"Text\":\"$winEventLog.EventData.userName$\"},\"SubjectLogonId\":\\{\"Text\":\"$winEventLog.EventData.logonId$\"},\"SubjectDomainName\":\\{\"Text\":\"$winEventLog.EventData.domainName$\"},\"PrivilegeList\":\\{\"Text\":\"$winEventLog.EventData.PrivilegeList$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}" + halt: true + }, + { + // Match Event ID : 4742 + format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.Task$\",\"Provider\":\"$winEventLog.rendering_info.Provider$\",\"Opcode\":\"$winEventLog.rendering_info.Opcode$\",\"Message\":\"$winEventLog.rendering_info.Message$\",\"Level\":\"$winEventLog.rendering_info.Level$\",\"Keywords\":\\{\"Keyword\":\"$winEventLog.rendering_info.Keywords.Keyword$\"},\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.Culture$\"},\"EventData\":\\{\"Data\":\\{\"UserWorkstations\":\\{\"Text\":\"$winEventLog.EventData.UserWorkstations$\"},\"UserPrincipalName\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"UserParameters\":\\{\"Text\":\"$winEventLog.EventData.UserParameters$\"},\"UserAccountControl\":\\{\"Text\":\"$winEventLog.EventData.UserAccountControl$\"},\"TargetUserName\":\\{\"Text\":\"$winEventLog.EventData.TargetUserName$\"},\"TargetSid\":\\{\"Text\":\"$winEventLog.EventData.TargetSid$\"},\"TargetDomainName\":\\{\"Text\":\"$winEventLog.EventData.TargetDomainName$\"},\"SubjectUserSid\":\\{\"Text\":\"$winEventLog.EventData.SubjectUserSid$\"},\"SubjectUserName\":\\{\"Text\":\"$winEventLog.EventData.SubjectUserName$\"},\"SubjectLogonId\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"SubjectDomainName\":\\{\"Text\":\"$winEventLog.EventData.SubjectDomainName$\"},\"SidHistory\":\\{\"Text\":\"$winEventLog.EventData.SidHistory$\"},\"ServicePrincipalNames\":\\{\"Text\":\"$winEventLog.EventData.ServicePrincipalNames$\"},\"ScriptPath\":\\{\"Text\":\"$winEventLog.EventData.ScriptPath$\"},\"SamAccountName\":\\{\"Text\":\"$winEventLog.EventData.SamAccountName$\"},\"ProfilePath\":\\{\"Text\":\"$winEventLog.EventData.ProfilePath$\"},\"PrivilegeList\":\\{\"Text\":\"$winEventLog.EventData.PrivilegeList$\"},\"PrimaryGroupId\":\\{\"Text\":\"$winEventLog.EventData.PrimaryGroupId$\"},\"PasswordLastSet\":\\{\"Text\":\"$winEventLog.EventData.PasswordLastSet$\"},\"OldUacValue\":\\{\"Text\":\"$winEventLog.EventData.OldUacValue$\"},\"NewUacValue\":\\{\"Text\":\"$winEventLog.EventData.NewUacValue$\"},\"LogonHours\":\\{\"Text\":\"$winEventLog.EventData.LogonHours$\"},\"HomePath\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"HomeDirectory\":\\{\"Text\":\"$winEventLog.EventData.HomeDirectory$\"},\"DnsHostName\":\\{\"Text\":\"$winEventLog.EventData.DnsHostName$\"},\"DisplayName\":\\{\"Text\":\"$winEventLog.EventData.DisplayName$\"},\"ComputerAccountChange\":\\{\"Text\":\"$winEventLog.EventData.ComputerAccountChange$\"},\"AllowedToDelegateTo\":\\{\"Text\":\"$winEventLog.EventData.AllowedToDelegateTo$\"},\"AccountExpires\":\\{\"Text\":\"$winEventLog.EventData.AccountExpires$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}" + halt: true + }, + { + // Match Event ID : 4741 + format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.task$\",\"Provider\":\"$winEventLog.rendering_info.provider$\",\"Opcode\":\"$winEventLog.rendering_info.opcode$\",\"Message\":\"$winEventLog.message$\",\"Level\":\"$winEventLog.rendering_info.level$\",\"Keywords\":\\{\"Keyword\":\"$winEventLog.rendering_info.keywords.keyword$\"},\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.culture$\"},\"EventData\":\\{\"Data\":\\{\"UserWorkstations\":\\{\"Text\":\"$winEventLog.EventData.UserWorkstations$\"},\"UserPrincipalName\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"UserParameters\":\\{\"Text\":\"$winEventLog.EventData.UserParameters$\"},\"UserAccountControl\":\\{\"Text\":\"$winEventLog.EventData.UserAccountControl$\"},\"TargetUserName\":\\{\"Text\":\"$winEventLog.EventData.TargetUserName$\"},\"TargetSid\":\\{\"Text\":\"$winEventLog.EventData.TargetSid$\"},\"TargetDomainName\":\\{\"Text\":\"$winEventLog.EventData.TargetDomainName$\"},\"SubjectUserSid\":\\{\"Text\":\"$winEventLog.EventData.userSID$\"},\"SubjectUserName\":\\{\"Text\":\"$winEventLog.EventData.SubjectUserName$\"},\"SubjectLogonId\":\\{\"Text\":\"$winEventLog.EventData.logonId$\"},\"SubjectDomainName\":\\{\"Text\":\"$winEventLog.EventData.SubjectDomainName$\"},\"SidHistory\":\\{\"Text\":\"$winEventLog.EventData.SidHistory$\"},\"ServicePrincipalNames\":\\{\"Text\":\"$winEventLog.EventData.ServicePrincipalNames$\"},\"ScriptPath\":\\{\"Text\":\"$winEventLog.EventData.ScriptPath$\"},\"SamAccountName\":\\{\"Text\":\"$winEventLog.EventData.SamAccountName$\"},\"ProfilePath\":\\{\"Text\":\"$winEventLog.EventData.ProfilePath$\"},\"PrivilegeList\":\\{\"Text\":\"$winEventLog.EventData.PrivilegeList$\"},\"PrimaryGroupId\":\\{\"Text\":\"$winEventLog.EventData.PrimaryGroupId$\"},\"PasswordLastSet\":\\{\"Text\":\"$winEventLog.EventData.PasswordLastSet$\"},\"OldUacValue\":\\{\"Text\":\"$winEventLog.EventData.OldUacValue$\"},\"NewUacValue\":\\{\"Text\":\"$winEventLog.EventData.NewUacValue$\"},\"LogonHours\":\\{\"Text\":\"$winEventLog.EventData.LogonHours$\"},\"HomePath\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"HomeDirectory\":\\{\"Text\":\"$winEventLog.EventData.HomeDirectory$\"},\"DnsHostName\":\\{\"Text\":\"$winEventLog.EventData.DnsHostName$\"},\"DisplayName\":\\{\"Text\":\"$winEventLog.EventData.DisplayName$\"},\"AllowedToDelegateTo\":\\{\"Text\":\"$winEventLog.EventData.AllowedToDelegateTo$\"},\"AccountExpires\":\\{\"Text\":\"$winEventLog.EventData.AccountExpires$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}" + halt: true + }, + { + // Match Event ID : 8002 + format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":\\{\"UserID\":\"$winEventLog.user_id$\"},\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.task$\",\"Provider\":\"$winEventLog.rendering_info.provider$\",\"Opcode\":\"$winEventLog.rendering_info.opcode$\",\"Message\":\"$winEventLog.message$\",\"Level\":\"$winEventLog.rendering_info.level$\",\"Keywords\":$winEventLog.rendering_info.keywords$,\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.culture$\"},\"EventData\":\\{\"Data\":\\{\"ProcessName\":\\{\"Text\":\"$src.process.name$\"},\"MechanismOID\":\\{\"Text\":\"$src.process.mechanism_oid$\"},\"ClientUserName\":\\{\"Text\":\"$src.process.user$\"},\"ClientLUID\":\\{\"Text\":\"$src.process.uid$\"},\"ClientDomainName\":\\{\"Text\":\"$src.process.domain$\"},\"CallerPID\":\\{\"Text\":\"$src.process.callerid$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}" + halt: true + }, + { + // Match all rest + format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",$winEventLog.rest$" + } + ] +} + diff --git a/parsers/mikrotik b/parsers/mikrotik new file mode 100644 index 0000000..931e11b --- /dev/null +++ b/parsers/mikrotik @@ -0,0 +1,436 @@ +{ + attributes: { + "metadata.version": "2.0.0", + "dataSource.vendor": "MikroTik", + "dataSource.name": "MikroTik RouterOS", + "dataSource.category": "security", + "Category": "security", + "metadata.product.vendor_name": "MikroTik", + "metadata.product.name": "RouterOS", + "metadata.log_provider": "syslog", + "severity_id": 1, + "severity": "Informational" + }, + + patterns: { + ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+", + ipv6: "[0-9a-fA-F:]+", + mac: "[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}", + num: "\\d+", + word: "\\w+", + iface: "[\\w().-]+", + proto: "[A-Z]+", + signal: "-?\\d+", + ts: "\\w+/\\d+/\\d+ \\d+:\\d+:\\d+|\\d+:\\d+:\\d+", + rest: ".*" + }, + + formats: [ + // ═══════════════════════════════════════════════════════════════════════════ + // FIREWALL (Network Activity 4001) + // ═══════════════════════════════════════════════════════════════════════════ + + // input: in:ether1 out:(none), src-mac 00:21:29:6d:82:07, proto UDP, 10.1.101.1:520->10.1.101.255:520, len 452 + { + id: "firewall_full", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106 + }, + format: "$chain=word$: in:$in_iface=iface$ out:$out_iface=iface$, src-mac $src_mac=mac$, proto $protocol=proto$, $src_ip=ipv4$:$src_port=num$->$dst_ip=ipv4$:$dst_port=num$, len $pkt_len=num$", + halt: true + }, + + // forward: in:ether1 out:ether2, connection-state:established, src-mac 00:11:22:33:44:55 + { + id: "firewall_conntrack", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106 + }, + format: "$chain=word$: in:$in_iface=iface$ out:$out_iface=iface$, connection-state:$conn_state=word$, src-mac $src_mac=mac$", + halt: true + }, + + // Firewall DROP - appears in XDR as Detection Finding + // drop: in:ether1 out:(none), src-mac 00:21:29:6d:82:07, proto TCP, 10.1.101.1:12345->10.1.101.255:22, len 64 + { + id: "firewall_drop", + attributes: { + class_uid: 4002, class_name: "Detection Finding", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Create", + type_uid: 400201, + disposition_id: 2, disposition: "Blocked", + severity_id: 3, severity: "Medium", + "finding_info.title": "MikroTik Firewall Drop", + "finding_info.types": ["Network"], + confidence_id: 3, confidence: "High" + }, + format: "drop: in:$in_iface=iface$ out:$out_iface=iface$, src-mac $src_mac=mac$, proto $protocol=proto$, $src_ip=ipv4$:$src_port=num$->$dst_ip=ipv4$:$dst_port=num$, len $pkt_len=num$", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // DHCP (DHCP Activity 4004) + // ═══════════════════════════════════════════════════════════════════════════ + + // defconf deassigned 192.168.88.37 for B0:E4:5C:27:EF:F2 Samsung + { + id: "dhcp_deassign", + attributes: { + class_uid: 4004, class_name: "DHCP Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 2, activity_name: "Release", + type_uid: 400402 + }, + format: "$dhcp_server=word$ deassigned $client_ip=ipv4$ for $client_mac=mac$ $hostname=rest$", + halt: true + }, + + // defconf assigned 192.168.88.37 for B0:E4:5C:27:EF:F2 Samsung + { + id: "dhcp_assign", + attributes: { + class_uid: 4004, class_name: "DHCP Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Lease", + type_uid: 400401 + }, + format: "$dhcp_server=word$ assigned $client_ip=ipv4$ for $client_mac=mac$ $hostname=rest$", + halt: true + }, + + // dhcp1 got address 192.168.1.100 from 192.168.1.1 + { + id: "dhcp_client", + attributes: { + class_uid: 4004, class_name: "DHCP Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Lease", + type_uid: 400401 + }, + format: "$dhcp_client=word$ got address $client_ip=ipv4$ from $dhcp_server_ip=ipv4$", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // AUTHENTICATION (Authentication 3002) + // ═══════════════════════════════════════════════════════════════════════════ + + // user admin logged in from 10.1.101.212 via winbox + { + id: "login", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon", + type_uid: 300201, + status_id: 1, status: "Success" + }, + format: "user $user=word$ logged in from $src_ip=ipv4$ via $method=word$", + halt: true + }, + + // user admin logged out from 10.1.101.212 via telnet + { + id: "logout", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 2, activity_name: "Logoff", + type_uid: 300202, + status_id: 1, status: "Success" + }, + format: "user $user=word$ logged out from $src_ip=ipv4$ via $method=word$", + halt: true + }, + + // login failure for user admin from 10.1.101.50 via ssh + // Using Detection Finding class for XDR visibility + { + id: "login_failure", + attributes: { + class_uid: 4002, class_name: "Detection Finding", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Create", + type_uid: 400201, + status_id: 2, status: "Failure", + severity_id: 3, severity: "Medium", + "finding_info.title": "MikroTik Login Failure", + "finding_info.types": ["Authentication"], + confidence_id: 3, confidence: "High" + }, + format: "login failure for user $user=word$ from $src_ip=ipv4$ via $method=word$", + halt: true + }, + + // connected from 203.0.113.50 + { + id: "ppp_connect", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon", + type_uid: 300201, + status_id: 1, status: "Success", + auth_protocol: "PPP" + }, + format: "<$user$> connected from $src_ip=ipv4$", + halt: true + }, + + // disconnected + { + id: "ppp_disconnect", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 2, activity_name: "Logoff", + type_uid: 300202, + auth_protocol: "PPP" + }, + format: "<$user$> disconnected", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // CONFIGURATION (Entity Management 5004) + // ═══════════════════════════════════════════════════════════════════════════ + + // mangle rule added by admin + { + id: "config_added", + attributes: { + class_uid: 5004, class_name: "Entity Management", + category_uid: 5, category_name: "Discovery", + activity_id: 1, activity_name: "Create", + type_uid: 500401 + }, + format: "$object=rest$ added by $user=word$", + halt: true + }, + + // mangle rule changed by admin + { + id: "config_changed", + attributes: { + class_uid: 5004, class_name: "Entity Management", + category_uid: 5, category_name: "Discovery", + activity_id: 3, activity_name: "Update", + type_uid: 500403 + }, + format: "$object=rest$ changed by $user=word$", + halt: true + }, + + // mangle rule moved by admin + { + id: "config_moved", + attributes: { + class_uid: 5004, class_name: "Entity Management", + category_uid: 5, category_name: "Discovery", + activity_id: 3, activity_name: "Update", + type_uid: 500403 + }, + format: "$object=rest$ moved by $user=word$", + halt: true + }, + + // item removed by admin + { + id: "config_removed", + attributes: { + class_uid: 5004, class_name: "Entity Management", + category_uid: 5, category_name: "Discovery", + activity_id: 2, activity_name: "Delete", + type_uid: 500402 + }, + format: "$object=rest$ removed by $user=word$", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // SYSTEM (Operating System Patch State 6003) + // ═══════════════════════════════════════════════════════════════════════════ + + // router rebooted + { + id: "system_reboot", + attributes: { + class_uid: 6003, class_name: "Operating System Patch State", + category_uid: 6, category_name: "Application Activity", + activity_id: 0, activity_name: "Unknown", + type_uid: 600300, + severity_id: 2, severity: "Low" + }, + format: "router rebooted", + halt: true + }, + + // system,error,critical kernel failure + { + id: "system_critical", + attributes: { + class_uid: 6003, class_name: "Operating System Patch State", + category_uid: 6, category_name: "Application Activity", + activity_id: 0, activity_name: "Unknown", + type_uid: 600300, + severity_id: 5, severity: "Critical" + }, + format: "kernel $error_msg=rest$", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // WIRELESS (Network Activity 4001) + // ═══════════════════════════════════════════════════════════════════════════ + + // connected, 00:11:22:33:44:55@wlan1, signal-strength=-65 + { + id: "wireless_connect", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Open", + type_uid: 400101 + }, + format: "connected, $client_mac=mac$@$iface=iface$, signal-strength=$signal=signal$", + halt: true + }, + + // disconnected, 00:11:22:33:44:55@wlan1 + { + id: "wireless_disconnect", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 2, activity_name: "Close", + type_uid: 400102 + }, + format: "disconnected, $client_mac=mac$@$iface=iface$", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // DNS (DNS Activity 4003) + // ═══════════════════════════════════════════════════════════════════════════ + + // dns query from 192.168.1.10: example.com A + { + id: "dns_query", + attributes: { + class_uid: 4003, class_name: "DNS Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Query", + type_uid: 400301 + }, + format: "dns query from $src_ip=ipv4$: $query_hostname=rest$", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // ROUTING (Network Activity 4001) + // ═══════════════════════════════════════════════════════════════════════════ + + // ospf neighbor 10.0.0.1 state changed to Full + { + id: "ospf_neighbor", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 5, activity_name: "Update", + type_uid: 400105 + }, + format: "ospf neighbor $neighbor_ip=ipv4$ state changed to $neighbor_state=word$", + halt: true + }, + + // bgp peer 10.0.0.2 established + { + id: "bgp_established", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Open", + type_uid: 400101 + }, + format: "bgp peer $peer_ip=ipv4$ established", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // IPSEC/VPN (Tunnel Activity 4014) + // ═══════════════════════════════════════════════════════════════════════════ + + // ipsec,info phase1 negotiation succeeded for 203.0.113.1 + { + id: "ipsec_phase1", + attributes: { + class_uid: 4014, class_name: "Tunnel Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Open", + type_uid: 401401 + }, + format: "phase1 negotiation $ipsec_result=word$ for $peer_ip=ipv4$", + halt: true + }, + + // ═══════════════════════════════════════════════════════════════════════════ + // GENERIC FALLBACK + // ═══════════════════════════════════════════════════════════════════════════ + { + id: "generic", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 0, activity_name: "Unknown", + type_uid: 400100 + }, + format: "$body=rest$" + } + ], + + mappings: { + version: 1, + mappings: [ + { + transformations: [ + { rename: { from: "src_ip", to: "src_endpoint.ip" } }, + { rename: { from: "dst_ip", to: "dst_endpoint.ip" } }, + { rename: { from: "src_port", to: "src_endpoint.port" } }, + { rename: { from: "dst_port", to: "dst_endpoint.port" } }, + { rename: { from: "src_mac", to: "src_endpoint.mac" } }, + { rename: { from: "in_iface", to: "src_endpoint.interface_name" } }, + { rename: { from: "out_iface", to: "dst_endpoint.interface_name" } }, + { rename: { from: "protocol", to: "connection_info.protocol_name" } }, + { rename: { from: "pkt_len", to: "traffic.bytes" } }, + { rename: { from: "client_ip", to: "dst_endpoint.ip" } }, + { rename: { from: "client_mac", to: "dst_endpoint.mac" } }, + { rename: { from: "user", to: "actor.user.name" } }, + { rename: { from: "method", to: "auth_protocol" } }, + { rename: { from: "iface", to: "src_endpoint.interface_name" } }, + { rename: { from: "signal", to: "unmapped.wireless_signal" } }, + { rename: { from: "chain", to: "unmapped.firewall_chain" } }, + { rename: { from: "dhcp_server", to: "unmapped.dhcp_server" } }, + { rename: { from: "dhcp_server_ip", to: "unmapped.dhcp_server_ip" } }, + { rename: { from: "dhcp_client", to: "unmapped.dhcp_client" } }, + { rename: { from: "hostname", to: "dst_endpoint.hostname" } }, + { rename: { from: "object", to: "unmapped.config_object" } }, + { rename: { from: "conn_state", to: "connection_info.state" } }, + { rename: { from: "neighbor_ip", to: "dst_endpoint.ip" } }, + { rename: { from: "neighbor_state", to: "unmapped.ospf_state" } }, + { rename: { from: "peer_ip", to: "dst_endpoint.ip" } }, + { rename: { from: "query_hostname", to: "query.hostname" } }, + { rename: { from: "ipsec_result", to: "unmapped.ipsec_result" } }, + { rename: { from: "error_msg", to: "unmapped.error_message" } }, + { rename: { from: "body", to: "unmapped.raw_body" } } + ] + } + ] + } +} diff --git a/parsers/netskope_netskope_logs-latest b/parsers/netskope_netskope_logs-latest new file mode 100644 index 0000000..d01d9cf --- /dev/null +++ b/parsers/netskope_netskope_logs-latest @@ -0,0 +1,410 @@ +{ + attributes: { + "dataSource.category": "security", + "dataSource.name": "Netskope", + "dataSource.vendor": "Netskope" + }, + formats: [ + { + format: ".*${parse=json}{attrWhitelist=(_id|action|activity|device|category|app_name|count|dst_country|dst_region|malware_severity|malware_type|request_id|severity|severity_id|src_country|src_location|src_region|type|_category_id|_category_tags|_correlation_id|_detection_name|_event_id|_nshostname|_resource_name|_service_identifier|account_name|alert_id|alert_name|alert_type|appcategory|breach_date|breach_description|breach_id|breach_score|connection_id|dlp_file|dlp_incident_id|dlp_rule|dlp_rule_count|dst_latitude|dst_longitude|dst_timezone|dst_zipcode|dstip|event_type|file_name|file_size|file_type|hostname|incident_id|instance_id|local_md5|malsite_country|malware_name|matched_username|md5|os|os10|os11|policy|policy_id|protocol|severity_level|severity_level_id|src_latitude|src_longitude|src_time|src_timezone|src_zipcode|srcip|timestamp|transaction_id|true_obj_type|url|user|user_id|userip|userkey|local_sha256)}$" + rewrites: [ + { + input: "_category_id", + output: "security_finding.category_uid", + match: ".*", + replace: "$0" + }, + { + input: "_category_tags", + output: "security_finding.category_tags", + match: ".*", + replace: "$0" + }, + { + input: "_correlation_id", + output: "metadata.correlation_uid", + match: ".*", + replace: "$0" + }, + { + input: "_detection_name", + output: "detection.name", + match: ".*", + replace: "$0" + }, + { + input: "_event_id", + output: "security_finding.activity_id", + match: ".*", + replace: "$0" + }, + { + input: "_id", + output: "security_finding.type_uid", + match: ".*", + replace: "$0" + }, + { + input: "_nshostname", + output: "network_endpoint.sender_hostname", + match: ".*", + replace: "$0" + }, + { + input: "_resource_name", + output: "resource.name", + match: ".*", + replace: "$0" + }, + { + input: "_service_identifier", + output: "service.identifier", + match: ".*", + replace: "$0" + }, + { + input: "account_name", + output: "account.name", + match: ".*", + replace: "$0" + }, + { + input: "action", + output: "security_finding.action", + match: ".*", + replace: "$0" + }, + { + input: "alert_id", + output: "alert.uid", + match: ".*", + replace: "$0" + }, + { + input: "alert_name", + output: "alert.name", + match: ".*", + replace: "$0" + }, + { + input: "alert_type", + output: "event.type", + match: ".*", + replace: "$0" + }, + { + input: "appcategory", + output: "security_finding.app_category", + match: ".*", + replace: "$0" + }, + { + input: "breach_date", + output: "breach.date", + match: ".*", + replace: "$0" + }, + { + input: "breach_description", + output: "breach.desc", + match: ".*", + replace: "$0" + }, + { + input: "breach_id", + output: "breach.uid", + match: ".*", + replace: "$0" + }, + { + input: "breach_score", + output: "breach.score", + match: ".*", + replace: "$0" + }, + { + input: "category", + output: "security_finding.category_name", + match: ".*", + replace: "$0" + }, + { + input: "connection_id", + output: "security_finding.connection_id", + match: ".*", + replace: "$0" + }, + { + input: "device", + output: "device.name", + match: ".*", + replace: "$0" + }, + { + input: "dlp_file", + output: "dlp.file_name", + match: ".*", + replace: "$0" + }, + { + input: "dlp_incident_id", + output: "dlp.incident_id", + match: ".*", + replace: "$0" + }, + { + input: "dlp_rule", + output: "dlp.rule", + match: ".*", + replace: "$0" + }, + { + input: "dlp_rule_count", + output: "dlp.rule_count", + match: ".*", + replace: "$0" + }, + { + input: "dst_latitude", + output: "geo_coordinates.dst_latitude", + match: ".*", + replace: "$0" + }, + { + input: "dst_longitude", + output: "geo_coordinates.dst_longitude", + match: ".*", + replace: "$0" + }, + { + input: "dst_timezone", + output: "location.dst_timezone", + match: ".*", + replace: "$0" + }, + { + input: "dst_zipcode", + output: "location.dst_zipcode", + match: ".*", + replace: "$0" + }, + { + input: "dstip", + output: "dst.ip.address", + match: ".*", + replace: "$0" + }, + { + input: "event_type", + output: "security_finding.ref_event_name", + match: ".*", + replace: "$0" + }, + { + input: "file_name", + output: "file.name", + match: ".*", + replace: "$0" + }, + { + input: "file_size", + output: "file.size", + match: ".*", + replace: "$0" + }, + { + input: "file_type", + output: "file.type", + match: ".*", + replace: "$0" + }, + { + input: "hostname", + output: "device.hostname", + match: ".*", + replace: "$0" + }, + { + input: "incident_id", + output: "security_finding.incident_id", + match: ".*", + replace: "$0" + }, + { + input: "instance_id", + output: "device.instance_uid", + match: ".*", + replace: "$0" + }, + { + input: "local_md5", + output: "file.local_md5", + match: ".*", + replace: "$0" + }, + { + input: "malsite_country", + output: "security_finding.malsite_country", + match: ".*", + replace: "$0" + }, + { + input: "malware_name", + output: "malware.name", + match: ".*", + replace: "$0" + }, + { + input: "matched_username", + output: "security_finding.matched_username", + match: ".*", + replace: "$0" + }, + { + input: "md5", + output: "file.md5", + match: ".*", + replace: "$0" + }, + { + input: "os", + output: "os.name", + match: ".*", + replace: "$0" + }, + { + input: "os10", + output: "device.os10", + match: ".*", + replace: "$0" + }, + { + input: "os11", + output: "device.os11", + match: ".*", + replace: "$0" + }, + { + input: "policy", + output: "policy.name", + match: ".*", + replace: "$0" + }, + { + input: "policy_id ", + output: "policy.uid", + match: ".*", + replace: "$0" + }, + { + input: "protocol", + output: "network_connection_info.protocol_name", + match: ".*", + replace: "$0" + }, + { + input: "severity_level", + output: "security_finding.severity", + match: ".*", + replace: "$0" + }, + { + input: "severity_level_id", + output: "security_finding.severity_level_id", + match: ".*", + replace: "$0" + }, + { + input: "src_latitude", + output: "geo_coordinates.src_latitude", + match: ".*", + replace: "$0" + }, + { + input: "src_longitude", + output: "geo_coordinates.src_longitude", + match: ".*", + replace: "$0" + }, + { + input: "src_time", + output: "security_finding.src_time", + match: ".*", + replace: "$0" + }, + { + input: "src_timezone", + output: "location.src_timezone", + match: ".*", + replace: "$0" + }, + { + input: "src_zipcode", + output: "location.src_zipcode", + match: ".*", + replace: "$0" + }, + { + input: "srcip", + output: "src.ip.address", + match: ".*", + replace: "$0" + }, + { + input: "timestamp", + output: "security_finding.time", + match: ".*", + replace: "$0" + }, + { + input: "transaction_id", + output: "security_finding.transaction_id", + match: ".*", + replace: "$0" + }, + { + input: "true_obj_type", + output: "file.type", + match: ".*", + replace: "$0" + }, + { + input: "url", + output: "url.text", + match: ".*", + replace: "$0" + }, + { + input: "user", + output: "user.name", + match: ".*", + replace: "$0" + }, + { + input: "user_id", + output: "user.uid", + match: ".*", + replace: "$0" + }, + { + input: "userip", + output: "user.ip", + match: ".*", + replace: "$0" + }, + { + input: "userkey", + output: "user.key", + match: ".*", + replace: "$0" + }, + { + input: "local_sha256", + output: "file.local_sha256", + match: ".*", + replace: "$0" + }, + ] + } + ] + } \ No newline at end of file diff --git a/parsers/npm_typosquats b/parsers/npm_typosquats new file mode 100644 index 0000000..a60fcf2 --- /dev/null +++ b/parsers/npm_typosquats @@ -0,0 +1,30 @@ +{ + "columnNames": ["suspect_name", "known_target"], + "rows": [ + ["expres", "express"], + ["loadash", "lodash"], + ["colorss", "colors"], + ["requesst", "request"], + ["eslint-config-airbnb-pro", "eslint-config-airbnb"], + ["event-stream-helper", "event-stream"], + ["ua-parser-utils", "ua-parser-js"], + ["lodash-utils", "lodash"], + ["lodaash", "lodash"], + ["expresss", "express"], + ["axios-lib", "axios"], + ["axioss", "axios"], + ["reactt", "react"], + ["react-utility", "react"], + ["vuetify-utils", "vuetify"], + ["commaander", "commander"], + ["yargs-plus", "yargs"], + ["chalkk", "chalk"], + ["chalk-cli", "chalk"], + ["nextt", "next"], + ["webpackk", "webpack"], + ["typescriptt", "typescript"], + ["debugg", "debug"], + ["moment-tz", "moment"], + ["uuid-gen", "uuid"] + ] +} \ No newline at end of file diff --git a/parsers/ocsf-checkpoint b/parsers/ocsf-checkpoint new file mode 100644 index 0000000..f8cc2cf --- /dev/null +++ b/parsers/ocsf-checkpoint @@ -0,0 +1,197 @@ +// SentinelOne AI SIEM Parser: Check Point Security Gateway +// OCSF Schema Version: 1.1.0 +// Maps Check Point pipe-delimited logs to OCSF classes +// Primary Classes: Network Activity (4001), Security Finding (2001), Detection Finding (2004) + +{ + "parserName": "CheckPoint-OCSF", + "version": "1.0.0", + "vendor": "Check Point", + "product": "Security Gateway", + "format": "kv", + "delimiter": "|", + "kvSeparator": "=", + + "patterns": [ + // Firewall Traffic logs + { + "pattern": "product=VPN-1 & FireWall-1", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + // Activity mapping + {"lookup": "action", "map": { + "Accept": 1, "Drop": 2, "Reject": 2, "Block": 2, "Log": 0, "Detect": 1 + }, "to": "activity_id"}, + {"lookup": "action", "map": { + "Accept": "Traffic Allowed", "Drop": "Traffic Denied", "Reject": "Traffic Rejected", + "Block": "Traffic Blocked", "Log": "Traffic Logged", "Detect": "Traffic Detected" + }, "to": "activity_name"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Check Point Firewall"}, + {"set": "metadata.product.vendor_name", "value": "Check Point"}, + {"copy": "loguid", "to": "metadata.uid"}, + {"copy": "origin", "to": "device.ip"}, + {"copy": "originsicname", "to": "device.name"}, + {"copy": "sequencenum", "to": "metadata.sequence"}, + + // Time + {"copy": "time", "to": "time", "transform": "epochToISO"}, + + // Source endpoint + {"copy": "src", "to": "src_endpoint.ip"}, + {"copy": "s_port", "to": "src_endpoint.port"}, + {"copy": "ifname", "to": "src_endpoint.interface_name"}, + + // Destination endpoint + {"copy": "dst", "to": "dst_endpoint.ip"}, + {"copy": "service", "to": "dst_endpoint.port"}, + + // Connection info + {"copy": "proto", "to": "connection_info.protocol_num"}, + {"lookup": "proto", "map": {"6": "TCP", "17": "UDP", "1": "ICMP"}, "to": "connection_info.protocol_name"}, + {"copy": "conn_direction", "to": "connection_info.direction"}, + + // NAT + {"copy": "xlatesrc", "to": "proxy.ip"}, + {"copy": "xlatesport", "to": "proxy.port"}, + {"copy": "xlatedst", "to": "dst_endpoint.intermediate_ips"}, + + // Policy + {"copy": "rule_uid", "to": "policy.uid"}, + {"copy": "rule_name", "to": "policy.name"}, + {"copy": "layer_name", "to": "policy.group.name"}, + {"copy": "rule_action", "to": "policy.rule.action"}, + + // Status + {"lookup": "action", "map": {"Accept": 1, "Drop": 2, "Reject": 2, "Block": 2}, "to": "status_id"}, + {"lookup": "action", "map": {"Accept": "Success", "Drop": "Failure", "Reject": "Failure", "Block": "Failure"}, "to": "status"} + ] + }, + + // IPS/SmartDefense logs + { + "pattern": "product=SmartDefense", + "rewrites": [ + {"set": "class_uid", "value": "2004"}, + {"set": "class_name", "value": "Detection Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Check Point IPS"}, + {"set": "metadata.product.vendor_name", "value": "Check Point"}, + + // Finding info + {"copy": "attack", "to": "finding_info.title"}, + {"copy": "attack_info", "to": "finding_info.desc"}, + {"copy": "protection_id", "to": "finding_info.uid"}, + {"copy": "protection_name", "to": "finding_info.types"}, + {"copy": "protection_type", "to": "finding_info.type_uid"}, + + // Severity + {"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1}, "to": "severity_id"}, + {"copy": "severity", "to": "severity"}, + + // Confidence + {"lookup": "confidence_level", "map": {"High": 3, "Medium": 2, "Low": 1}, "to": "confidence_id"}, + {"copy": "confidence_level", "to": "confidence"}, + + // Performance impact + {"copy": "performance_impact", "to": "impact_score"}, + + // Endpoints + {"copy": "src", "to": "src_endpoint.ip"}, + {"copy": "s_port", "to": "src_endpoint.port"}, + {"copy": "dst", "to": "dst_endpoint.ip"}, + {"copy": "service", "to": "dst_endpoint.port"}, + + // Action + {"lookup": "action", "map": {"Drop": 2, "Detect": 1, "Prevent": 2, "Log": 0}, "to": "activity_id"} + ] + }, + + // Management/Audit logs + { + "pattern": "product=SmartCenter Server", + "rewrites": [ + {"set": "class_uid", "value": "6002"}, + {"set": "class_name", "value": "API Activity"}, + {"set": "category_uid", "value": "6"}, + {"set": "category_name", "value": "Application Activity"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Check Point SmartCenter"}, + {"set": "metadata.product.vendor_name", "value": "Check Point"}, + + // Actor + {"copy": "administrator", "to": "actor.user.name"}, + {"copy": "client_name", "to": "actor.app_name"}, + {"copy": "client_version", "to": "actor.app_version"}, + {"copy": "src", "to": "actor.session.ip"}, + + // Operation + {"copy": "operation", "to": "activity_name"}, + {"copy": "objectname", "to": "resources.name"}, + {"copy": "objecttype", "to": "resources.type"}, + {"copy": "fieldschanges", "to": "resources.data"} + ] + }, + + // Application Control logs + { + "pattern": "product=Application Control", + "rewrites": [ + {"set": "class_uid", "value": "4002"}, + {"set": "class_name", "value": "HTTP Activity"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Check Point Application Control"}, + {"set": "metadata.product.vendor_name", "value": "Check Point"}, + + // Application + {"copy": "app_name", "to": "app_name"}, + {"copy": "app_id", "to": "app.uid"}, + {"copy": "app_category", "to": "app.category"}, + {"copy": "app_risk", "to": "app.risk_level"}, + {"copy": "appi_name", "to": "app.feature.name"}, + + // User + {"copy": "user", "to": "actor.user.name"}, + {"copy": "matched_category", "to": "http_request.url.categories"} + ] + }, + + // Anti-Bot/Threat Prevention logs + { + "pattern": "product=Anti-Bot", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "finding_info.types", "value": ["Malware", "Command and Control"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Check Point Anti-Bot"}, + {"set": "metadata.product.vendor_name", "value": "Check Point"}, + + // Malware info + {"copy": "malware_name", "to": "malware.name"}, + {"copy": "malware_family", "to": "malware.classification.family"}, + {"copy": "malware_action", "to": "activity_name"}, + {"copy": "resource", "to": "malware.path"}, + + // Severity + {"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2}, "to": "severity_id"}, + {"copy": "severity", "to": "severity"}, + + // Confidence + {"copy": "confidence_level", "to": "confidence"} + ] + } + ] +} diff --git a/parsers/ocsf-entra-id b/parsers/ocsf-entra-id new file mode 100644 index 0000000..7caac88 --- /dev/null +++ b/parsers/ocsf-entra-id @@ -0,0 +1,242 @@ +// SentinelOne AI SIEM Parser: Microsoft Entra ID (Azure AD) +// OCSF Schema Version: 1.1.0 +// Maps Entra ID JSON audit/sign-in logs to OCSF classes +// Primary Classes: Authentication (3002), Account Change (3001), Group Membership (3004) + +{ + "parserName": "EntraID-OCSF", + "version": "1.0.0", + "vendor": "Microsoft", + "product": "Entra ID", + "format": "json", + + "patterns": [ + // Sign-in logs (successful) + { + "pattern": "\"category\":\\s*\"SignInLogs\".*\"resultType\":\\s*\"0\"", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "type_uid", "value": "300201"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft Entra ID"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + {"jsonPath": "$.tenantId", "to": "metadata.tenant_uid"}, + {"jsonPath": "$.correlationId", "to": "metadata.correlation_uid"}, + {"jsonPath": "$.properties.id", "to": "metadata.uid"}, + + // Time + {"jsonPath": "$.time", "to": "time"}, + + // User + {"jsonPath": "$.properties.userDisplayName", "to": "user.full_name"}, + {"jsonPath": "$.properties.userPrincipalName", "to": "user.email_addr"}, + {"jsonPath": "$.properties.userId", "to": "user.uid"}, + + // Source endpoint + {"jsonPath": "$.callerIpAddress", "to": "src_endpoint.ip"}, + {"jsonPath": "$.properties.ipAddress", "to": "src_endpoint.ip"}, + {"jsonPath": "$.properties.deviceDetail.displayName", "to": "src_endpoint.name"}, + {"jsonPath": "$.properties.deviceDetail.deviceId", "to": "src_endpoint.uid"}, + {"jsonPath": "$.properties.deviceDetail.operatingSystem", "to": "src_endpoint.os.name"}, + {"jsonPath": "$.properties.deviceDetail.browser", "to": "src_endpoint.browser"}, + + // Device compliance + {"jsonPath": "$.properties.deviceDetail.isCompliant", "to": "src_endpoint.is_compliant"}, + {"jsonPath": "$.properties.deviceDetail.isManaged", "to": "src_endpoint.is_managed"}, + {"jsonPath": "$.properties.deviceDetail.trustType", "to": "src_endpoint.trust_type"}, + + // Location + {"jsonPath": "$.properties.location.city", "to": "src_endpoint.location.city"}, + {"jsonPath": "$.properties.location.state", "to": "src_endpoint.location.region"}, + {"jsonPath": "$.properties.location.countryOrRegion", "to": "src_endpoint.location.country"}, + {"jsonPath": "$.properties.location.geoCoordinates.latitude", "to": "src_endpoint.location.lat"}, + {"jsonPath": "$.properties.location.geoCoordinates.longitude", "to": "src_endpoint.location.long"}, + + // Application + {"jsonPath": "$.properties.appDisplayName", "to": "app_name"}, + {"jsonPath": "$.properties.appId", "to": "app.uid"}, + {"jsonPath": "$.properties.clientAppUsed", "to": "auth_protocol"}, + {"jsonPath": "$.properties.userAgent", "to": "http_request.user_agent"}, + + // MFA + {"jsonPath": "$.properties.mfaDetail.authMethod", "to": "mfa.method"}, + {"jsonPath": "$.properties.mfaDetail.authDetail", "to": "mfa.detail"}, + + // Conditional Access + {"jsonPath": "$.properties.conditionalAccessStatus", "to": "policy.result"}, + + // Risk + {"jsonPath": "$.properties.riskDetail", "to": "risk_detail"}, + {"jsonPath": "$.properties.riskLevelAggregated", "to": "risk_level"}, + {"jsonPath": "$.properties.riskLevelDuringSignIn", "to": "risk_level_signin"}, + {"jsonPath": "$.properties.riskState", "to": "risk_state"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Sign-in logs (failed) + { + "pattern": "\"category\":\\s*\"SignInLogs\".*\"resultType\":\\s*\"[^0]", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft Entra ID"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + {"jsonPath": "$.time", "to": "time"}, + {"jsonPath": "$.properties.userPrincipalName", "to": "user.email_addr"}, + {"jsonPath": "$.callerIpAddress", "to": "src_endpoint.ip"}, + {"jsonPath": "$.resultType", "to": "status_code"}, + {"jsonPath": "$.resultDescription", "to": "status_detail"}, + {"jsonPath": "$.properties.status.errorCode", "to": "error.code"}, + {"jsonPath": "$.properties.status.failureReason", "to": "error.message"}, + + // Location + {"jsonPath": "$.properties.location.countryOrRegion", "to": "src_endpoint.location.country"}, + + // Risk + {"jsonPath": "$.properties.riskLevelAggregated", "to": "risk_level"}, + + // Severity based on risk + {"lookup": "risk_level", "map": {"high": 4, "medium": 3, "low": 2, "none": 1}, "to": "severity_id"}, + {"lookup": "risk_level", "map": {"high": "High", "medium": "Medium", "low": "Low", "none": "Informational"}, "to": "severity"} + ] + }, + + // Risky sign-ins + { + "pattern": "\"category\":\\s*\"RiskySignIns\"", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + {"set": "finding_info.types", "value": ["Identity Risk"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft Entra ID Protection"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + {"jsonPath": "$.time", "to": "time"}, + {"jsonPath": "$.properties.userDisplayName", "to": "user.full_name"}, + {"jsonPath": "$.properties.userPrincipalName", "to": "user.email_addr"}, + {"jsonPath": "$.properties.userId", "to": "user.uid"}, + {"jsonPath": "$.callerIpAddress", "to": "src_endpoint.ip"}, + + // Risk details + {"jsonPath": "$.properties.riskDetail", "to": "finding_info.title"}, + {"jsonPath": "$.properties.riskEventTypes", "to": "finding_info.types"}, + {"jsonPath": "$.properties.riskLevelAggregated", "to": "risk_level"}, + {"jsonPath": "$.properties.riskState", "to": "risk_state"}, + + // Location + {"jsonPath": "$.properties.location.countryOrRegion", "to": "src_endpoint.location.country"}, + + // Severity + {"lookup": "risk_level", "map": {"high": 5, "medium": 4, "low": 3}, "to": "severity_id"}, + {"lookup": "risk_level", "map": {"high": "Critical", "medium": "High", "low": "Medium"}, "to": "severity"} + ] + }, + + // Audit logs - Group membership + { + "pattern": "\"category\":\\s*\"AuditLogs\".*\"activityDisplayName\":\\s*\"Add member to group\"", + "rewrites": [ + {"set": "class_uid", "value": "3004"}, + {"set": "class_name", "value": "Group Membership"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Add"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft Entra ID"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + {"jsonPath": "$.time", "to": "time"}, + + // Actor + {"jsonPath": "$.properties.initiatedBy.user.displayName", "to": "actor.user.full_name"}, + {"jsonPath": "$.properties.initiatedBy.user.userPrincipalName", "to": "actor.user.email_addr"}, + {"jsonPath": "$.properties.initiatedBy.user.id", "to": "actor.user.uid"}, + {"jsonPath": "$.properties.initiatedBy.user.ipAddress", "to": "src_endpoint.ip"}, + + // Group + {"jsonPath": "$.properties.targetResources[0].displayName", "to": "group.name"}, + {"jsonPath": "$.properties.targetResources[0].id", "to": "group.uid"}, + + // User added + {"jsonPath": "$.properties.targetResources[1].displayName", "to": "user.full_name"}, + {"jsonPath": "$.properties.targetResources[1].userPrincipalName", "to": "user.email_addr"}, + {"jsonPath": "$.properties.targetResources[1].id", "to": "user.uid"}, + + // Status + {"jsonPath": "$.properties.result", "to": "status"}, + {"lookup": "status", "map": {"success": 1, "failure": 2}, "to": "status_id"} + ] + }, + + // Audit logs - Password reset + { + "pattern": "\"category\":\\s*\"AuditLogs\".*\"activityDisplayName\":\\s*\"Reset user password\"", + "rewrites": [ + {"set": "class_uid", "value": "3001"}, + {"set": "class_name", "value": "Account Change"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "3"}, + {"set": "activity_name", "value": "Password Reset"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft Entra ID"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + {"jsonPath": "$.time", "to": "time"}, + + // Actor + {"jsonPath": "$.properties.initiatedBy.user.displayName", "to": "actor.user.full_name"}, + {"jsonPath": "$.properties.initiatedBy.user.userPrincipalName", "to": "actor.user.email_addr"}, + {"jsonPath": "$.properties.initiatedBy.user.ipAddress", "to": "src_endpoint.ip"}, + + // Target user + {"jsonPath": "$.properties.targetResources[0].displayName", "to": "user.full_name"}, + {"jsonPath": "$.properties.targetResources[0].userPrincipalName", "to": "user.email_addr"}, + {"jsonPath": "$.properties.targetResources[0].id", "to": "user.uid"}, + + // Status + {"jsonPath": "$.properties.result", "to": "status"}, + {"lookup": "status", "map": {"success": 1, "failure": 2}, "to": "status_id"}, + + // Severity for password changes + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + } + ], + + "error_code_mappings": { + "50126": "Invalid username or password", + "50053": "Account locked", + "50057": "Account disabled", + "50055": "Password expired", + "50076": "MFA required", + "50074": "Strong authentication required", + "53003": "Blocked by Conditional Access" + } +} diff --git a/parsers/ocsf-f5-apm b/parsers/ocsf-f5-apm new file mode 100644 index 0000000..692ccc8 --- /dev/null +++ b/parsers/ocsf-f5-apm @@ -0,0 +1,312 @@ +// SentinelOne AI SIEM Parser: F5 Networks BIG-IP APM +// OCSF Schema Version: 1.1.0 +// Maps F5 BIG-IP APM access policy logs to OCSF classes +// Primary Classes: Authentication (3002), Session Activity (3005) + +{ + "parserName": "F5APM-OCSF", + "version": "1.0.0", + "vendor": "F5 Networks", + "product": "BIG-IP APM", + "format": "syslog", + + "patterns": [ + // Session created + { + "pattern": "apmd\\[\\d+\\]:\\s+(\\d+):(\\d+):\\s+(/\\S+):Common:(\\S+):\\s+(?:New\\s+)?[Ss]ession\\s+created", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "type_uid", "value": "300201"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + {"group": 1, "to": "metadata.log_level"}, + {"group": 2, "to": "metadata.facility"}, + + // Policy and session + {"group": 3, "to": "policy.name"}, + {"group": 4, "to": "session.uid"}, + + // Extract client IP + {"regex": "Client IP:\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // Extract user agent + {"regex": "User Agent:\\s+(.+?)(?:\\s+$|\\s+\\w+:)", "group": 1, "to": "http_request.user_agent"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Session variable set (username) + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Session variable\\s+'session\\.logon\\.last\\.username'\\s+set to\\s+'([^']+)'", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "0"}, + {"set": "activity_name", "value": "Session Update"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "user.name"} + ] + }, + + // AD Authentication + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+AD Auth query\\s+-\\s+User:\\s+(\\S+)\\s+Domain:\\s+(\\S+)\\s+Server:\\s+(\\S+)\\s+Result:\\s+(\\w+)", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "user.name"}, + {"group": 4, "to": "user.domain"}, + {"group": 5, "to": "auth_server"}, + {"group": 6, "to": "auth_result"}, + + {"set": "auth_protocol", "value": "Active Directory"}, + + // Status + {"lookup": "auth_result", "map": {"Success": 1, "Failure": 2, "Failed": 2}, "to": "status_id"}, + {"lookup": "auth_result", "map": {"Success": "Success", "Failure": "Failure", "Failed": "Failure"}, "to": "status"} + ] + }, + + // AD Group query + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+AD Group query\\s+-\\s+User:\\s+(\\S+)\\s+Groups:\\s+(.+?)$", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "0"}, + {"set": "activity_name", "value": "Group Query"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "user.name"}, + {"group": 4, "to": "user.groups", "transform": "splitComma"} + ] + }, + + // MFA Challenge + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+MFA\\s+(Challenge sent|Response received)\\s+-\\s+(?:Method:\\s+(\\S+))?\\s*(?:Server:\\s+(\\S+))?\\s*(?:Result:\\s+(\\w+))?", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "99"}, + {"set": "activity_name", "value": "MFA"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "mfa.status"}, + {"group": 4, "to": "mfa.method"}, + {"group": 5, "to": "mfa.server"}, + {"group": 6, "to": "mfa.result"}, + + // Status + {"lookup": "mfa.result", "map": {"Success": 1, "Failure": 2}, "to": "status_id"}, + {"lookup": "mfa.result", "map": {"Success": "Success", "Failure": "Failure"}, "to": "status"} + ] + }, + + // Access policy result + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Access policy result:\\s+(\\w+)(?:\\s+-\\s+(.+))?", + "rewrites": [ + {"set": "class_uid", "value": "3003"}, + {"set": "class_name", "value": "Authorization"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "policy.result"}, + {"group": 4, "to": "policy.detail"}, + + // Activity + {"lookup": "policy.result", "map": {"Allow": 1, "Deny": 2}, "to": "activity_id"}, + {"lookup": "policy.result", "map": {"Allow": "Grant", "Deny": "Deny"}, "to": "activity_name"}, + + // Status + {"lookup": "policy.result", "map": {"Allow": 1, "Deny": 2}, "to": "status_id"}, + {"lookup": "policy.result", "map": {"Allow": "Success", "Deny": "Failure"}, "to": "status"}, + + // Extract assigned resources + {"regex": "Assigned resources:\\s+(.+?)$", "group": 1, "to": "resources.names"} + ] + }, + + // Network Access tunnel + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Network Access tunnel established\\s+-\\s+Assigned IP:\\s+([\\d.]+)\\s+Lease Pool:\\s+(\\S+)", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "VPN Connect"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "src_endpoint.ip"}, + {"group": 4, "to": "connection_info.pool"}, + + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Session authentication failed + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Session authentication failed\\s+-\\s+User:\\s+(\\S+)\\s+Client IP:\\s+([\\d.]+)\\s+Reason:\\s+(.+?)$", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "user.name"}, + {"group": 4, "to": "src_endpoint.ip"}, + {"group": 5, "to": "status_detail"}, + + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + }, + + // Session terminated + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Session terminated\\s+-\\s+User:\\s+(\\S+)\\s+Reason:\\s+(\\S+)\\s+Duration:\\s+(\\d+)\\s+seconds\\s+Bytes In:\\s+(\\d+)\\s+Bytes Out:\\s+(\\d+)", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Logoff"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "user.name"}, + {"group": 4, "to": "logoff_type"}, + {"group": 5, "to": "session.duration"}, + {"group": 6, "to": "traffic.bytes_in"}, + {"group": 7, "to": "traffic.bytes_out"}, + + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Anomaly detected + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Anomaly detected\\s+-\\s+User:\\s+(\\S+)\\s+Client IP:\\s+([\\d.]+)\\s+Risk:\\s+(.+?)$", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + {"set": "finding_info.types", "value": ["User Behavior Anomaly"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "user.name"}, + {"group": 4, "to": "src_endpoint.ip"}, + {"group": 5, "to": "finding_info.title"}, + + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"} + ] + }, + + // Endpoint inspection + { + "pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Endpoint inspection\\s+-\\s+OS:\\s+(\\S+)\\s+Antivirus:\\s+([^)]+\\))\\s+Firewall:\\s+(\\w+)\\s+Compliant:\\s+(\\w+)", + "rewrites": [ + {"set": "class_uid", "value": "5002"}, + {"set": "class_name", "value": "Compliance"}, + {"set": "category_uid", "value": "5"}, + {"set": "category_name", "value": "Discovery"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Endpoint Check"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "policy.name"}, + {"group": 2, "to": "session.uid"}, + {"group": 3, "to": "device.os.name"}, + {"group": 4, "to": "device.antivirus"}, + {"group": 5, "to": "device.firewall_status"}, + {"group": 6, "to": "compliance.status"}, + + // Status + {"lookup": "compliance.status", "map": {"Yes": 1, "No": 2}, "to": "status_id"}, + {"lookup": "compliance.status", "map": {"Yes": "Compliant", "No": "Non-Compliant"}, "to": "status"} + ] + } + ], + + "transforms": { + "splitComma": { + "delimiter": ", ", + "type": "array" + } + } +} diff --git a/parsers/ocsf-f5-bigip b/parsers/ocsf-f5-bigip new file mode 100644 index 0000000..e0f4b6f --- /dev/null +++ b/parsers/ocsf-f5-bigip @@ -0,0 +1,223 @@ +// SentinelOne AI SIEM Parser: AMS - F5 Network Big IP +// OCSF Schema Version: 1.1.0 +// Maps F5 BIG-IP LTM/ASM/APM logs to OCSF classes +// Primary Classes: HTTP Activity (4002), Security Finding (2001), Network Activity (4001) + +{ + "parserName": "F5BigIP-OCSF", + "version": "1.0.0", + "vendor": "F5 Networks", + "product": "BIG-IP", + "format": "syslog", + + "patterns": [ + // iRule HTTP Request logs + { + "pattern": "Rule\\s+(/\\S+)\\s+:", + "rewrites": [ + {"set": "class_uid", "value": "4002"}, + {"set": "class_name", "value": "HTTP Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Request"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP LTM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + {"group": 1, "to": "policy.name"}, + + // Client + {"regex": "Client\\s+([\\d.]+):(\\d+)", "group": 1, "to": "src_endpoint.ip"}, + {"regex": "Client\\s+([\\d.]+):(\\d+)", "group": 2, "to": "src_endpoint.port"}, + + // VIP + {"regex": "VIP\\s+([\\d.]+):(\\d+)", "group": 1, "to": "dst_endpoint.ip"}, + {"regex": "VIP\\s+([\\d.]+):(\\d+)", "group": 2, "to": "dst_endpoint.port"}, + + // Pool/Member + {"regex": "Pool\\s+(\\S+)", "group": 1, "to": "dst_endpoint.svc_name"}, + {"regex": "Member\\s+([\\d.]+):(\\d+)", "group": 1, "to": "dst_endpoint.intermediate_ips"}, + + // HTTP details + {"regex": "URI\\s+(\\S+)", "group": 1, "to": "http_request.url.path"}, + {"regex": "Method\\s+(\\w+)", "group": 1, "to": "http_request.http_method"}, + {"regex": "Host\\s+(\\S+)", "group": 1, "to": "http_request.url.hostname"}, + {"regex": "User-Agent\\s+(.+?)(?:\\s+\\w+=|$)", "group": 1, "to": "http_request.user_agent"} + ] + }, + + // iRule Security blocks + { + "pattern": "Rule\\s+(/\\S+)\\s+:\\s+BLOCKED", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Block"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP iRule"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + // Extract attack info + {"regex": "BLOCKED\\s+-\\s+(.+?)\\s+Client", "group": 1, "to": "finding_info.title"}, + {"regex": "Client\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + {"regex": "URI\\s+(\\S+)", "group": 1, "to": "finding_info.src_url"}, + {"regex": "Pattern matched:\\s+(.+?)$", "group": 1, "to": "finding_info.desc"}, + + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"} + ] + }, + + // SSL Handshake failures + { + "pattern": "SSL Handshake failed", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "6"}, + {"set": "activity_name", "value": "Fail"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP SSL"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 1, "to": "src_endpoint.ip"}, + {"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 2, "to": "src_endpoint.port"}, + {"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 3, "to": "dst_endpoint.ip"}, + {"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 4, "to": "dst_endpoint.port"}, + + {"regex": "-\\s+(.+)$", "group": 1, "to": "status_detail"}, + + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + }, + + // APM Session events + { + "pattern": "apmd\\[\\d+\\]:", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP APM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + // Session + {"regex": ":Common:(\\w+):", "group": 1, "to": "session.uid"}, + + // User + {"regex": "User:\\s+(\\S+)", "group": 1, "to": "user.name"}, + + // Client IP + {"regex": "Client IP:\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // Activity based on message + {"set": "activity_id", "value": "1", "if": "Session created|session created"}, + {"set": "activity_name", "value": "Logon", "if": "Session created|session created"}, + {"set": "activity_id", "value": "2", "if": "Session terminated|terminated"}, + {"set": "activity_name", "value": "Logoff", "if": "Session terminated|terminated"}, + + // Status + {"set": "status_id", "value": "1", "if": "Allow|Success|success"}, + {"set": "status", "value": "Success", "if": "Allow|Success|success"}, + {"set": "status_id", "value": "2", "if": "Deny|failed|failure"}, + {"set": "status", "value": "Failure", "if": "Deny|failed|failure"} + ] + }, + + // ASM (WAF) logs + { + "pattern": "ASM:", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP ASM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + // Parse ASM fields + {"regex": "unit_hostname=\"([^\"]+)\"", "group": 1, "to": "device.hostname"}, + {"regex": "management_ip_address=\"([^\"]+)\"", "group": 1, "to": "device.ip"}, + {"regex": "policy_name=\"([^\"]+)\"", "group": 1, "to": "policy.name"}, + {"regex": "violations=\"([^\"]+)\"", "group": 1, "to": "finding_info.title"}, + {"regex": "request_status=\"([^\"]+)\"", "group": 1, "to": "activity_name"}, + {"regex": "response_code=\"([^\"]+)\"", "group": 1, "to": "http_response.code"}, + {"regex": "ip_client=\"([^\"]+)\"", "group": 1, "to": "src_endpoint.ip"}, + {"regex": "method=\"([^\"]+)\"", "group": 1, "to": "http_request.http_method"}, + {"regex": "protocol=\"([^\"]+)\"", "group": 1, "to": "connection_info.protocol_name"}, + {"regex": "uri=\"([^\"]+)\"", "group": 1, "to": "http_request.url.path"}, + {"regex": "sig_ids=\"([^\"]+)\"", "group": 1, "to": "finding_info.uid"}, + {"regex": "sig_names=\"([^\"]+)\"", "group": 1, "to": "finding_info.desc"}, + {"regex": "severity=\"([^\"]+)\"", "group": 1, "to": "severity"}, + {"regex": "attack_type=\"([^\"]+)\"", "group": 1, "to": "finding_info.types"}, + + // Severity mapping + {"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Informational": 1}, "to": "severity_id"}, + + // Activity + {"lookup": "activity_name", "map": {"blocked": 2, "passed": 1, "alarmed": 1}, "to": "activity_id"} + ] + }, + + // Pool member status + { + "pattern": "Pool\\s+(/\\S+)\\s+member\\s+([\\d.]+):(\\d+)\\s+monitor status\\s+(\\w+)", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "99"}, + {"set": "activity_name", "value": "Health Check"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP LTM"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "dst_endpoint.svc_name"}, + {"group": 2, "to": "dst_endpoint.ip"}, + {"group": 3, "to": "dst_endpoint.port"}, + {"group": 4, "to": "status"}, + + {"lookup": "status", "map": {"up": 1, "down": 2}, "to": "status_id"} + ] + }, + + // Audit logs + { + "pattern": "AUDIT\\s+-\\s+user\\s+(\\S+)", + "rewrites": [ + {"set": "class_uid", "value": "6002"}, + {"set": "class_name", "value": "API Activity"}, + {"set": "category_uid", "value": "6"}, + {"set": "category_name", "value": "Application Activity"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "F5 BIG-IP"}, + {"set": "metadata.product.vendor_name", "value": "F5 Networks"}, + + {"group": 1, "to": "actor.user.name"}, + {"regex": "from host\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + {"regex": "modified object\\s+(\\S+)", "group": 1, "to": "resources.name"}, + {"regex": "state from\\s+(\\w+)\\s+to\\s+(\\w+)", "group": 1, "to": "prev_state"}, + {"regex": "state from\\s+(\\w+)\\s+to\\s+(\\w+)", "group": 2, "to": "state"}, + + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Update"} + ] + } + ] +} diff --git a/parsers/ocsf-fortigate b/parsers/ocsf-fortigate new file mode 100644 index 0000000..4826849 --- /dev/null +++ b/parsers/ocsf-fortigate @@ -0,0 +1,169 @@ +// SentinelOne AI SIEM Parser: Fortinet FortiGate Security Gateway +// OCSF Schema Version: 1.1.0 +// Maps FortiGate key=value logs to OCSF classes +// Primary Classes: Network Activity (4001), Security Finding (2001), Detection Finding (2004) + +{ + "parserName": "FortiGate-OCSF", + "version": "1.0.0", + "vendor": "Fortinet", + "product": "FortiGate", + "format": "kv", + "delimiter": " ", + "kvSeparator": "=", + + "patterns": [ + // Traffic logs + { + "pattern": "type=\"traffic\"", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + // Activity mapping + {"lookup": "action", "map": {"accept": 1, "deny": 2, "drop": 5, "close": 4}, "to": "activity_id"}, + {"lookup": "action", "map": {"accept": "Traffic Allowed", "deny": "Traffic Denied", "drop": "Traffic Dropped", "close": "Connection Closed"}, "to": "activity_name"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "FortiGate"}, + {"set": "metadata.product.vendor_name", "value": "Fortinet"}, + {"copy": "devname", "to": "metadata.product.feature.uid"}, + {"copy": "devid", "to": "device.uid"}, + {"copy": "logid", "to": "metadata.log_name"}, + + // Time + {"parseTimestamp": "date time", "format": "yyyy-MM-dd HH:mm:ss", "to": "time"}, + {"copy": "eventtime", "to": "time", "transform": "epochToISO"}, + + // Source endpoint + {"copy": "srcip", "to": "src_endpoint.ip"}, + {"copy": "srcport", "to": "src_endpoint.port"}, + {"copy": "srcintf", "to": "src_endpoint.interface_name"}, + {"copy": "srccountry", "to": "src_endpoint.location.country"}, + + // Destination endpoint + {"copy": "dstip", "to": "dst_endpoint.ip"}, + {"copy": "dstport", "to": "dst_endpoint.port"}, + {"copy": "dstintf", "to": "dst_endpoint.interface_name"}, + {"copy": "dstcountry", "to": "dst_endpoint.location.country"}, + + // Connection info + {"copy": "proto", "to": "connection_info.protocol_num"}, + {"lookup": "proto", "map": {"6": "TCP", "17": "UDP", "1": "ICMP"}, "to": "connection_info.protocol_name"}, + {"copy": "sessionid", "to": "connection_info.session.uid"}, + {"copy": "duration", "to": "connection_info.session.duration"}, + + // Traffic stats + {"copy": "sentbyte", "to": "traffic.bytes_out"}, + {"copy": "rcvdbyte", "to": "traffic.bytes_in"}, + {"copy": "sentpkt", "to": "traffic.packets_out"}, + {"copy": "rcvdpkt", "to": "traffic.packets_in"}, + + // Policy + {"copy": "policyid", "to": "policy.uid"}, + {"copy": "policyname", "to": "policy.name"}, + + // Application + {"copy": "app", "to": "app_name"}, + {"copy": "appcat", "to": "app.category"}, + {"copy": "apprisk", "to": "app.risk_level"}, + + // NAT + {"copy": "transip", "to": "proxy.ip"}, + {"copy": "transport", "to": "proxy.port"}, + + // Status + {"set": "status_id", "value": "1"}, + {"lookup": "action", "map": {"accept": "Success", "deny": "Failure", "drop": "Failure"}, "to": "status"} + ] + }, + + // IPS/UTM logs + { + "pattern": "type=\"utm\" subtype=\"ips\"", + "rewrites": [ + {"set": "class_uid", "value": "2004"}, + {"set": "class_name", "value": "Detection Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "FortiGate IPS"}, + {"set": "metadata.product.vendor_name", "value": "Fortinet"}, + + // Finding info + {"copy": "attack", "to": "finding_info.title"}, + {"copy": "attackid", "to": "finding_info.uid"}, + {"copy": "ref", "to": "finding_info.src_url"}, + {"copy": "msg", "to": "finding_info.desc"}, + + // Severity + {"lookup": "severity", "map": {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}, "to": "severity_id"}, + {"copy": "severity", "to": "severity"}, + + // Endpoints + {"copy": "srcip", "to": "src_endpoint.ip"}, + {"copy": "srcport", "to": "src_endpoint.port"}, + {"copy": "dstip", "to": "dst_endpoint.ip"}, + {"copy": "dstport", "to": "dst_endpoint.port"}, + + // Action + {"lookup": "action", "map": {"dropped": 2, "blocked": 2, "detected": 1, "pass": 0}, "to": "activity_id"} + ] + }, + + // Virus/Malware logs + { + "pattern": "type=\"utm\" subtype=\"virus\"", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "finding_info.types", "value": ["Malware"]}, + + {"copy": "virusname", "to": "malware.name"}, + {"copy": "filename", "to": "file.name"}, + {"copy": "analyticscksum", "to": "file.hashes.sha256"}, + {"copy": "dtype", "to": "file.type_id"}, + + {"lookup": "action", "map": {"blocked": 2, "detected": 1, "quarantined": 3}, "to": "activity_id"} + ] + }, + + // Web filter logs + { + "pattern": "type=\"utm\" subtype=\"webfilter\"", + "rewrites": [ + {"set": "class_uid", "value": "4002"}, + {"set": "class_name", "value": "HTTP Activity"}, + + {"copy": "hostname", "to": "http_request.url.hostname"}, + {"copy": "url", "to": "http_request.url.path"}, + {"copy": "method", "to": "http_request.http_method"}, + {"copy": "cat", "to": "http_request.url.category_ids"}, + {"copy": "catdesc", "to": "http_request.url.categories"}, + + {"lookup": "action", "map": {"blocked": 2, "passthrough": 1, "warning": 3}, "to": "activity_id"} + ] + }, + + // System/Auth logs + { + "pattern": "type=\"event\" subtype=\"system\"", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + + {"copy": "user", "to": "actor.user.name"}, + {"copy": "ui", "to": "src_endpoint.name"}, + {"copy": "action", "to": "activity_name"}, + + {"lookup": "status", "map": {"success": 1, "failed": 2}, "to": "status_id"}, + {"copy": "reason", "to": "status_detail"}, + {"copy": "msg", "to": "message"} + ] + } + ] +} diff --git a/parsers/ocsf-hana-db b/parsers/ocsf-hana-db new file mode 100644 index 0000000..1b6b3e3 --- /dev/null +++ b/parsers/ocsf-hana-db @@ -0,0 +1,308 @@ +// SentinelOne AI SIEM Parser: SAP HANA Database +// OCSF Schema Version: 1.1.0 +// Maps SAP HANA audit JSON logs to OCSF classes +// Primary Classes: Database Activity (4003), Authentication (3002), Authorization (3003) + +{ + "parserName": "HANADatabase-OCSF", + "version": "1.0.0", + "vendor": "SAP", + "product": "HANA Database", + "format": "json", + + "patterns": [ + // Connection events (CONNECT/DISCONNECT) + { + "pattern": "\"audit_action\":\\s*\"CONNECT\"", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "type_uid", "value": "300201"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + {"jsonPath": "$.host", "to": "device.hostname"}, + {"jsonPath": "$.component", "to": "metadata.product.feature.name"}, + {"jsonPath": "$.source_file", "to": "metadata.log_name"}, + {"jsonPath": "$.source_line", "to": "metadata.log_line"}, + {"jsonPath": "$.thread_id", "to": "metadata.uid"}, + + // Time + {"jsonPath": "$.timestamp", "to": "time"}, + + // User + {"jsonPath": "$.user_name", "to": "user.name"}, + {"jsonPath": "$.application_user", "to": "actor.user.name"}, + {"jsonPath": "$.application_name", "to": "app_name"}, + + // Session + {"jsonPath": "$.connection_id", "to": "session.uid"}, + + // Source endpoint + {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"}, + {"jsonPath": "$.client_port", "to": "src_endpoint.port"}, + + // Audit policy + {"jsonPath": "$.audit_policy_name", "to": "policy.name"}, + {"jsonPath": "$.audit_level", "to": "severity"}, + + // Comment + {"jsonPath": "$.comment", "to": "message"}, + + // Status - check for error + {"set": "status_id", "value": "1", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"}, + {"set": "status", "value": "Success", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"} + ] + }, + + // Failed connection + { + "pattern": "\"audit_action\":\\s*\"CONNECT\".*\"error_code\":\\s*[1-9]", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + + {"jsonPath": "$.timestamp", "to": "time"}, + {"jsonPath": "$.user_name", "to": "user.name"}, + {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"}, + {"jsonPath": "$.error_code", "to": "status_code"}, + {"jsonPath": "$.error_message", "to": "status_detail"}, + + // Severity + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + }, + + // Disconnect + { + "pattern": "\"audit_action\":\\s*\"DISCONNECT\"", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Logoff"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + + {"jsonPath": "$.timestamp", "to": "time"}, + {"jsonPath": "$.user_name", "to": "user.name"}, + {"jsonPath": "$.connection_id", "to": "session.uid"}, + {"jsonPath": "$.session_duration_seconds", "to": "session.duration"}, + + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // SELECT queries + { + "pattern": "\"audit_action\":\\s*\"SELECT\"", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "Database Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Query"}, + {"set": "type_uid", "value": "400301"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + + {"jsonPath": "$.timestamp", "to": "time"}, + {"jsonPath": "$.user_name", "to": "actor.user.name"}, + {"jsonPath": "$.connection_id", "to": "actor.session.uid"}, + {"jsonPath": "$.transaction_id", "to": "transaction.uid"}, + {"jsonPath": "$.statement_id", "to": "query_info.uid"}, + + // Query details + {"jsonPath": "$.statement", "to": "query_info.query_string"}, + {"jsonPath": "$.executed_statement", "to": "query_info.executed_query"}, + {"set": "query_info.query_type", "value": "SELECT"}, + + // Performance + {"jsonPath": "$.rows_affected", "to": "query_info.rows_affected"}, + {"jsonPath": "$.execution_time_ms", "to": "query_info.duration"}, + + // Source + {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"}, + {"jsonPath": "$.application_name", "to": "app_name"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Data modification (INSERT/UPDATE/DELETE) + { + "pattern": "\"audit_action\":\\s*\"(INSERT|UPDATE|DELETE)\"", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "Database Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + {"jsonPath": "$.audit_action", "to": "activity_name"}, + {"lookup": "activity_name", "map": {"INSERT": 2, "UPDATE": 3, "DELETE": 4}, "to": "activity_id"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + + {"jsonPath": "$.timestamp", "to": "time"}, + {"jsonPath": "$.user_name", "to": "actor.user.name"}, + {"jsonPath": "$.connection_id", "to": "actor.session.uid"}, + {"jsonPath": "$.transaction_id", "to": "transaction.uid"}, + + // Query + {"jsonPath": "$.statement", "to": "query_info.query_string"}, + {"jsonPath": "$.executed_statement", "to": "query_info.executed_query"}, + {"jsonPath": "$.rows_affected", "to": "query_info.rows_affected"}, + {"jsonPath": "$.execution_time_ms", "to": "query_info.duration"}, + + // Source + {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"}, + + // Severity for data modification + {"set": "severity_id", "value": "2"}, + {"set": "severity", "value": "Low"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // GRANT/REVOKE (privilege changes) + { + "pattern": "\"audit_action\":\\s*\"GRANT\"", + "rewrites": [ + {"set": "class_uid", "value": "3003"}, + {"set": "class_name", "value": "Authorization"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Grant"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + + {"jsonPath": "$.timestamp", "to": "time"}, + {"jsonPath": "$.user_name", "to": "actor.user.name"}, + {"jsonPath": "$.connection_id", "to": "actor.session.uid"}, + + // Privilege details + {"jsonPath": "$.statement", "to": "message"}, + {"jsonPath": "$.executed_statement", "to": "privileges"}, + + // Source + {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"}, + + // Severity for privilege grants + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Backup operations + { + "pattern": "\"audit_action\":\\s*\"BACKUP DATA\"", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "Database Activity"}, + {"set": "activity_id", "value": "5"}, + {"set": "activity_name", "value": "Backup"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + + {"jsonPath": "$.timestamp", "to": "time"}, + {"jsonPath": "$.user_name", "to": "actor.user.name"}, + {"jsonPath": "$.application_user", "to": "actor.user.account.name"}, + {"jsonPath": "$.application_name", "to": "app_name"}, + + // Backup details + {"jsonPath": "$.statement", "to": "message"}, + {"jsonPath": "$.backup_id", "to": "backup.uid"}, + {"jsonPath": "$.backup_size_mb", "to": "backup.size"}, + + // Source + {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Critical audit level events + { + "pattern": "\"audit_level\":\\s*\"CRITICAL\"", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + {"set": "finding_info.types", "value": ["Database Security Event"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "SAP HANA"}, + {"set": "metadata.product.vendor_name", "value": "SAP"}, + + {"jsonPath": "$.timestamp", "to": "time"}, + {"jsonPath": "$.user_name", "to": "actor.user.name"}, + {"jsonPath": "$.audit_action", "to": "finding_info.title"}, + {"jsonPath": "$.comment", "to": "finding_info.desc"}, + {"jsonPath": "$.statement", "to": "finding_info.data_sources"}, + + // Source + {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"}, + + // Severity + {"set": "severity_id", "value": "5"}, + {"set": "severity", "value": "Critical"} + ] + } + ], + + "audit_action_mappings": { + "CONNECT": {"class": "Authentication", "activity": "Logon"}, + "DISCONNECT": {"class": "Authentication", "activity": "Logoff"}, + "SELECT": {"class": "Database Activity", "activity": "Query"}, + "INSERT": {"class": "Database Activity", "activity": "Insert"}, + "UPDATE": {"class": "Database Activity", "activity": "Update"}, + "DELETE": {"class": "Database Activity", "activity": "Delete"}, + "CREATE": {"class": "Database Activity", "activity": "Create"}, + "DROP": {"class": "Database Activity", "activity": "Delete"}, + "ALTER": {"class": "Database Activity", "activity": "Update"}, + "GRANT": {"class": "Authorization", "activity": "Grant"}, + "REVOKE": {"class": "Authorization", "activity": "Revoke"}, + "BACKUP DATA": {"class": "Database Activity", "activity": "Backup"}, + "RESTORE": {"class": "Database Activity", "activity": "Restore"} + } +} diff --git a/parsers/ocsf-isc-bind b/parsers/ocsf-isc-bind new file mode 100644 index 0000000..f96b017 --- /dev/null +++ b/parsers/ocsf-isc-bind @@ -0,0 +1,259 @@ +// SentinelOne AI SIEM Parser: ISC BIND DNS Server +// OCSF Schema Version: 1.1.0 +// Maps ISC BIND query/security logs to OCSF classes +// Primary Class: DNS Activity (4003) + +{ + "parserName": "ISCBIND-OCSF", + "version": "1.0.0", + "vendor": "ISC", + "product": "BIND", + "format": "syslog", + + "patterns": [ + // Query logs + { + "pattern": "queries:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+query:\\s+(\\S+)\\s+IN\\s+(\\w+)", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "DNS Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Query"}, + {"set": "type_uid", "value": "400301"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "ISC BIND"}, + {"set": "metadata.product.vendor_name", "value": "ISC"}, + {"group": 1, "to": "metadata.uid"}, + + // Time (from syslog header) + {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"}, + + // Client + {"group": 2, "to": "src_endpoint.ip"}, + {"group": 3, "to": "src_endpoint.port"}, + + // Query info + {"group": 4, "to": "query_info.opcode"}, + {"group": 5, "to": "query_info.hostname"}, + {"group": 6, "to": "query_info.type"}, + + // DNS server + {"regex": "\\(([\\d.]+)\\)$", "group": 1, "to": "dst_endpoint.ip"}, + + // Observables + {"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$2"}}, + {"array": "observables", "append": {"type": "Hostname", "type_id": 1, "value": "$5"}}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Security - Zone transfer denied + { + "pattern": "security:\\s+warning:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+zone transfer\\s+'([^']+)'\\s+denied", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + {"set": "finding_info.types", "value": ["DNS Zone Transfer Attempt"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "ISC BIND"}, + {"set": "metadata.product.vendor_name", "value": "ISC"}, + + // Time + {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"}, + + // Client + {"group": 2, "to": "src_endpoint.ip"}, + {"group": 3, "to": "src_endpoint.port"}, + + // Zone + {"group": 5, "to": "finding_info.title"}, + {"set": "finding_info.desc", "value": "Unauthorized zone transfer attempt"}, + + // Severity + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"}, + + // Status + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Deny"} + ] + }, + + // Security - Query denied + { + "pattern": "security:\\s+error:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+query\\s+\\(cache\\)\\s+'([^']+)'\\s+denied", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "DNS Activity"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Query Denied"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "ISC BIND"}, + {"set": "metadata.product.vendor_name", "value": "ISC"}, + + // Time + {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"}, + + // Client + {"group": 2, "to": "src_endpoint.ip"}, + {"group": 3, "to": "src_endpoint.port"}, + + // Query + {"group": 5, "to": "query_info.hostname"}, + + // Status + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + {"set": "rcode", "value": "REFUSED"}, + + // Severity + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + }, + + // Zone transfer (AXFR) - successful + { + "pattern": "xfer-out:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+transfer of\\s+'([^']+)':\\s+AXFR\\s+(started|ended)", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "DNS Activity"}, + + {"group": 6, "to": "transfer_status"}, + {"lookup": "transfer_status", "map": {"started": 3, "ended": 4}, "to": "activity_id"}, + {"lookup": "transfer_status", "map": {"started": "Zone Transfer Start", "ended": "Zone Transfer Complete"}, "to": "activity_name"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "ISC BIND"}, + {"set": "metadata.product.vendor_name", "value": "ISC"}, + + // Time + {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"}, + + // Client (secondary DNS) + {"group": 2, "to": "dst_endpoint.ip"}, + {"group": 3, "to": "dst_endpoint.port"}, + + // Zone + {"group": 5, "to": "query_info.hostname"}, + {"set": "query_info.type", "value": "AXFR"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Dynamic update + { + "pattern": "update:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+updating zone\\s+'([^']+)':\\s+(adding|deleting)\\s+an RR at\\s+'([^']+)'\\s+(\\w+)\\s+(\\S+)", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "DNS Activity"}, + + {"group": 6, "to": "update_action"}, + {"lookup": "update_action", "map": {"adding": 5, "deleting": 6}, "to": "activity_id"}, + {"lookup": "update_action", "map": {"adding": "Record Add", "deleting": "Record Delete"}, "to": "activity_name"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "ISC BIND"}, + {"set": "metadata.product.vendor_name", "value": "ISC"}, + + // Time + {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"}, + + // Client + {"group": 2, "to": "src_endpoint.ip"}, + {"group": 3, "to": "src_endpoint.port"}, + + // Zone and record + {"group": 5, "to": "query_info.zone"}, + {"group": 7, "to": "query_info.hostname"}, + {"group": 8, "to": "query_info.type"}, + {"group": 9, "to": "answers.rdata"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Rate limiting + { + "pattern": "rate-limit:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+):\\s+rate limit\\s+(\\w+)\\s+(\\w+)\\s+response", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "finding_info.types", "value": ["DNS Rate Limiting"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "ISC BIND"}, + {"set": "metadata.product.vendor_name", "value": "ISC"}, + + // Time + {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"}, + + // Client + {"group": 2, "to": "src_endpoint.ip"}, + {"group": 3, "to": "src_endpoint.port"}, + + // Rate limit action + {"group": 4, "to": "activity_name"}, + {"group": 5, "to": "finding_info.title"}, + + // Severity + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + }, + + // DNSSEC events + { + "pattern": "dnssec:\\s+info:\\s+zone\\s+(\\S+):\\s+DNSKEY\\s+(\\d+)/(\\w+)\\s+\\((\\w+)\\)\\s+is now\\s+(\\w+)", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "DNS Activity"}, + {"set": "activity_id", "value": "7"}, + {"set": "activity_name", "value": "DNSSEC Key Event"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "ISC BIND"}, + {"set": "metadata.product.vendor_name", "value": "ISC"}, + + // Time + {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"}, + + // Zone + {"group": 1, "to": "query_info.zone"}, + + // Key info + {"group": 2, "to": "dnssec.key_tag"}, + {"group": 3, "to": "dnssec.algorithm"}, + {"group": 4, "to": "dnssec.key_type"}, + {"group": 5, "to": "dnssec.key_state"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + } + ], + + "query_type_mappings": { + "A": 1, "AAAA": 28, "MX": 15, "TXT": 16, "CNAME": 5, + "NS": 2, "SOA": 6, "PTR": 12, "SRV": 33, "AXFR": 252, "ANY": 255 + } +} diff --git a/parsers/ocsf-linux-os b/parsers/ocsf-linux-os new file mode 100644 index 0000000..446407f --- /dev/null +++ b/parsers/ocsf-linux-os @@ -0,0 +1,406 @@ +// SentinelOne AI SIEM Parser: Linux OS +// OCSF Schema Version: 1.1.0 +// Maps Linux syslog/auth/audit logs to OCSF classes +// Primary Classes: Authentication (3002), Process Activity (1007), Account Change (3001) + +{ + "parserName": "LinuxOS-OCSF", + "version": "1.0.0", + "vendor": "Linux", + "product": "Linux OS", + "format": "syslog", + + "patterns": [ + // SSH successful login + { + "pattern": "sshd\\[\\d+\\]:\\s+Accepted\\s+(\\w+)\\s+for\\s+(\\S+)\\s+from\\s+([\\d.]+)\\s+port\\s+(\\d+)", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "type_uid", "value": "300201"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "OpenSSH"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)\\s+(\\S+)", "group": 2, "to": "device.hostname"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Auth method + {"group": 1, "to": "auth_protocol"}, + + // User + {"group": 2, "to": "user.name"}, + + // Source + {"group": 3, "to": "src_endpoint.ip"}, + {"group": 4, "to": "src_endpoint.port"}, + + // SSH key fingerprint + {"regex": "SHA256:(\\S+)", "group": 1, "to": "user.credential_uid"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // SSH failed login + { + "pattern": "sshd\\[\\d+\\]:\\s+Failed\\s+(\\w+)\\s+for\\s+(invalid user\\s+)?(\\S+)\\s+from\\s+([\\d.]+)\\s+port\\s+(\\d+)", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "OpenSSH"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Auth method + {"group": 1, "to": "auth_protocol"}, + + // User + {"group": 3, "to": "user.name"}, + {"set": "user.type", "value": "Invalid", "if": "invalid user"}, + + // Source + {"group": 4, "to": "src_endpoint.ip"}, + {"group": 5, "to": "src_endpoint.port"}, + + // Severity + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + }, + + // Sudo command execution + { + "pattern": "sudo:\\s+(\\S+)\\s+:\\s+TTY=(\\S+)\\s+;\\s+PWD=(\\S+)\\s+;\\s+USER=(\\S+)\\s+;\\s+COMMAND=(.+)$", + "rewrites": [ + {"set": "class_uid", "value": "1007"}, + {"set": "class_name", "value": "Process Activity"}, + {"set": "category_uid", "value": "1"}, + {"set": "category_name", "value": "System Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Launch"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "sudo"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Actor + {"group": 1, "to": "actor.user.name"}, + {"group": 2, "to": "actor.session.terminal"}, + {"group": 3, "to": "process.cwd"}, + + // Target user (run as) + {"group": 4, "to": "user.name"}, + + // Command + {"group": 5, "to": "process.cmd_line"}, + + // Privilege escalation indicator + {"set": "is_privileged", "value": "true"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Sudo denied + { + "pattern": "sudo:\\s+(\\S+)\\s+:\\s+user NOT in sudoers", + "rewrites": [ + {"set": "class_uid", "value": "3003"}, + {"set": "class_name", "value": "Authorization"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Deny"}, + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "sudo"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // User + {"group": 1, "to": "actor.user.name"}, + + // Extract command attempted + {"regex": "COMMAND=(.+)$", "group": 1, "to": "process.cmd_line"}, + + // Severity + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"} + ] + }, + + // User creation (useradd) + { + "pattern": "useradd\\[\\d+\\]:\\s+new user:\\s+name=(\\S+),\\s+UID=(\\d+),\\s+GID=(\\d+),\\s+home=(\\S+),\\s+shell=(\\S+)", + "rewrites": [ + {"set": "class_uid", "value": "3001"}, + {"set": "class_name", "value": "Account Change"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Create"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "useradd"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // New user + {"group": 1, "to": "user.name"}, + {"group": 2, "to": "user.uid"}, + {"group": 3, "to": "user.gid"}, + {"group": 4, "to": "user.home"}, + {"group": 5, "to": "user.shell"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // User modification (usermod) + { + "pattern": "usermod\\[\\d+\\]:\\s+add\\s+'(\\S+)'\\s+to\\s+group\\s+'(\\S+)'", + "rewrites": [ + {"set": "class_uid", "value": "3004"}, + {"set": "class_name", "value": "Group Membership"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Add"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "usermod"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // User and group + {"group": 1, "to": "user.name"}, + {"group": 2, "to": "group.name"}, + + // Severity for privileged groups + {"set": "severity_id", "value": "4", "if": "wheel|sudo|root|admin"}, + {"set": "severity", "value": "High", "if": "wheel|sudo|root|admin"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // UFW firewall block + { + "pattern": "kernel:\\s+\\[UFW BLOCK\\]\\s+IN=(\\S*)\\s+OUT=(\\S*).*SRC=([\\d.]+)\\s+DST=([\\d.]+).*PROTO=(\\w+)\\s+SPT=(\\d+)\\s+DPT=(\\d+)", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Deny"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "UFW"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Interfaces + {"group": 1, "to": "src_endpoint.interface_name"}, + {"group": 2, "to": "dst_endpoint.interface_name"}, + + // Endpoints + {"group": 3, "to": "src_endpoint.ip"}, + {"group": 4, "to": "dst_endpoint.ip"}, + {"group": 6, "to": "src_endpoint.port"}, + {"group": 7, "to": "dst_endpoint.port"}, + + // Protocol + {"group": 5, "to": "connection_info.protocol_name"}, + + // Status + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"} + ] + }, + + // Audit EXECVE (command execution) + { + "pattern": "auditd\\[\\d+\\]:\\s+EXECVE\\s+argc=(\\d+)\\s+(.+)$", + "rewrites": [ + {"set": "class_uid", "value": "1007"}, + {"set": "class_name", "value": "Process Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Launch"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "auditd"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Arguments + {"group": 1, "to": "process.argc"}, + {"group": 2, "to": "process.cmd_line", "transform": "parseAuditArgs"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Systemd service start + { + "pattern": "systemd\\[1\\]:\\s+Started\\s+(.+?)(?:\\s+-\\s+(.+))?\\.?$", + "rewrites": [ + {"set": "class_uid", "value": "1006"}, + {"set": "class_name", "value": "Service Activity"}, + {"set": "category_uid", "value": "1"}, + {"set": "category_name", "value": "System Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Start"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "systemd"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Service + {"group": 1, "to": "service.name"}, + {"group": 2, "to": "service.desc"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Cron job execution + { + "pattern": "cron\\[\\d+\\]:\\s+\\((\\S+)\\)\\s+CMD\\s+\\((.+)\\)$", + "rewrites": [ + {"set": "class_uid", "value": "1007"}, + {"set": "class_name", "value": "Process Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Launch"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "cron"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // User + {"group": 1, "to": "actor.user.name"}, + + // Command + {"group": 2, "to": "process.cmd_line"}, + + // Scheduled task indicator + {"set": "is_scheduled", "value": "true"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Password change + { + "pattern": "passwd\\[\\d+\\]:\\s+password changed for\\s+(\\S+)\\s+by\\s+(\\S+)", + "rewrites": [ + {"set": "class_uid", "value": "3001"}, + {"set": "class_name", "value": "Account Change"}, + {"set": "activity_id", "value": "3"}, + {"set": "activity_name", "value": "Password Change"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "passwd"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Target user + {"group": 1, "to": "user.name"}, + + // Actor + {"group": 2, "to": "actor.user.name"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // SSH disconnect + { + "pattern": "sshd\\[\\d+\\]:\\s+Received disconnect from\\s+([\\d.]+)\\s+port\\s+(\\d+):(\\d+):\\s+(.+)$", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Logoff"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "OpenSSH"}, + {"set": "metadata.product.vendor_name", "value": "Linux"}, + + // Time + {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"}, + + // Source + {"group": 1, "to": "src_endpoint.ip"}, + {"group": 2, "to": "src_endpoint.port"}, + + // Disconnect code and reason + {"group": 3, "to": "status_code"}, + {"group": 4, "to": "status_detail"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + } + ], + + "transforms": { + "parseAuditArgs": { + "description": "Parse audit EXECVE arguments a0=\"/bin/bash\" a1=\"-c\" to command line", + "regex": "a\\d+=\"([^\"]+)\"", + "join": " " + } + } +} diff --git a/parsers/ocsf-mitre-attack b/parsers/ocsf-mitre-attack new file mode 100644 index 0000000..a007a9a --- /dev/null +++ b/parsers/ocsf-mitre-attack @@ -0,0 +1 @@ +{"name": "OCSF MITRE Coverage", "graphs": [{"label": "T1110-Brute Force", "filter": "message contains \"Failed\"", "function": "count", "graphType": "value"}, {"label": "T1046-Scanning", "filter": "action=\"deny\"", "function": "count", "graphType": "value"}, {"label": "T1059-Command Exec", "filter": "message contains \"bash\"", "function": "count", "graphType": "value"}, {"label": "T1078-Valid Accounts", "filter": "user_name=\"root\"", "function": "count", "graphType": "value"}, {"label": "T1548-Priv Esc", "filter": "message contains \"sudo\"", "function": "count", "graphType": "value"}, {"label": "Top IPs", "facet": "src_ip", "filter": "src_ip is not null", "graphType": "topValuesTable", "limit": 10}]} \ No newline at end of file diff --git a/parsers/ocsf-mitre-coverage b/parsers/ocsf-mitre-coverage new file mode 100644 index 0000000..8dd7477 --- /dev/null +++ b/parsers/ocsf-mitre-coverage @@ -0,0 +1,160 @@ +{ + "duration": "24h", + "description": "MITRE ATT&CK technique coverage from OCSF detections", + "graphs": [ + { + "title": "MITRE ATT&CK Coverage", + "graphStyle": "markdown", + "markdown": "## MITRE ATT&CK Technique Counters\nEach panel shows the count of events matching a specific MITRE technique pattern.\n\n| Technique | Description |\n|---|---|\n| T1110 | Brute Force |\n| T1046 | Network Service Scanning |\n| T1059 | Command and Scripting Interpreter |\n| T1078 | Valid Accounts |\n| T1098 | Account Manipulation |\n| T1548 | Abuse Elevation Control Mechanism |", + "layout": { + "w": 60, + "h": 10, + "x": 0, + "y": 0 + } + }, + { + "title": "T1110 - Brute Force", + "graphStyle": "number", + "query": "message contains 'Failed password' or message contains 'authentication failure' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 0, + "y": 10 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1046 - Network Scanning", + "graphStyle": "number", + "query": "action = 'deny' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 15, + "y": 10 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1059 - Command Execution", + "graphStyle": "number", + "query": "message contains 'bash -c' or message contains 'python -c' or message contains 'powershell -enc' or message contains 'cmd.exe /c' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 30, + "y": 10 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1078 - Valid Accounts", + "graphStyle": "number", + "query": "user_name = 'root' or user_name = 'Administrator' or user_name = 'admin' or user_name = 'SYSTEM' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 45, + "y": 10 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1098 - Account Manipulation", + "graphStyle": "number", + "query": "message contains 'useradd' or message contains 'usermod' or message contains 'GRANT' or message contains 'Add member' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 0, + "y": 17 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1548 - Privilege Escalation", + "graphStyle": "number", + "query": "message contains 'sudo' or message contains 'NOT in sudoers' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 15, + "y": 17 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1021 - Remote Services", + "graphStyle": "number", + "query": "(dstport = 22 or dstport = 3389 or dstport = 5985) action = 'allow' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 30, + "y": 17 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1136 - Create Account", + "graphStyle": "number", + "query": "message contains 'useradd' or message contains 'new user' or message contains 'CREATE USER' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 45, + "y": 17 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "Detections Over Time", + "graphStyle": "stacked_bar", + "xAxis": "time", + "query": "serverHost contains 'ocsf' | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp", + "layout": { + "w": 40, + "h": 14, + "x": 0, + "y": 24 + } + }, + { + "title": "Top Attacker IPs", + "graphStyle": "table", + "query": "src_ip = * (message contains 'Failed' or message contains 'deny' or action = 'deny') | group hits=count() by src_ip | sort -hits | limit 10", + "layout": { + "w": 20, + "h": 14, + "x": 40, + "y": 24 + } + } + ] +} \ No newline at end of file diff --git a/parsers/ocsf-mitre-coverage-v2 b/parsers/ocsf-mitre-coverage-v2 new file mode 100644 index 0000000..bed2681 --- /dev/null +++ b/parsers/ocsf-mitre-coverage-v2 @@ -0,0 +1,160 @@ +{ + "duration": "24h", + "description": "MITRE ATT&CK technique coverage from OCSF detections", + "graphs": [ + { + "title": "MITRE ATT&CK Coverage", + "graphStyle": "markdown", + "markdown": "## MITRE ATT&CK Technique Counters\\n\\nEach panel shows the count of events matching a specific MITRE technique pattern.\\n\\n| Technique | Description | Detection Pattern |\\n|---|---|---|\\n| T1110 | Brute Force | Failed password attempts |\\n| T1046 | Network Scanning | Firewall denies to multiple ports |\\n| T1059 | Command Execution | bash -c, powershell -enc |\\n| T1078 | Valid Accounts | root/admin/SYSTEM usage |\\n| T1098 | Account Manipulation | useradd, GRANT |\\n| T1548 | Privilege Escalation | sudo, NOT in sudoers |", + "layout": { + "w": 60, + "h": 12, + "x": 0, + "y": 0 + } + }, + { + "title": "T1110 - Brute Force", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (message contains 'Failed password' or message contains 'authentication failure') | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 0, + "y": 12 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1046 - Network Scanning", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' action = 'deny' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 15, + "y": 12 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1059 - Command Execution", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (message contains 'bash -c' or message contains 'python -c' or message contains 'powershell -enc' or message contains 'cmd.exe /c') | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 30, + "y": 12 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1078 - Valid Accounts", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (user_name = 'root' or user_name = 'Administrator' or user_name = 'admin' or user_name = 'SYSTEM') | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 45, + "y": 12 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1098 - Account Manipulation", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (message contains 'useradd' or message contains 'usermod' or message contains 'GRANT' or message contains 'Add member') | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 0, + "y": 19 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1548 - Privilege Escalation", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (message contains 'sudo' or message contains 'NOT in sudoers') | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 15, + "y": 19 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1021 - Remote Services", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (dstport = 22 or dstport = 3389 or dstport = 5985) action = 'allow' | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 30, + "y": 19 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "T1136 - Create Account", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (message contains 'useradd' or message contains 'new user' or message contains 'CREATE USER') | group count() | limit 1", + "layout": { + "w": 15, + "h": 7, + "x": 45, + "y": 19 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "Detections Over Time", + "graphStyle": "stacked_bar", + "xAxis": "time", + "query": "serverHost contains 'ocsf' | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp", + "layout": { + "w": 40, + "h": 14, + "x": 0, + "y": 26 + } + }, + { + "title": "Top Attacker IPs", + "graphStyle": "table", + "query": "src_ip = * serverHost contains 'ocsf' (message contains 'Failed' or message contains 'deny' or action = 'deny') | group hits=count() by src_ip | sort -hits | limit 10", + "layout": { + "w": 20, + "h": 14, + "x": 40, + "y": 26 + } + } + ] +} \ No newline at end of file diff --git a/parsers/ocsf-ms-dhcp b/parsers/ocsf-ms-dhcp new file mode 100644 index 0000000..cadc65f --- /dev/null +++ b/parsers/ocsf-ms-dhcp @@ -0,0 +1,163 @@ +// SentinelOne AI SIEM Parser: Microsoft DHCP Server +// OCSF Schema Version: 1.1.0 +// Maps Microsoft DHCP CSV logs to OCSF classes +// Primary Class: DHCP Activity (4004) + +{ + "parserName": "MicrosoftDHCP-OCSF", + "version": "1.0.0", + "vendor": "Microsoft", + "product": "DHCP Server", + "format": "csv", + "hasHeader": true, + + "patterns": [ + // DHCP Lease events (Assign, Renew, Release) + { + "pattern": "^(10|11|12|17|20),", + "rewrites": [ + {"set": "class_uid", "value": "4004"}, + {"set": "class_name", "value": "DHCP Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft DHCP"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + {"csv": "TransactionID", "to": "metadata.uid"}, + {"csv": "CorrelationID", "to": "metadata.correlation_uid"}, + + // Time + {"concat": ["$Date", " ", "$Time"], "to": "time"}, + + // Event ID mapping + {"csv": "ID", "to": "event_id"}, + {"lookup": "event_id", "map": { + "10": 1, "11": 2, "12": 3, "13": 4, "14": 5, + "15": 6, "16": 7, "17": 8, "20": 9 + }, "to": "activity_id"}, + {"lookup": "event_id", "map": { + "10": "Assign", "11": "Renew", "12": "Release", + "13": "DNS Update Request", "14": "DNS Update Successful", + "15": "NACK", "16": "Decline", "17": "Expired", "20": "BOOTP Assign" + }, "to": "activity_name"}, + + // Description + {"csv": "Description", "to": "message"}, + + // Lease info + {"csv": "IP Address", "to": "lease.ip"}, + {"csv": "Host Name", "to": "lease.hostname"}, + {"csv": "MAC Address", "to": "lease.mac"}, + + // Device + {"csv": "IP Address", "to": "device.ip"}, + {"csv": "Host Name", "to": "device.hostname"}, + {"csv": "MAC Address", "to": "device.mac"}, + + // User (if available) + {"csv": "User Name", "to": "user.name"}, + + // DHCP identifiers + {"csv": "Dhcid", "to": "dhcp.client_id"}, + {"csv": "VendorClass(ASCII)", "to": "dhcp.vendor_class"}, + {"csv": "UserClass(ASCII)", "to": "dhcp.user_class"}, + {"csv": "RelayAgentInformation", "to": "dhcp.relay_agent"}, + + // Status based on event + {"set": "status_id", "value": "1", "if": "ID:(10|11|13|14|20)"}, + {"set": "status", "value": "Success", "if": "ID:(10|11|13|14|20)"}, + {"set": "status_id", "value": "2", "if": "ID:(15|16|30)"}, + {"set": "status", "value": "Failure", "if": "ID:(15|16|30)"} + ] + }, + + // DNS Update events + { + "pattern": "^(13|14|30|31),", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "DNS Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft DHCP"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + // Time + {"concat": ["$Date", " ", "$Time"], "to": "time"}, + + // Activity + {"csv": "ID", "to": "event_id"}, + {"lookup": "event_id", "map": { + "13": 1, "14": 1, "30": 2, "31": 1 + }, "to": "activity_id"}, + {"lookup": "event_id", "map": { + "13": "DNS Update Request", "14": "DNS Update Successful", + "30": "DNS Update Failed", "31": "DNS Update Request" + }, "to": "activity_name"}, + + // DNS info + {"csv": "Host Name", "to": "query_info.hostname"}, + {"csv": "IP Address", "to": "answers.rdata"}, + + // Status + {"csv": "DnsRegError", "to": "status_code"}, + {"set": "status_id", "value": "1", "if": "DnsRegError:0"}, + {"set": "status", "value": "Success", "if": "DnsRegError:0"}, + {"set": "status_id", "value": "2", "if": "DnsRegError:[^0]"}, + {"set": "status", "value": "Failure", "if": "DnsRegError:[^0]"} + ] + }, + + // NACK/Decline/Expired (potential issues) + { + "pattern": "^(15|16|17|32),", + "rewrites": [ + {"set": "class_uid", "value": "4004"}, + {"set": "class_name", "value": "DHCP Activity"}, + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft DHCP"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + // Time + {"concat": ["$Date", " ", "$Time"], "to": "time"}, + + // Event + {"csv": "ID", "to": "event_id"}, + {"lookup": "event_id", "map": { + "15": "NACK", "16": "Decline", "17": "Expired", "32": "Deleted" + }, "to": "activity_name"}, + + // Device + {"csv": "IP Address", "to": "device.ip"}, + {"csv": "Host Name", "to": "device.hostname"}, + {"csv": "MAC Address", "to": "device.mac"}, + + // Severity for issues + {"set": "severity_id", "value": "2"}, + {"set": "severity", "value": "Low"} + ] + } + ], + + "event_id_reference": { + "10": "New IP address leased to client", + "11": "Lease renewed by client", + "12": "Lease released by client", + "13": "DNS update request sent", + "14": "DNS update successful", + "15": "DHCP NACK sent to client", + "16": "DHCP Decline from client", + "17": "Lease expired and deleted", + "20": "BOOTP address leased to client", + "30": "DNS update failed", + "31": "DNS update request sent", + "32": "Lease deleted by administrator" + } +} diff --git a/parsers/ocsf-ms-dns b/parsers/ocsf-ms-dns new file mode 100644 index 0000000..ed78e7a --- /dev/null +++ b/parsers/ocsf-ms-dns @@ -0,0 +1,113 @@ +// SentinelOne AI SIEM Parser: Microsoft DNS Debug Log +// OCSF Schema Version: 1.1.0 +// Maps Microsoft DNS debug logs to OCSF classes +// Primary Class: DNS Activity (4003) + +{ + "parserName": "MicrosoftDNS-OCSF", + "version": "1.0.0", + "vendor": "Microsoft", + "product": "DNS Server", + "format": "regex", + + "patterns": [ + // DNS Query/Response + { + "pattern": "^(\\d+/\\d+/\\d+)\\s+(\\d+:\\d+:\\d+\\s+[AP]M)\\s+(\\w+)\\s+PACKET\\s+(\\w+)\\s+(UDP|TCP)\\s+(Rcv|Snd)\\s+([\\d.]+)\\s+(\\w+)\\s+([RQ\\s]+)\\s+\\[([^\\]]+)\\]\\s+(\\w+)\\s+(.+)$", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "DNS Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + // Activity based on direction + {"group": 6, "to": "direction"}, + {"lookup": "direction", "map": {"Rcv": 1, "Snd": 2}, "to": "activity_id"}, + {"lookup": "direction", "map": {"Rcv": "Query", "Snd": "Response"}, "to": "activity_name"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Microsoft DNS"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + {"group": 3, "to": "metadata.uid"}, + {"group": 4, "to": "metadata.log_name"}, + + // Time + {"concat": ["$1", " ", "$2"], "to": "time"}, + + // Protocol + {"group": 5, "to": "connection_info.protocol_name"}, + + // Client IP + {"group": 7, "to": "src_endpoint.ip"}, + + // Transaction ID + {"group": 8, "to": "query_info.uid"}, + + // Flags + {"group": 9, "to": "query_info.flags"}, + {"group": 10, "to": "rcode_name"}, + + // Query type + {"group": 11, "to": "query_info.type"}, + + // Query name (decode DNS format) + {"group": 12, "to": "query_info.hostname", "transform": "decodeDnsName"}, + + // Response code mapping + {"lookup": "rcode_name", "map": { + "NOERROR": 0, "FORMERR": 1, "SERVFAIL": 2, "NXDOMAIN": 3, + "NOTIMP": 4, "REFUSED": 5, "YXDOMAIN": 6, "YXRRSET": 7 + }, "to": "rcode_id"}, + + // Status based on response code + {"set": "status_id", "value": "1", "if": "NOERROR"}, + {"set": "status", "value": "Success", "if": "NOERROR"}, + {"set": "status_id", "value": "2", "if": "REFUSED|NXDOMAIN|SERVFAIL"}, + {"set": "status", "value": "Failure", "if": "REFUSED|NXDOMAIN|SERVFAIL"}, + + // Observables + {"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$7"}}, + {"array": "observables", "append": {"type": "Hostname", "type_id": 1, "value": "$query_info.hostname"}} + ] + } + ], + + "transforms": { + "decodeDnsName": { + "description": "Converts DNS wire format (4)mail(4)corp(5)local(0) to mail.corp.local", + "regex": "\\((\\d+)\\)([^(]+)", + "replace": "$2.", + "trim": "." + } + }, + + "query_type_mappings": { + "A": {"id": 1, "name": "A (IPv4 Address)"}, + "AAAA": {"id": 28, "name": "AAAA (IPv6 Address)"}, + "MX": {"id": 15, "name": "MX (Mail Exchange)"}, + "TXT": {"id": 16, "name": "TXT (Text)"}, + "CNAME": {"id": 5, "name": "CNAME (Canonical Name)"}, + "NS": {"id": 2, "name": "NS (Name Server)"}, + "SOA": {"id": 6, "name": "SOA (Start of Authority)"}, + "PTR": {"id": 12, "name": "PTR (Pointer)"}, + "SRV": {"id": 33, "name": "SRV (Service)"}, + "AXFR": {"id": 252, "name": "AXFR (Zone Transfer)"}, + "ANY": {"id": 255, "name": "ANY (All Records)"} + }, + + "security_indicators": { + "zone_transfer": { + "condition": "query_info.type == 'AXFR'", + "severity_id": 4, + "severity": "High", + "finding_info.title": "DNS Zone Transfer Attempt" + }, + "any_query": { + "condition": "query_info.type == 'ANY'", + "severity_id": 3, + "severity": "Medium", + "finding_info.title": "DNS ANY Query (Potential Amplification)" + } + } +} diff --git a/parsers/ocsf-oracle-rdbms b/parsers/ocsf-oracle-rdbms new file mode 100644 index 0000000..159c232 --- /dev/null +++ b/parsers/ocsf-oracle-rdbms @@ -0,0 +1,184 @@ +// SentinelOne AI SIEM Parser: Oracle RDBMS Audit Record +// OCSF Schema Version: 1.1.0 +// Maps Oracle Database audit trail to OCSF classes +// Primary Classes: Database Activity (4003), Authentication (3002), Authorization (3003) + +{ + "parserName": "OracleRDBMS-OCSF", + "version": "1.0.0", + "vendor": "Oracle", + "product": "Oracle Database", + "format": "kv", + "delimiter": " ", + "kvSeparator": ":", + + "patterns": [ + // Logon events + { + "pattern": "ACTION_NAME:\\s*LOGON", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "type_uid", "value": "300201"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Oracle Database"}, + {"set": "metadata.product.vendor_name", "value": "Oracle"}, + {"regex": "DBID:\\s*(\\d+)", "group": 1, "to": "metadata.product.uid"}, + {"regex": "INSTANCE_NUMBER:\\s*(\\d+)", "group": 1, "to": "metadata.product.feature.uid"}, + + // Time + {"regex": "TIMESTAMP:\\s*([\\d-]+\\s[\\d:.]+\\s\\w+)", "group": 1, "to": "time"}, + + // User + {"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "user.name"}, + {"regex": "OS_USERNAME:\\s*(\\S+)", "group": 1, "to": "actor.user.name"}, + {"regex": "CLIENT_ID:\\s*(\\S+)", "group": 1, "to": "user.credential_uid"}, + + // Session + {"regex": "SESSIONID:\\s*(\\d+)", "group": 1, "to": "session.uid"}, + + // Source + {"regex": "USERHOST:\\s*(\\S+)", "group": 1, "to": "src_endpoint.name"}, + {"regex": "TERMINAL:\\s*(\\S+)", "group": 1, "to": "src_endpoint.interface_name"}, + {"regex": "OS_PROCESS:\\s*(\\d+)", "group": 1, "to": "actor.process.pid"}, + + // Auth details + {"regex": "AUTHENTICATION_TYPE:\\s*(\\S+)", "group": 1, "to": "auth_protocol"}, + {"regex": "PRIV_USED:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "user.privileges"}, + + // Status + {"regex": "RETURNCODE:\\s*(\\d+)", "group": 1, "to": "status_code"}, + {"set": "status_id", "value": "1", "if": "RETURNCODE: 0"}, + {"set": "status", "value": "Success", "if": "RETURNCODE: 0"}, + {"set": "status_id", "value": "2", "if": "RETURNCODE: [^0]"}, + {"set": "status", "value": "Failure", "if": "RETURNCODE: [^0]"}, + + // Comment + {"regex": "COMMENT_TEXT:\\s*(.+?)$", "group": 1, "to": "message"} + ] + }, + + // SELECT/Query events + { + "pattern": "ACTION_NAME:\\s*SELECT", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "Database Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Query"}, + {"set": "type_uid", "value": "400301"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Oracle Database"}, + {"set": "metadata.product.vendor_name", "value": "Oracle"}, + + // User + {"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "actor.user.name"}, + {"regex": "SESSIONID:\\s*(\\d+)", "group": 1, "to": "actor.session.uid"}, + + // Database object + {"regex": "OBJ_CREATOR:\\s*(\\S+)", "group": 1, "to": "database.schema"}, + {"regex": "OBJ_NAME:\\s*(\\S+)", "group": 1, "to": "database.table"}, + + // Query + {"regex": "SQL_TEXT:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "query_info.query_string"}, + {"set": "query_info.query_type", "value": "SELECT"}, + + // Source + {"regex": "USERHOST:\\s*(\\S+)", "group": 1, "to": "src_endpoint.name"}, + + // Privileges + {"regex": "PRIV_USED:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "actor.user.privileges"} + ] + }, + + // INSERT/UPDATE/DELETE events + { + "pattern": "ACTION_NAME:\\s*(INSERT|UPDATE|DELETE)", + "rewrites": [ + {"set": "class_uid", "value": "4003"}, + {"set": "class_name", "value": "Database Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + {"lookup": "ACTION_NAME", "map": {"INSERT": 2, "UPDATE": 3, "DELETE": 4}, "to": "activity_id"}, + {"lookup": "ACTION_NAME", "map": {"INSERT": "Insert", "UPDATE": "Update", "DELETE": "Delete"}, "to": "activity_name"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Oracle Database"}, + {"set": "metadata.product.vendor_name", "value": "Oracle"}, + + // User + {"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "actor.user.name"}, + {"regex": "SESSIONID:\\s*(\\d+)", "group": 1, "to": "actor.session.uid"}, + + // Database object + {"regex": "OBJ_CREATOR:\\s*(\\S+)", "group": 1, "to": "database.schema"}, + {"regex": "OBJ_NAME:\\s*(\\S+)", "group": 1, "to": "database.table"}, + + // Query + {"regex": "SQL_TEXT:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "query_info.query_string"}, + + // Source + {"regex": "USERHOST:\\s*(\\S+)", "group": 1, "to": "src_endpoint.name"}, + + // Severity for data modification + {"set": "severity_id", "value": "2"}, + {"set": "severity", "value": "Low"} + ] + }, + + // GRANT/REVOKE events + { + "pattern": "ACTION_NAME:\\s*(GRANT|REVOKE)", + "rewrites": [ + {"set": "class_uid", "value": "3003"}, + {"set": "class_name", "value": "Authorization"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + + {"lookup": "ACTION_NAME", "map": {"GRANT": 1, "REVOKE": 2}, "to": "activity_id"}, + {"lookup": "ACTION_NAME", "map": {"GRANT": "Grant", "REVOKE": "Revoke"}, "to": "activity_name"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Oracle Database"}, + {"set": "metadata.product.vendor_name", "value": "Oracle"}, + + // Actor (who granted) + {"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "actor.user.name"}, + + // Target (who received) + {"regex": "GRANTEE:\\s*(\\S+)", "group": 1, "to": "user.name"}, + + // Privilege/Role + {"regex": "OBJ_NAME:\\s*(\\S+)", "group": 1, "to": "privileges"}, + {"regex": "SQL_TEXT:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "message"}, + + // Severity for privilege changes + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"} + ] + } + ], + + "action_mappings": { + "100": {"name": "LOGON", "class": "Authentication", "activity": "Logon"}, + "101": {"name": "LOGOFF", "class": "Authentication", "activity": "Logoff"}, + "103": {"name": "SELECT", "class": "Database Activity", "activity": "Query"}, + "2": {"name": "INSERT", "class": "Database Activity", "activity": "Insert"}, + "6": {"name": "UPDATE", "class": "Database Activity", "activity": "Update"}, + "7": {"name": "DELETE", "class": "Database Activity", "activity": "Delete"}, + "108": {"name": "GRANT", "class": "Authorization", "activity": "Grant"}, + "109": {"name": "REVOKE", "class": "Authorization", "activity": "Revoke"}, + "1": {"name": "CREATE TABLE", "class": "Database Activity", "activity": "Create"}, + "12": {"name": "DROP TABLE", "class": "Database Activity", "activity": "Delete"} + } +} diff --git a/parsers/ocsf-paloalto b/parsers/ocsf-paloalto new file mode 100644 index 0000000..b239acc --- /dev/null +++ b/parsers/ocsf-paloalto @@ -0,0 +1,158 @@ +// SentinelOne AI SIEM Parser: Palo Alto PA Series +// OCSF Schema Version: 1.1.0 +// Maps Palo Alto CSV logs to OCSF classes +// Primary Classes: Network Activity (4001), Detection Finding (2004), Security Finding (2001) + +{ + "parserName": "PaloAlto-OCSF", + "version": "1.0.0", + "vendor": "Palo Alto Networks", + "product": "PA Series Firewall", + "format": "csv", + + "patterns": [ + // TRAFFIC logs + { + "pattern": ",TRAFFIC,", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Palo Alto Firewall"}, + {"set": "metadata.product.vendor_name", "value": "Palo Alto Networks"}, + {"csv": 1, "to": "metadata.product.version"}, + {"csv": 2, "to": "device.uid"}, + {"csv": 6, "to": "time"}, + + // Source endpoint + {"csv": 7, "to": "src_endpoint.ip"}, + {"csv": 8, "to": "dst_endpoint.ip"}, + {"csv": 9, "to": "proxy.ip"}, + {"csv": 10, "to": "proxy.dst_ip"}, + {"csv": 24, "to": "src_endpoint.port"}, + {"csv": 25, "to": "dst_endpoint.port"}, + + // User + {"csv": 12, "to": "actor.user.name"}, + + // Application + {"csv": 14, "to": "app_name"}, + + // Zones + {"csv": 16, "to": "src_endpoint.zone"}, + {"csv": 17, "to": "dst_endpoint.zone"}, + + // Interfaces + {"csv": 18, "to": "src_endpoint.interface_name"}, + {"csv": 19, "to": "dst_endpoint.interface_name"}, + + // Session + {"csv": 22, "to": "connection_info.session.uid"}, + + // Protocol + {"csv": 29, "to": "connection_info.protocol_name"}, + + // Action + {"csv": 30, "to": "activity_name"}, + {"lookup": "activity_name", "map": {"allow": 1, "deny": 2, "drop": 5, "reset-both": 6}, "to": "activity_id"}, + + // Traffic stats + {"csv": 31, "to": "traffic.bytes"}, + {"csv": 32, "to": "traffic.bytes_out"}, + {"csv": 33, "to": "traffic.bytes_in"}, + {"csv": 34, "to": "traffic.packets"}, + + // Duration + {"csv": 36, "to": "connection_info.session.duration"}, + + // Policy + {"csv": 11, "to": "policy.name"}, + + // Status + {"set": "status_id", "value": "1", "if": "allow"}, + {"set": "status", "value": "Success", "if": "allow"} + ] + }, + + // THREAT logs (vulnerability, spyware, virus, wildfire) + { + "pattern": ",THREAT,", + "rewrites": [ + {"set": "class_uid", "value": "2004"}, + {"set": "class_name", "value": "Detection Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Palo Alto Threat Prevention"}, + {"set": "metadata.product.vendor_name", "value": "Palo Alto Networks"}, + {"csv": 2, "to": "device.uid"}, + {"csv": 6, "to": "time"}, + + // Threat subtype + {"csv": 4, "to": "finding_info.type_uid"}, + + // Endpoints + {"csv": 7, "to": "src_endpoint.ip"}, + {"csv": 8, "to": "dst_endpoint.ip"}, + {"csv": 24, "to": "src_endpoint.port"}, + {"csv": 25, "to": "dst_endpoint.port"}, + + // User + {"csv": 12, "to": "actor.user.name"}, + + // Threat info + {"csv": 31, "to": "finding_info.title"}, + {"csv": 32, "to": "finding_info.desc"}, + {"csv": 33, "to": "severity"}, + {"lookup": "severity", "map": {"critical": 5, "high": 4, "medium": 3, "low": 2, "informational": 1}, "to": "severity_id"}, + + // Direction + {"csv": 34, "to": "connection_info.direction"}, + + // Threat ID + {"csv": 35, "to": "finding_info.uid"}, + + // Action + {"csv": 30, "to": "activity_name"}, + {"lookup": "activity_name", "map": {"alert": 1, "block": 2, "drop": 2, "reset-both": 2, "reset-client": 2, "reset-server": 2}, "to": "activity_id"}, + + // File info (for wildfire) + {"csv": 42, "to": "file.name"}, + {"csv": 43, "to": "file.type_id"}, + {"csv": 46, "to": "file.hashes.sha256"}, + {"csv": 47, "to": "malware.classification.name"} + ] + }, + + // SYSTEM logs + { + "pattern": ",SYSTEM,", + "rewrites": [ + {"set": "class_uid", "value": "6002"}, + {"set": "class_name", "value": "API Activity"}, + {"set": "category_uid", "value": "6"}, + {"set": "category_name", "value": "Application Activity"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Palo Alto System"}, + {"set": "metadata.product.vendor_name", "value": "Palo Alto Networks"}, + {"csv": 2, "to": "device.uid"}, + {"csv": 6, "to": "time"}, + + // System event type + {"csv": 4, "to": "activity_name"}, + + // Severity + {"csv": 33, "to": "severity"}, + + // Message + {"csv": 31, "to": "message"} + ] + } + ] +} diff --git a/parsers/ocsf-qradar b/parsers/ocsf-qradar new file mode 100644 index 0000000..d6c5e35 --- /dev/null +++ b/parsers/ocsf-qradar @@ -0,0 +1,96 @@ +// SentinelOne AI SIEM Parser: IBM QRadar +// OCSF Schema Version: 1.1.0 +// Maps QRadar LEEF/JSON events to OCSF classes +// Primary Classes: Security Finding (2001), Authentication (3002), Network Activity (4001) + +{ + "parserName": "QRadar-OCSF", + "version": "1.0.0", + "vendor": "IBM", + "product": "QRadar", + "format": "json", + + "patterns": [ + { + "pattern": ".*", + "rewrites": [ + // OCSF Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "QRadar"}, + {"set": "metadata.product.vendor_name", "value": "IBM"}, + {"copy": "logSourceName", "to": "metadata.log_name"}, + {"copy": "logSourceTypeName", "to": "metadata.product.feature.name"}, + + // OCSF Classification + {"set": "class_uid", "value": "2001"}, // Security Finding + {"set": "class_name", "value": "Security Finding"}, + {"copy": "category", "to": "category_name"}, + {"set": "type_uid", "value": "200101"}, // Security Finding: Create + + // Time mapping + {"copy": "startTime", "to": "time"}, + {"parseTimestamp": "startTime", "format": "ISO8601", "to": "time_dt"}, + + // Severity mapping (QRadar 1-10 to OCSF 0-6) + {"copy": "severity", "to": "severity_id", "transform": "qradarSeverityToOCSF"}, + {"lookup": "severity_id", "map": {"1": "Informational", "2": "Low", "3": "Medium", "4": "High", "5": "Critical", "6": "Fatal"}, "to": "severity"}, + + // Actor/User mapping + {"copy": "username", "to": "actor.user.name"}, + {"copy": "domainName", "to": "actor.user.domain"}, + {"copy": "identityHostName", "to": "actor.user.credential_uid"}, + + // Source endpoint + {"copy": "sourceIP", "to": "src_endpoint.ip"}, + {"copy": "sourcePort", "to": "src_endpoint.port"}, + + // Destination endpoint + {"copy": "destinationIP", "to": "dst_endpoint.ip"}, + {"copy": "destinationPort", "to": "dst_endpoint.port"}, + + // Network connection + {"copy": "protocol", "to": "connection_info.protocol_name"}, + + // Finding details + {"copy": "qidName", "to": "finding_info.title"}, + {"copy": "eventName", "to": "finding_info.desc"}, + {"copy": "qid", "to": "finding_info.uid"}, + {"copy": "payload", "to": "finding_info.data_sources"}, + + // Risk scoring + {"copy": "magnitude", "to": "risk_score"}, + {"copy": "credibility", "to": "confidence_score"}, + {"copy": "relevance", "to": "impact_score"}, + + // Observables + {"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$sourceIP"}}, + {"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$destinationIP"}}, + {"array": "observables", "append": {"type": "User Name", "type_id": 4, "value": "$username"}, "if": "username"} + ] + } + ], + + "transforms": { + "qradarSeverityToOCSF": { + "1-2": 1, + "3-4": 2, + "5-6": 3, + "7-8": 4, + "9-10": 5 + } + }, + + "ocsf_mappings": { + "authentication_events": { + "condition": "category == 'Authentication'", + "class_uid": 3002, + "class_name": "Authentication", + "activity_id": {"success": 1, "failure": 2} + }, + "network_events": { + "condition": "protocol != ''", + "class_uid": 4001, + "class_name": "Network Activity" + } + } +} diff --git a/parsers/ocsf-security-overview b/parsers/ocsf-security-overview new file mode 100644 index 0000000..046739e --- /dev/null +++ b/parsers/ocsf-security-overview @@ -0,0 +1,84 @@ +{ + "duration": "24h", + "description": "Cross-source security posture from OCSF-normalized events", + "graphs": [ + { + "title": "Events by Source", + "graphStyle": "donut", + "maxPieSlices": 15, + "query": "serverHost = * | group count() by serverHost | sort -count | limit 15", + "layout": { + "w": 20, + "h": 14, + "x": 0, + "y": 0 + } + }, + { + "title": "Event Volume Over Time", + "graphStyle": "stacked_bar", + "xAxis": "time", + "query": "serverHost = * | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp", + "layout": { + "w": 40, + "h": 14, + "x": 20, + "y": 0 + } + }, + { + "title": "Top Source IPs", + "graphStyle": "table", + "query": "src_ip = * | group hits=count() by src_ip | sort -hits | limit 15", + "layout": { + "w": 20, + "h": 14, + "x": 0, + "y": 14 + } + }, + { + "title": "Top Active Users", + "graphStyle": "table", + "query": "user_name = * | group hits=count() by user_name | sort -hits | limit 15", + "layout": { + "w": 20, + "h": 14, + "x": 20, + "y": 14 + } + }, + { + "title": "Authentication Failures", + "graphStyle": "number", + "query": "message contains 'Failed password' or message contains 'authentication failure' | group count() | limit 1", + "layout": { + "w": 10, + "h": 7, + "x": 40, + "y": 14 + }, + "options": { + "format": "auto", + "precision": "0", + "suffix": " failures" + } + }, + { + "title": "Firewall Denies", + "graphStyle": "number", + "query": "action = 'deny' or action = 'block' or action = 'drop' | group count() | limit 1", + "layout": { + "w": 10, + "h": 7, + "x": 50, + "y": 14 + }, + "options": { + "format": "auto", + "precision": "0", + "suffix": " blocked" + } + } + ] +} \ No newline at end of file diff --git a/parsers/ocsf-security-overview-v2 b/parsers/ocsf-security-overview-v2 new file mode 100644 index 0000000..f3673a1 --- /dev/null +++ b/parsers/ocsf-security-overview-v2 @@ -0,0 +1,221 @@ +{ + "duration": "24h", + "description": "Cross-source security posture from OCSF-normalized events", + "parameters": [ + { + "name": "source", + "values": [ + { + "label": "All Sources", + "value": "*" + }, + { + "label": "Linux", + "value": "linux-ocsf" + }, + { + "label": "FortiGate", + "value": "fortigate-ocsf" + }, + { + "label": "CheckPoint", + "value": "checkpoint-ocsf" + }, + { + "label": "Palo Alto", + "value": "paloalto-ocsf" + }, + { + "label": "Windows", + "value": "windows-ocsf" + } + ], + "defaultValue": "*" + } + ], + "graphs": [ + { + "title": "Dashboard Overview", + "graphStyle": "markdown", + "markdown": "## OCSF Security Overview\\n\\nCross-source security posture from **OCSF v1.3.0** normalized events.\\n\\n| Metric | Description |\\n|--------|-------------|\\n| **Sources** | All serverHost containing 'ocsf' |\\n| **Time Range** | Last 24 hours |\\n| **Refresh** | Auto (5 min) |\\n\\nUse the **source** dropdown above to filter by specific data source.", + "layout": { + "w": 60, + "h": 8, + "x": 0, + "y": 0 + } + }, + { + "title": "Event Count by OCSF Source", + "graphStyle": "donut", + "maxPieSlices": 12, + "dataLabelType": "PERCENTAGE", + "query": "serverHost contains 'ocsf' | group count() by serverHost | sort -count | limit 12", + "layout": { + "w": 20, + "h": 14, + "x": 0, + "y": 8 + } + }, + { + "title": "Event Volume Over Time (24h)", + "graphStyle": "stacked_bar", + "xAxis": "time", + "query": "serverHost contains 'ocsf' | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp", + "layout": { + "w": 40, + "h": 14, + "x": 20, + "y": 8 + } + }, + { + "title": "Unique Source IPs", + "graphStyle": "number", + "query": "src_ip = * serverHost contains 'ocsf' | group estimate_distinct(src_ip) | limit 1", + "layout": { + "w": 12, + "h": 7, + "x": 0, + "y": 22 + }, + "options": { + "format": "auto", + "precision": "0", + "suffix": " IPs" + } + }, + { + "title": "Unique Users", + "graphStyle": "number", + "query": "user_name = * serverHost contains 'ocsf' | group estimate_distinct(user_name) | limit 1", + "layout": { + "w": 12, + "h": 7, + "x": 12, + "y": 22 + }, + "options": { + "format": "auto", + "precision": "0", + "suffix": " users" + } + }, + { + "title": "Unique Destinations", + "graphStyle": "number", + "query": "dst_ip = * serverHost contains 'ocsf' | group estimate_distinct(dst_ip) | limit 1", + "layout": { + "w": 12, + "h": 7, + "x": 24, + "y": 22 + }, + "options": { + "format": "auto", + "precision": "0", + "suffix": " IPs" + } + }, + { + "title": "Total Events", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' | group count() | limit 1", + "layout": { + "w": 12, + "h": 7, + "x": 36, + "y": 22 + }, + "options": { + "format": "auto", + "precision": "0" + } + }, + { + "title": "Auth Failure Events (24h)", + "graphStyle": "number", + "query": "serverHost contains 'ocsf' (message contains 'Failed password' or message contains 'authentication failure' or status = 'failure') | group count() | limit 1", + "layout": { + "w": 12, + "h": 7, + "x": 48, + "y": 22 + }, + "options": { + "format": "auto", + "precision": "0", + "suffix": " failures" + } + }, + { + "title": "Top Source IPs (24h)", + "graphStyle": "table", + "query": "src_ip = * serverHost contains 'ocsf' | group hits=count() by src_ip | sort -hits | limit 15", + "layout": { + "w": 20, + "h": 14, + "x": 0, + "y": 29 + } + }, + { + "title": "Top Active Users (24h)", + "graphStyle": "table", + "query": "user_name = * serverHost contains 'ocsf' | group hits=count() by user_name | sort -hits | limit 15", + "layout": { + "w": 20, + "h": 14, + "x": 20, + "y": 29 + } + }, + { + "title": "External Connections (non-RFC1918)", + "graphStyle": "table", + "query": "dst_ip = * serverHost contains 'ocsf' | let is_external = not net_rfc1918(dst_ip) | filter is_external = true | group hits=count() by dst_ip | sort -hits | limit 15", + "layout": { + "w": 20, + "h": 14, + "x": 40, + "y": 29 + } + }, + { + "title": "Events by Severity", + "graphStyle": "donut", + "maxPieSlices": 5, + "query": "severity_id = * serverHost contains 'ocsf' | group count() by severity_id | sort -count | limit 5", + "layout": { + "w": 15, + "h": 12, + "x": 0, + "y": 43 + } + }, + { + "title": "Events by Action", + "graphStyle": "donut", + "maxPieSlices": 6, + "query": "action = * serverHost contains 'ocsf' | group count() by action | sort -count | limit 6", + "layout": { + "w": 15, + "h": 12, + "x": 15, + "y": 43 + } + }, + { + "title": "Firewall Blocks (24h)", + "graphStyle": "table", + "query": "serverHost contains 'ocsf' (action = 'deny' or action = 'block' or action = 'drop') | group hits=count() by serverHost, src_ip, dst_ip | sort -hits | limit 20", + "layout": { + "w": 30, + "h": 12, + "x": 30, + "y": 43 + } + } + ] +} \ No newline at end of file diff --git a/parsers/ocsf-sim-generic b/parsers/ocsf-sim-generic new file mode 100644 index 0000000..74f7b53 --- /dev/null +++ b/parsers/ocsf-sim-generic @@ -0,0 +1,184 @@ +// SentinelOne AI SIEM Parser: SIM Generic Log DSM +// OCSF Schema Version: 1.1.0 +// Maps generic syslog-style logs to OCSF classes +// Primary Classes: Base Event (0), Application Activity (6001) + +{ + "parserName": "SIMGeneric-OCSF", + "version": "1.0.0", + "vendor": "Generic", + "product": "SIM Generic Log", + "format": "syslog", + + "patterns": [ + // Generic syslog with key=value pairs + { + "pattern": "^(\\w+\\s+\\d+\\s+[\\d:]+)\\s+(\\S+)\\s+(\\S+)\\[(\\d+)\\]:\\s+(\\w+)\\s+(.*)$", + "rewrites": [ + {"set": "class_uid", "value": "6001"}, + {"set": "class_name", "value": "Application Activity"}, + {"set": "category_uid", "value": "6"}, + {"set": "category_name", "value": "Application Activity"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Generic Application"}, + {"set": "metadata.product.vendor_name", "value": "Unknown"}, + {"group": 2, "to": "device.hostname"}, + {"group": 3, "to": "app_name"}, + {"group": 4, "to": "actor.process.pid"}, + + // Time + {"group": 1, "to": "time", "transform": "syslogTimestamp"}, + + // Severity from log level + {"group": 5, "to": "severity"}, + {"lookup": "severity", "map": { + "CRITICAL": 5, "FATAL": 6, "ERROR": 4, "WARNING": 3, "WARN": 3, + "INFO": 1, "DEBUG": 0, "TRACE": 0 + }, "to": "severity_id"}, + + // Message + {"group": 6, "to": "message"}, + + // Extract key=value pairs from message + {"kvExtract": "$6", "to": "unmapped"} + ] + }, + + // Authentication events + { + "pattern": "(login|logon|auth|authentication)", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + + // Extract user + {"regex": "user[=:]\\s*(\\S+)", "group": 1, "to": "user.name"}, + + // Extract source IP + {"regex": "(?:src_ip|ip|from)[=:]\\s*([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // Extract session + {"regex": "session[_id]*[=:]\\s*(\\S+)", "group": 1, "to": "session.uid"}, + + // Determine success/failure + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "status_id", "value": "1", "if": "success|successful|accepted"}, + {"set": "status", "value": "Success", "if": "success|successful|accepted"}, + {"set": "status_id", "value": "2", "if": "fail|failed|denied|invalid"}, + {"set": "status", "value": "Failure", "if": "fail|failed|denied|invalid"} + ] + }, + + // File operations + { + "pattern": "(file|upload|download)", + "rewrites": [ + {"set": "class_uid", "value": "1001"}, + {"set": "class_name", "value": "File Activity"}, + + // Extract filename + {"regex": "filename[=:]\\s*(\\S+)", "group": 1, "to": "file.name"}, + + // Extract size + {"regex": "size[_bytes]*[=:]\\s*(\\d+)", "group": 1, "to": "file.size"}, + + // Extract user + {"regex": "user[=:]\\s*(\\S+)", "group": 1, "to": "actor.user.name"}, + + // Extract destination + {"regex": "destination[=:]\\s*(\\S+)", "group": 1, "to": "file.path"}, + + // Activity + {"set": "activity_id", "value": "2", "if": "upload"}, + {"set": "activity_name", "value": "Upload", "if": "upload"}, + {"set": "activity_id", "value": "3", "if": "download"}, + {"set": "activity_name", "value": "Download", "if": "download"} + ] + }, + + // Security alerts + { + "pattern": "(security|alert|attack|injection|malware|threat)", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + + // Extract source IP + {"regex": "(?:src_ip|ip)[=:]\\s*([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // Extract target + {"regex": "(?:target_url|url)[=:]\\s*(\\S+)", "group": 1, "to": "finding_info.src_url"}, + + // Extract payload + {"regex": "payload[=:]\\s*\"([^\"]+)\"", "group": 1, "to": "finding_info.data_sources"}, + + // Severity + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"} + ] + }, + + // Configuration changes + { + "pattern": "(config|configuration|setting|changed)", + "rewrites": [ + {"set": "class_uid", "value": "5001"}, + {"set": "class_name", "value": "Configuration"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Update"}, + + // Extract setting + {"regex": "setting[=:]\\s*(\\S+)", "group": 1, "to": "config.name"}, + + // Extract old/new values + {"regex": "old_value[=:]\\s*(\\S+)", "group": 1, "to": "prev_config.value"}, + {"regex": "new_value[=:]\\s*(\\S+)", "group": 1, "to": "config.value"}, + + // Extract who changed + {"regex": "changed_by[=:]\\s*(\\S+)", "group": 1, "to": "actor.user.name"} + ] + }, + + // Service events + { + "pattern": "(service|started|stopped|restart)", + "rewrites": [ + {"set": "class_uid", "value": "1006"}, + {"set": "class_name", "value": "Service Activity"}, + + // Extract service name + {"regex": "service_name[=:]\\s*(\\S+)", "group": 1, "to": "service.name"}, + + // Extract version + {"regex": "version[=:]\\s*(\\S+)", "group": 1, "to": "service.version"}, + + // Extract port + {"regex": "port[=:]\\s*(\\d+)", "group": 1, "to": "service.port"}, + + // Extract PID + {"regex": "pid[=:]\\s*(\\d+)", "group": 1, "to": "service.pid"}, + + // Activity + {"set": "activity_id", "value": "1", "if": "started"}, + {"set": "activity_name", "value": "Start", "if": "started"}, + {"set": "activity_id", "value": "2", "if": "stopped"}, + {"set": "activity_name", "value": "Stop", "if": "stopped"} + ] + } + ], + + "transforms": { + "syslogTimestamp": { + "formats": [ + "MMM dd HH:mm:ss", + "MMM d HH:mm:ss" + ], + "timezone": "local" + } + } +} diff --git a/parsers/ocsf-threat-detection b/parsers/ocsf-threat-detection new file mode 100644 index 0000000..bc33470 --- /dev/null +++ b/parsers/ocsf-threat-detection @@ -0,0 +1,73 @@ +{ + "duration": "24h", + "description": "Active threats and detection triggers across OCSF sources", + "graphs": [ + { + "title": "About This Dashboard", + "graphStyle": "markdown", + "markdown": "## OCSF Threat Detection\nMonitors suspicious activity patterns across all OCSF-normalized log sources.\n\n**Key Indicators:**\n- Brute force attempts (3+ failed logins)\n- Port scanning (5+ unique ports)\n- Suspicious process execution\n- Lateral movement indicators", + "layout": { + "w": 60, + "h": 6, + "x": 0, + "y": 0 + } + }, + { + "title": "Brute Force Attempts", + "graphStyle": "table", + "query": "message contains 'Failed password' or message contains 'authentication failure' | group failed_attempts=count() by src_ip, user_name | filter failed_attempts >= 3 | sort -failed_attempts | limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 6 + } + }, + { + "title": "Port Scan Sources", + "graphStyle": "table", + "query": "action = 'deny' dstport = * srcip = * | group hits=count() by srcip, dstport | group unique_ports=count() by srcip | filter unique_ports >= 5 | sort -unique_ports | limit 15", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 6 + } + }, + { + "title": "Suspicious Process Execution", + "graphStyle": "table", + "query": "message contains 'mimikatz' or message contains 'psexec' or message contains 'netcat' or message contains 'reverse shell' or message contains 'powershell -enc' | columns timestamp, serverHost, message | limit 50", + "layout": { + "w": 60, + "h": 14, + "x": 0, + "y": 20 + } + }, + { + "title": "Lateral Movement Indicators", + "graphStyle": "table", + "query": "(dstport = 22 or dstport = 3389 or dstport = 445 or dstport = 5985) srcip = * | group conns=count() by srcip, dstport | filter conns >= 3 | sort -conns | limit 15", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 34 + } + }, + { + "title": "C2 Beacon Activity", + "graphStyle": "stacked_bar", + "xAxis": "grouped_data", + "query": "(dstport = 4444 or dstport = 8080 or dstport = 1337) srcip = * | group count() by srcip | sort -count | limit 10", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 34 + } + } + ] +} \ No newline at end of file diff --git a/parsers/ocsf-threat-detection-v2 b/parsers/ocsf-threat-detection-v2 new file mode 100644 index 0000000..57ecb50 --- /dev/null +++ b/parsers/ocsf-threat-detection-v2 @@ -0,0 +1,93 @@ +{ + "duration": "24h", + "description": "Active threats and detection triggers across OCSF sources", + "parameters": [ + { + "name": "severity_filter", + "values": [ + { + "label": "All", + "value": "*" + }, + { + "label": "Critical Only", + "value": "1" + }, + { + "label": "High+", + "value": "1,2" + } + ], + "defaultValue": "*" + } + ], + "graphs": [ + { + "title": "Threat Detection Overview", + "graphStyle": "markdown", + "markdown": "## OCSF Threat Detection\\n\\nMonitors suspicious activity patterns across all OCSF-normalized log sources.\\n\\n**Key Indicators:**\\n- Brute force attempts (3+ failed logins from same IP)\\n- Port scanning (5+ unique destination ports)\\n- Suspicious process execution (mimikatz, psexec, etc.)\\n- Lateral movement (SSH/RDP/SMB from internal IPs)", + "layout": { + "w": 60, + "h": 7, + "x": 0, + "y": 0 + } + }, + { + "title": "Brute Force Attempts (3+ failures)", + "graphStyle": "table", + "query": "serverHost contains 'ocsf' (message contains 'Failed password' or message contains 'authentication failure') | group failed_attempts=count() by src_ip, user_name | filter failed_attempts >= 3 | sort -failed_attempts | limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 7 + } + }, + { + "title": "Port Scan Sources (5+ ports)", + "graphStyle": "table", + "query": "serverHost contains 'ocsf' action = 'deny' dstport = * srcip = * | group hits=count() by srcip, dstport | group unique_ports=count() by srcip | filter unique_ports >= 5 | sort -unique_ports | limit 15", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 7 + } + }, + { + "title": "Suspicious Process Execution", + "graphStyle": "table", + "query": "serverHost contains 'ocsf' (message contains 'mimikatz' or message contains 'psexec' or message contains 'netcat' or message contains 'reverse shell' or message contains 'powershell -enc' or message contains 'certutil -decode') | columns timestamp, serverHost, message | limit 50", + "layout": { + "w": 60, + "h": 14, + "x": 0, + "y": 21 + } + }, + { + "title": "Lateral Movement (SSH/RDP/SMB)", + "graphStyle": "table", + "query": "serverHost contains 'ocsf' (dstport = 22 or dstport = 3389 or dstport = 445 or dstport = 5985) srcip = * | group conns=count() by srcip, dstport | filter conns >= 3 | sort -conns | limit 15", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 35 + } + }, + { + "title": "C2 Beacon Activity (suspicious ports)", + "graphStyle": "stacked_bar", + "xAxis": "grouped_data", + "query": "serverHost contains 'ocsf' (dstport = 4444 or dstport = 8080 or dstport = 1337 or dstport = 6666) srcip = * | group count() by srcip | sort -count | limit 10", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 35 + } + } + ] +} \ No newline at end of file diff --git a/parsers/ocsf-watchguard b/parsers/ocsf-watchguard new file mode 100644 index 0000000..6c240c6 --- /dev/null +++ b/parsers/ocsf-watchguard @@ -0,0 +1,216 @@ +// SentinelOne AI SIEM Parser: WatchGuard Fireware OS +// OCSF Schema Version: 1.1.0 +// Maps WatchGuard Firebox logs to OCSF classes +// Primary Classes: Network Activity (4001), Authentication (3002), Security Finding (2001) + +{ + "parserName": "WatchGuard-OCSF", + "version": "1.0.0", + "vendor": "WatchGuard", + "product": "Fireware OS", + "format": "space-delimited", + + "patterns": [ + // Firewall traffic logs + { + "pattern": "^(\\d{4}-\\d{2}-\\d{2}\\s+[\\d:]+)\\s+firewall\\s+(Allow|Deny)\\s+([\\d.]+)\\s+([\\d.]+|\\S+)\\s+(\\S+)\\s+(\\d+)\\s+(\\d+)", + "rewrites": [ + {"set": "class_uid", "value": "4001"}, + {"set": "class_name", "value": "Network Activity"}, + {"set": "category_uid", "value": "4"}, + {"set": "category_name", "value": "Network Activity"}, + + // Activity + {"group": 2, "to": "activity_name"}, + {"lookup": "activity_name", "map": {"Allow": 1, "Deny": 2}, "to": "activity_id"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "WatchGuard Fireware"}, + {"set": "metadata.product.vendor_name", "value": "WatchGuard"}, + + // Time + {"group": 1, "to": "time"}, + + // Endpoints + {"group": 3, "to": "src_endpoint.ip"}, + {"group": 4, "to": "dst_endpoint.ip"}, + {"group": 6, "to": "src_endpoint.port"}, + {"group": 7, "to": "dst_endpoint.port"}, + + // Protocol/Service + {"group": 5, "to": "connection_info.protocol_name"}, + + // Extract additional fields + {"regex": "rule_name=\"([^\"]+)\"", "group": 1, "to": "policy.name"}, + {"regex": "geo_src=\"([^\"]+)\"", "group": 1, "to": "src_endpoint.location.country"}, + {"regex": "geo_dst=\"([^\"]+)\"", "group": 1, "to": "dst_endpoint.location.country"}, + {"regex": "proxy_act=\"([^\"]+)\"", "group": 1, "to": "proxy.name"}, + {"regex": "msg_id=\"([^\"]+)\"", "group": 1, "to": "metadata.uid"}, + + // Application info + {"regex": "app_name=\"([^\"]+)\"", "group": 1, "to": "app_name"}, + {"regex": "app_cat=\"([^\"]+)\"", "group": 1, "to": "app.category"}, + {"regex": "app_behavior=\"([^\"]+)\"", "group": 1, "to": "app.feature.name"}, + + // Status + {"lookup": "activity_name", "map": {"Allow": 1, "Deny": 2}, "to": "status_id"}, + {"lookup": "activity_name", "map": {"Allow": "Success", "Deny": "Failure"}, "to": "status"} + ] + }, + + // IPS signature match + { + "pattern": "IPS\\s+signature_match", + "rewrites": [ + {"set": "class_uid", "value": "2004"}, + {"set": "class_name", "value": "Detection Finding"}, + {"set": "category_uid", "value": "2"}, + {"set": "category_name", "value": "Findings"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "WatchGuard IPS"}, + {"set": "metadata.product.vendor_name", "value": "WatchGuard"}, + + // Endpoints + {"regex": "signature_match\\s+([\\d.]+)\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + {"regex": "signature_match\\s+([\\d.]+)\\s+([\\d.]+)", "group": 2, "to": "dst_endpoint.ip"}, + + // Signature info + {"regex": "sig_name=\"([^\"]+)\"", "group": 1, "to": "finding_info.title"}, + {"regex": "sig_id=\"([^\"]+)\"", "group": 1, "to": "finding_info.uid"}, + {"regex": "sig_vers=\"([^\"]+)\"", "group": 1, "to": "finding_info.version"}, + {"regex": "severity=\"([^\"]+)\"", "group": 1, "to": "severity"}, + {"regex": "action=\"([^\"]+)\"", "group": 1, "to": "activity_name"}, + + // Severity mapping + {"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1}, "to": "severity_id"}, + + // Action mapping + {"lookup": "activity_name", "map": {"block": 2, "drop": 2, "alert": 1, "allow": 0}, "to": "activity_id"}, + + // Geo + {"regex": "geo_src=\"([^\"]+)\"", "group": 1, "to": "src_endpoint.location.country"} + ] + }, + + // Antivirus detection + { + "pattern": "antivirus\\s+virus_found", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "finding_info.types", "value": ["Malware"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "WatchGuard Gateway AntiVirus"}, + {"set": "metadata.product.vendor_name", "value": "WatchGuard"}, + + // Endpoints + {"regex": "virus_found\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // Malware info + {"regex": "virus_name=\"([^\"]+)\"", "group": 1, "to": "malware.name"}, + {"regex": "file_name=\"([^\"]+)\"", "group": 1, "to": "file.name"}, + {"regex": "action=\"([^\"]+)\"", "group": 1, "to": "activity_name"}, + {"regex": "content_type=\"([^\"]+)\"", "group": 1, "to": "file.type_id"}, + {"regex": "md5=\"([^\"]+)\"", "group": 1, "to": "file.hashes.md5"}, + + {"set": "severity_id", "value": "5"}, + {"set": "severity", "value": "Critical"} + ] + }, + + // Authentication events + { + "pattern": "authentication\\s+(auth_success|auth_failure)", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "WatchGuard Fireware"}, + {"set": "metadata.product.vendor_name", "value": "WatchGuard"}, + + // User + {"regex": "user=\"([^\"]+)\"", "group": 1, "to": "user.name"}, + {"regex": "domain=\"([^\"]+)\"", "group": 1, "to": "user.domain"}, + + // Source + {"regex": "auth_\\w+\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // Auth details + {"regex": "auth_method=\"([^\"]+)\"", "group": 1, "to": "auth_protocol"}, + {"regex": "auth_server=\"([^\"]+)\"", "group": 1, "to": "auth_server"}, + {"regex": "session_id=\"([^\"]+)\"", "group": 1, "to": "session.uid"}, + {"regex": "reason=\"([^\"]+)\"", "group": 1, "to": "status_detail"}, + {"regex": "attempts=\"([^\"]+)\"", "group": 1, "to": "attempts"}, + + // Status + {"set": "status_id", "value": "1", "if": "auth_success"}, + {"set": "status", "value": "Success", "if": "auth_success"}, + {"set": "status_id", "value": "2", "if": "auth_failure"}, + {"set": "status", "value": "Failure", "if": "auth_failure"} + ] + }, + + // System/Config changes + { + "pattern": "system\\s+config_change", + "rewrites": [ + {"set": "class_uid", "value": "5001"}, + {"set": "class_name", "value": "Configuration"}, + {"set": "category_uid", "value": "5"}, + {"set": "category_name", "value": "Discovery"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Update"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "WatchGuard Fireware"}, + {"set": "metadata.product.vendor_name", "value": "WatchGuard"}, + + // Actor + {"regex": "admin_user=\"([^\"]+)\"", "group": 1, "to": "actor.user.name"}, + {"regex": "config_change\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // Change details + {"regex": "change_type=\"([^\"]+)\"", "group": 1, "to": "activity_name"}, + {"regex": "object_type=\"([^\"]+)\"", "group": 1, "to": "resources.type"}, + {"regex": "object_name=\"([^\"]+)\"", "group": 1, "to": "resources.name"}, + {"regex": "action=\"([^\"]+)\"", "group": 1, "to": "resources.action"} + ] + }, + + // DLP events + { + "pattern": "dlp\\s+data_leak_prevented", + "rewrites": [ + {"set": "class_uid", "value": "2001"}, + {"set": "class_name", "value": "Security Finding"}, + {"set": "finding_info.types", "value": ["Data Loss Prevention"]}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "WatchGuard DLP"}, + {"set": "metadata.product.vendor_name", "value": "WatchGuard"}, + + // Source + {"regex": "data_leak_prevented\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"}, + + // DLP details + {"regex": "rule_name=\"([^\"]+)\"", "group": 1, "to": "policy.name"}, + {"regex": "pattern_matched=\"([^\"]+)\"", "group": 1, "to": "finding_info.title"}, + {"regex": "action=\"([^\"]+)\"", "group": 1, "to": "activity_name"}, + {"regex": "user=\"([^\"]+)\"", "group": 1, "to": "actor.user.name"}, + {"regex": "file_name=\"([^\"]+)\"", "group": 1, "to": "file.name"}, + {"regex": "bytes_blocked=\"([^\"]+)\"", "group": 1, "to": "traffic.bytes"}, + + {"set": "severity_id", "value": "4"}, + {"set": "severity", "value": "High"} + ] + } + ] +} diff --git a/parsers/ocsf-windows-security b/parsers/ocsf-windows-security new file mode 100644 index 0000000..588bd3b --- /dev/null +++ b/parsers/ocsf-windows-security @@ -0,0 +1,219 @@ +// SentinelOne AI SIEM Parser: Microsoft Windows Security Event Log +// OCSF Schema Version: 1.1.0 +// Maps Windows Security XML events to OCSF classes +// Primary Classes: Authentication (3002), Account Change (3001), Process Activity (1007) + +{ + "parserName": "WindowsSecurity-OCSF", + "version": "1.0.0", + "vendor": "Microsoft", + "product": "Windows Security", + "format": "xml", + + "patterns": [ + // Successful Logon (4624) + { + "pattern": "4624", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "type_uid", "value": "300201"}, + + // Metadata + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Windows Security"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + {"xpath": "//System/EventRecordID", "to": "metadata.uid"}, + {"xpath": "//System/Computer", "to": "metadata.product.feature.name"}, + + // Time + {"xpath": "//System/TimeCreated/@SystemTime", "to": "time"}, + + // User (Target) + {"xpath": "//EventData/Data[@Name='TargetUserName']", "to": "user.name"}, + {"xpath": "//EventData/Data[@Name='TargetDomainName']", "to": "user.domain"}, + {"xpath": "//EventData/Data[@Name='TargetUserSid']", "to": "user.uid"}, + {"xpath": "//EventData/Data[@Name='TargetLogonId']", "to": "session.uid"}, + + // Actor (Subject) + {"xpath": "//EventData/Data[@Name='SubjectUserName']", "to": "actor.user.name"}, + {"xpath": "//EventData/Data[@Name='SubjectDomainName']", "to": "actor.user.domain"}, + {"xpath": "//EventData/Data[@Name='SubjectUserSid']", "to": "actor.user.uid"}, + + // Logon type mapping + {"xpath": "//EventData/Data[@Name='LogonType']", "to": "logon_type_id"}, + {"lookup": "logon_type_id", "map": { + "2": "Interactive", + "3": "Network", + "4": "Batch", + "5": "Service", + "7": "Unlock", + "8": "NetworkCleartext", + "9": "NewCredentials", + "10": "RemoteInteractive", + "11": "CachedInteractive" + }, "to": "logon_type"}, + + // Source endpoint + {"xpath": "//EventData/Data[@Name='IpAddress']", "to": "src_endpoint.ip"}, + {"xpath": "//EventData/Data[@Name='IpPort']", "to": "src_endpoint.port"}, + {"xpath": "//EventData/Data[@Name='WorkstationName']", "to": "src_endpoint.name"}, + + // Authentication details + {"xpath": "//EventData/Data[@Name='AuthenticationPackageName']", "to": "auth_protocol"}, + {"xpath": "//EventData/Data[@Name='LogonProcessName']", "to": "logon_process.name"}, + + // Process + {"xpath": "//EventData/Data[@Name='ProcessId']", "to": "actor.process.pid"}, + {"xpath": "//EventData/Data[@Name='ProcessName']", "to": "actor.process.file.path"}, + + // Status + {"set": "status_id", "value": "1"}, + {"set": "status", "value": "Success"} + ] + }, + + // Failed Logon (4625) + { + "pattern": "4625", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Logon"}, + {"set": "status_id", "value": "2"}, + {"set": "status", "value": "Failure"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Windows Security"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + {"xpath": "//EventData/Data[@Name='TargetUserName']", "to": "user.name"}, + {"xpath": "//EventData/Data[@Name='TargetDomainName']", "to": "user.domain"}, + {"xpath": "//EventData/Data[@Name='Status']", "to": "status_code"}, + {"xpath": "//EventData/Data[@Name='SubStatus']", "to": "status_detail"}, + {"xpath": "//EventData/Data[@Name='FailureReason']", "to": "message"}, + {"xpath": "//EventData/Data[@Name='IpAddress']", "to": "src_endpoint.ip"}, + {"xpath": "//EventData/Data[@Name='WorkstationName']", "to": "src_endpoint.name"}, + {"xpath": "//EventData/Data[@Name='LogonType']", "to": "logon_type_id"}, + + // Severity for failed auth + {"set": "severity_id", "value": "3"}, + {"set": "severity", "value": "Medium"} + ] + }, + + // Process Creation (4688) + { + "pattern": "4688", + "rewrites": [ + {"set": "class_uid", "value": "1007"}, + {"set": "class_name", "value": "Process Activity"}, + {"set": "category_uid", "value": "1"}, + {"set": "category_name", "value": "System Activity"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Launch"}, + {"set": "type_uid", "value": "100701"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Windows Security"}, + {"set": "metadata.product.vendor_name", "value": "Microsoft"}, + + // Actor + {"xpath": "//EventData/Data[@Name='SubjectUserName']", "to": "actor.user.name"}, + {"xpath": "//EventData/Data[@Name='SubjectDomainName']", "to": "actor.user.domain"}, + {"xpath": "//EventData/Data[@Name='SubjectUserSid']", "to": "actor.user.uid"}, + {"xpath": "//EventData/Data[@Name='SubjectLogonId']", "to": "actor.session.uid"}, + + // New Process + {"xpath": "//EventData/Data[@Name='NewProcessId']", "to": "process.pid"}, + {"xpath": "//EventData/Data[@Name='NewProcessName']", "to": "process.file.path"}, + {"xpath": "//EventData/Data[@Name='CommandLine']", "to": "process.cmd_line"}, + {"xpath": "//EventData/Data[@Name='TokenElevationType']", "to": "process.integrity"}, + + // Parent Process + {"xpath": "//EventData/Data[@Name='ProcessId']", "to": "process.parent_process.pid"}, + {"xpath": "//EventData/Data[@Name='ParentProcessName']", "to": "process.parent_process.file.path"}, + + // Labels + {"xpath": "//EventData/Data[@Name='MandatoryLabel']", "to": "process.integrity_id"} + ] + }, + + // Special Privileges (4672) + { + "pattern": "4672", + "rewrites": [ + {"set": "class_uid", "value": "3002"}, + {"set": "class_name", "value": "Authentication"}, + {"set": "activity_id", "value": "2"}, + {"set": "activity_name", "value": "Logon: Privileged"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Windows Security"}, + + {"xpath": "//EventData/Data[@Name='SubjectUserName']", "to": "user.name"}, + {"xpath": "//EventData/Data[@Name='SubjectDomainName']", "to": "user.domain"}, + {"xpath": "//EventData/Data[@Name='SubjectUserSid']", "to": "user.uid"}, + {"xpath": "//EventData/Data[@Name='SubjectLogonId']", "to": "session.uid"}, + {"xpath": "//EventData/Data[@Name='PrivilegeList']", "to": "user.privileges"}, + + {"set": "is_admin", "value": "true"} + ] + }, + + // User Account Created (4720) + { + "pattern": "4720", + "rewrites": [ + {"set": "class_uid", "value": "3001"}, + {"set": "class_name", "value": "Account Change"}, + {"set": "category_uid", "value": "3"}, + {"set": "category_name", "value": "Identity & Access Management"}, + {"set": "activity_id", "value": "1"}, + {"set": "activity_name", "value": "Create"}, + {"set": "type_uid", "value": "300101"}, + + {"set": "metadata.version", "value": "1.1.0"}, + {"set": "metadata.product.name", "value": "Windows Security"}, + + // Actor (who created) + {"xpath": "//EventData/Data[@Name='SubjectUserName']", "to": "actor.user.name"}, + {"xpath": "//EventData/Data[@Name='SubjectDomainName']", "to": "actor.user.domain"}, + {"xpath": "//EventData/Data[@Name='SubjectUserSid']", "to": "actor.user.uid"}, + + // Target (new account) + {"xpath": "//EventData/Data[@Name='TargetUserName']", "to": "user.name"}, + {"xpath": "//EventData/Data[@Name='TargetDomainName']", "to": "user.domain"}, + {"xpath": "//EventData/Data[@Name='TargetSid']", "to": "user.uid"}, + {"xpath": "//EventData/Data[@Name='SamAccountName']", "to": "user.account.name"}, + {"xpath": "//EventData/Data[@Name='DisplayName']", "to": "user.full_name"}, + {"xpath": "//EventData/Data[@Name='UserPrincipalName']", "to": "user.email_addr"} + ] + } + ], + + "event_id_mappings": { + "4624": {"class": "Authentication", "activity": "Logon", "status": "Success"}, + "4625": {"class": "Authentication", "activity": "Logon", "status": "Failure"}, + "4634": {"class": "Authentication", "activity": "Logoff", "status": "Success"}, + "4648": {"class": "Authentication", "activity": "Logon: Explicit Credentials"}, + "4672": {"class": "Authentication", "activity": "Logon: Privileged"}, + "4688": {"class": "Process Activity", "activity": "Launch"}, + "4689": {"class": "Process Activity", "activity": "Terminate"}, + "4720": {"class": "Account Change", "activity": "Create"}, + "4722": {"class": "Account Change", "activity": "Enable"}, + "4723": {"class": "Account Change", "activity": "Password Change"}, + "4724": {"class": "Account Change", "activity": "Password Reset"}, + "4725": {"class": "Account Change", "activity": "Disable"}, + "4726": {"class": "Account Change", "activity": "Delete"}, + "4728": {"class": "Group Membership", "activity": "Add"}, + "4729": {"class": "Group Membership", "activity": "Remove"}, + "4732": {"class": "Group Membership", "activity": "Add"}, + "4733": {"class": "Group Membership", "activity": "Remove"} + } +} diff --git a/parsers/okta_authentication-latest b/parsers/okta_authentication-latest new file mode 100644 index 0000000..6f52d1d --- /dev/null +++ b/parsers/okta_authentication-latest @@ -0,0 +1,291 @@ +{ + "attributes": { + "dataSource.vendor": "Okta", + "dataSource.name": "Okta System Log", + "dataSource.category": "security", + "metadata.product.vendor_name": "Okta", + "metadata.product.name": "Okta System Log", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.published", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "constant": { + "value": 3002, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Authentication", + "field": "class_name" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "copy": { + "from": "unmapped.published", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "copy": { + "from": "unmapped.uuid", + "to": "metadata.uid" + } + }, + { + "copy": { + "from": "unmapped.eventType", + "to": "type_name" + } + }, + { + "copy": { + "from": "unmapped.displayMessage", + "to": "message" + } + }, + { + "copy": { + "from": "unmapped.actor.alternateId", + "to": "user.name" + } + }, + { + "copy": { + "from": "unmapped.actor.displayName", + "to": "user.full_name" + } + }, + { + "copy": { + "from": "unmapped.actor.id", + "to": "user.uid" + } + }, + { + "copy": { + "from": "unmapped.client.ipAddress", + "to": "src_endpoint.ip" + } + }, + { + "copy": { + "from": "unmapped.client.geographicalContext.city", + "to": "src_endpoint.location.city" + } + }, + { + "copy": { + "from": "unmapped.client.geographicalContext.state", + "to": "src_endpoint.location.region" + } + }, + { + "copy": { + "from": "unmapped.client.geographicalContext.country", + "to": "src_endpoint.location.country" + } + }, + { + "copy": { + "from": "unmapped.client.geographicalContext.postalCode", + "to": "src_endpoint.location.postal_code" + } + }, + { + "copy": { + "from": "unmapped.client.geographicalContext.geolocation.lat", + "to": "src_endpoint.location.coordinates[0]" + } + }, + { + "copy": { + "from": "unmapped.client.geographicalContext.geolocation.lon", + "to": "src_endpoint.location.coordinates[1]" + } + }, + { + "copy": { + "from": "unmapped.client.userAgent.rawUserAgent", + "to": "http_request.user_agent" + } + }, + { + "copy": { + "from": "unmapped.client.userAgent.os.family", + "to": "src_endpoint.os.name" + } + }, + { + "copy": { + "from": "unmapped.client.userAgent.browser.family", + "to": "http_request.user_agent" + } + }, + { + "copy": { + "from": "unmapped.outcome.result", + "to": "status" + } + }, + { + "copy": { + "from": "unmapped.outcome.reason", + "to": "status_detail" + } + }, + { + "copy": { + "from": "unmapped.transaction.type", + "to": "auth_protocol" + } + }, + { + "copy": { + "from": "unmapped.transaction.id", + "to": "session.uid" + } + }, + { + "copy": { + "from": "unmapped.authenticationContext.externalSessionId", + "to": "session.uid" + } + }, + { + "copy": { + "from": "unmapped.debugContext.debugData.requestId", + "to": "metadata.correlation_uid" + } + }, + { + "copy": { + "from": "unmapped.debugContext.debugData.requestUri", + "to": "http_request.url.path" + } + }, + { + "copy": { + "from": "unmapped.target[0].displayName", + "to": "dst_endpoint.name" + } + }, + { + "copy": { + "from": "unmapped.target[0].alternateId", + "to": "dst_endpoint.uid" + } + }, + { + "copy": { + "from": "unmapped.severity", + "to": "severity" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.outcome.result = 'SUCCESS'" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id", + "predicate": "unmapped.outcome.result = 'FAILURE'" + } + }, + { + "constant": { + "value": 1, + "field": "severity_id", + "predicate": "unmapped.outcome.result = 'SUCCESS'" + } + }, + { + "constant": { + "value": 3, + "field": "severity_id", + "predicate": "unmapped.outcome.result = 'FAILURE'" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "unmapped.outcome.result = 'SUCCESS'" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "unmapped.outcome.result = 'FAILURE'" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "user.name", + "type": "User" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address" + }, + { + "name": "http_request.user_agent", + "type": "Other" + }, + { + "name": "session.uid", + "type": "Other" + }, + { + "name": "dst_endpoint.name", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/paloalto_firewall-latest b/parsers/paloalto_firewall-latest new file mode 100644 index 0000000..9080daf --- /dev/null +++ b/parsers/paloalto_firewall-latest @@ -0,0 +1,1169 @@ +{ + attributes: { + "dataSource.category": "security", + "dataSource.name": "Palo Alto Networks Firewall", + "dataSource.vendor": "Palo Alto Networks", + }, + patterns: { + //maps to high_resolution_timestamp: + //timestamp: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3}(\\+|-)\\d{2}:\\d{2}", + //application_characteristic can be a single value, a comma delimited list in quotes, or blank. Null value is handled by format: traffic-2, not by this pattern. + app_characteristic: "(\".*\")|[^,]+", + //description field from system log is wrapped in quotes and may contain commas + desc: "(\".*\")", + userid_log_type: "USERID", + logout_sub_type: "logout", + login_sub_type: "login", + hipmatch_log_type: "HIPMATCH", + config_log_type: "CONFIG", + wildfire_sub_type: "wildfire", + data_filtering_sub_type: "file", + globalprotect_log_type: "GLOBALPROTECT", + iptag_log_type: "IPTAG", + gtp_log_type: "GTP", + tunnel_log_type: "\\b(?:START|END|start|end)\\b", + sctp_log_type: "SCTP", + system_log_type: "SYSTEM" + }, + + formats: [ + // { + // format: ".*$timestamp=timestamp$(\\,)*", + //}, + { + //match all fields. application_characteristic can be a single value, or a comma delimited list in quotes. + attributes: { + "class_uid": "4001", + "category_uid": "4", + "severity_id": "0", + "class_name": "Network Activity", + "category_name": "Network Activity", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.0.0-rc.3", + "metadata.log_name": "TRAFFIC", + }, + format: ".*,$metadata.logged_time_dt$,$device.hw_info.serial_number$,TRAFFIC,$unmapped.sub_type$,.*,$metadata.original_time$,$src_endpoint.ip$,$dst_endpoint.ip$,$src_endpoint.intermediate_ips$,$dst_endpoint.intermediate_ips$,$unmapped.rule_matched$,$actor.user.name$,$unmapped.dst_user$,$app_name$,$unmapped.vsys$,$unmapped.from_zone$,$unmapped.to_zone$,$unmapped.inbound_if$,$unmapped.outbound_if$,$actor.session.issuer$,$metadata.original_time$,$actor.session.uid$,$unmapped.repeat_count$,$src_endpoint.port$,$dst_endpoint.port$,$unmapped.nat_src_port$,$unmapped.nat_dst_port$,$unmapped.flags$,$connection_info.protocol_name$,$unmapped.action_value$,$traffic.bytes$,$traffic.bytes_in$,$traffic.bytes_out$,$traffic.packets$,$actor.session.created_time_dt$,$duration$,$unmapped.url_category_value$,.*,$metadata.sequence$,$unmapped.action_flags$,$src_endpoint.location.region$,$dst_endpoint.location.region$,.*,$traffic.packets_out$,$traffic.packets_in$,$unmapped.session_end_reason_value$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.hostname$,$unmapped.action_source$,$unmapped.src_uuid$,$unmapped.dst_uuid$,$device.imsi$,$device.imei$,$unmapped.parent_session_id$,$unmapped.parent_start_time$,$unmapped.tunnel_type$,$unmapped.ep_assoc_id$,$unmapped.chunks_total$,$unmapped.chunks_sent$,$unmapped.chunks_received$,$unmapped.rule_matched_uuid$,$unmapped.http2_connection$,$unmapped.link_change_count$,$unmapped.policy_id$,$unmapped.link_switches$,$unmapped.sdwan_cluster$,$unmapped.sdwan_device_type$,$unmapped.sdwan_cluster_type$,$unmapped.sdwan_site$,$actor.user.groups$,$src_endpoint.intermediate_ips$,$unmapped.src_category$,$unmapped.src_profile$,$unmapped.src_model$,$unmapped.src_vendor$,$unmapped.src_osfamily$,$unmapped.src_osversion$,$src_endpoint.hostname$,$src_endpoint.mac$,$unmapped.dst_category$,$unmapped.dst_profile$,$unmapped.dst_model$,$unmapped.dst_vendor$,$unmapped.dst_osfamily$,$unmapped.dst_osversion$,$dst_endpoint.hostname$,$dst_endpoint.mac$,$unmapped.container_id$,$unmapped.pod_namespace$,$unmapped.pod_name$,$unmapped.src_edl$,$unmapped.dst_edl$,$device.uid$,$unmapped.serial_number$,$unmapped.src_dag$,$unmapped.dst_dag$,$unmapped.session_owner$,$unmapped.high_res_timestamp$,$unmapped.nsdsai_sst$,$unmapped.nsdsai_sd$,$unmapped.subcategory_of_app$,$unmapped.category_of_app$,$unmapped.technology_of_app$,$unmapped.risk_of_app$,$unmapped.characteristic_of_app=app_characteristic$,$unmapped.container_of_app$,$unmapped.tunneled_app$,$unmapped.is_saas_of_app$,$unmapped.sanctioned_state_of_app$,$unmapped.offloaded$", + halt: true, + rewrites: [ + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^start$", + replace: "1" + }, + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^end$", + replace: "2" + }, + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^drop$", + replace: "4" + }, + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^deny$", + replace: "5" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^start$", + replace: "Open" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^end$", + replace: "Close" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^drop$", + replace: "Fail" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^deny$", + replace: "Refuse" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: "^start$", + replace: "Open" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: "^end$", + replace: "Close" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: "^drop$", + replace: "Fail" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: "^deny$", + replace: "Refuse" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^start$", + replace: "400101" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^end$", + replace: "400102" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^drop$", + replace: "400104" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^deny$", + replace: "400105" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^start$", + replace: "Network Activity: Open" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^end$", + replace: "Network Activity: Close" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^drop$", + replace: "Network Activity: Fail" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^deny$", + replace: "Network Activity: Refuse" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^allow$", + replace: "1" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^deny$", + replace: "2" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^allow$", + replace: "Success" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^deny$", + replace: "Failure" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^(?!allow|deny$).*", + replace: "99" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^(?!allow|deny$).*", + replace: "Other" + }, + { + input: "dst_endpoint.intermediate_ips", + output: "dst_endpoint.intermediate_ips", + match: ".*", + replace: "\\[\"$0\"\\]" + }, + { + input: "message", + output: "src_endpoint.intermediate_ips", + match: "(?:[^,]*,){9}([^,]*){1},(?:[^,]*,){65}([^,]*){1},(?:[^,]*,){38}.*", + replace: "\\[\"$1\"\\, \"$2\"\\]" + }, + { + input: "message", + output: "observables", + match: "(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){69}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),.*", + replace: "\\[\\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"src_endpoint.hostname\"\\, \"value\"\\: \"$4\"\\}\\, \\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"dst_endpoint.hostname\"\\, \"value\"\\: \"$6\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: \"$1\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"dst_endpoint.ip\"\\, \"value\"\\: \"$2\"\\}\\, \\{\"type_id\"\\: \"4\"\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: \"$3\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"src_endpoint.mac\"\\, \"value\"\\: \"$5\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"dst_endpoint.mac\"\\, \"value\"\\: \"$7\"\\}\\]" + }, + ] + }, + { + //dont match on application_characteristic for cases where is it blank. + attributes: { + "class_uid": "4001", + "category_uid": "4", + "severity_id": "0", + "class_name": "Network Activity", + "category_name": "Network Activity", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.0.0-rc.3", + "metadata.log_name": "TRAFFIC", + }, + format: ".*,$metadata.logged_time_dt$,$device.hw_info.serial_number$,TRAFFIC,$unmapped.sub_type$,.*,$metadata.original_time$,$src_endpoint.ip$,$dst_endpoint.ip$,$src_endpoint.intermediate_ips$,$dst_endpoint.intermediate_ips$,$unmapped.rule_matched$,$actor.user.name$,$unmapped.dst_user$,$app_name$,$unmapped.vsys$,$unmapped.from_zone$,$unmapped.to_zone$,$unmapped.inbound_if$,$unmapped.outbound_if$,$actor.session.issuer$,$metadata.original_time$,$actor.session.uid$,$unmapped.repeat_count$,$src_endpoint.port$,$dst_endpoint.port$,$unmapped.nat_src_port$,$unmapped.nat_dst_port$,$unmapped.flags$,$connection_info.protocol_name$,$unmapped.action_value$,$traffic.bytes$,$traffic.bytes_in$,$traffic.bytes_out$,$traffic.packets$,$actor.session.created_time_dt$,$duration$,$unmapped.url_category_value$,.*,$metadata.sequence$,$unmapped.action_flags$,$src_endpoint.location.region$,$dst_endpoint.location.region$,.*,$traffic.packets_out$,$traffic.packets_in$,$unmapped.session_end_reason_value$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.hostname$,$unmapped.action_source$,$unmapped.src_uuid$,$unmapped.dst_uuid$,$device.imsi$,$device.imei$,$unmapped.parent_session_id$,$unmapped.parent_start_time$,$unmapped.tunnel_type$,$unmapped.ep_assoc_id$,$unmapped.chunks_total$,$unmapped.chunks_sent$,$unmapped.chunks_received$,$unmapped.rule_matched_uuid$,$unmapped.http2_connection$,$unmapped.link_change_count$,$unmapped.policy_id$,$unmapped.link_switches$,$unmapped.sdwan_cluster$,$unmapped.sdwan_device_type$,$unmapped.sdwan_cluster_type$,$unmapped.sdwan_site$,$actor.user.groups$,$src_endpoint.intermediate_ips$,$unmapped.src_category$,$unmapped.src_profile$,$unmapped.src_model$,$unmapped.src_vendor$,$unmapped.src_osfamily$,$unmapped.src_osversion$,$src_endpoint.hostname$,$src_endpoint.mac$,$unmapped.dst_category$,$unmapped.dst_profile$,$unmapped.dst_model$,$unmapped.dst_vendor$,$unmapped.dst_osfamily$,$unmapped.dst_osversion$,$dst_endpoint.hostname$,$dst_endpoint.mac$,$unmapped.container_id$,$unmapped.pod_namespace$,$unmapped.pod_name$,$unmapped.src_edl$,$unmapped.dst_edl$,$device.uid$,$unmapped.serial_number$,$unmapped.src_dag$,$unmapped.dst_dag$,$unmapped.session_owner$,$unmapped.high_res_timestamp$,$unmapped.nsdsai_sst$,$unmapped.nsdsai_sd$,$unmapped.subcategory_of_app$,$unmapped.category_of_app$,$unmapped.technology_of_app$,$unmapped.risk_of_app$,$unmapped.characteristic_of_app$,$unmapped.container_of_app$,$unmapped.tunneled_app$,$unmapped.is_saas_of_app$,$unmapped.sanctioned_state_of_app$,$unmapped.offloaded$", + halt: true, + rewrites: [ + { + input: "unmapped.sub_type", + output: "event.type", + match: "^start$", + replace: "Open" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: "^end$", + replace: "Close" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: "^drop$", + replace: "Fail" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: "^deny$", + replace: "Refuse" + }, + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^start$", + replace: "1" + }, + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^end$", + replace: "2" + }, + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^drop$", + replace: "4" + }, + { + input: "unmapped.sub_type", + output: "activity_id", + match: "^deny$", + replace: "5" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^start$", + replace: "Open" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^end$", + replace: "Close" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^drop$", + replace: "Fail" + }, + { + input: "unmapped.sub_type", + output: "activity_name", + match: "^deny$", + replace: "Refuse" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^start$", + replace: "400101" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^end$", + replace: "400102" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^drop$", + replace: "400104" + }, + { + input: "unmapped.sub_type", + output: "type_uid", + match: "^deny$", + replace: "400105" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^start$", + replace: "Network Activity: Open" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^end$", + replace: "Network Activity: Close" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^drop$", + replace: "Network Activity: Fail" + }, + { + input: "unmapped.sub_type", + output: "type_name", + match: "^deny$", + replace: "Network Activity: Refuse" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^allow$", + replace: "1" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^deny$", + replace: "2" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^allow$", + replace: "Success" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^deny$", + replace: "Failure" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^(?!allow|deny$).*", + replace: "99" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^(?!allow|deny$).*", + replace: "Other" + }, + { + input: "dst_endpoint.intermediate_ips", + output: "dst_endpoint.intermediate_ips", + match: ".*", + replace: "\\[\"$0\"\\]" + }, + { + input: "message", + output: "src_endpoint.intermediate_ips", + match: "(?:[^,]*,){9}([^,]*){1},(?:[^,]*,){65}([^,]*){1},(?:[^,]*,){38}.*", + replace: "\\[\"$1\"\\, \"$2\"\\]" + }, + { + input: "message", + output: "observables", + match: "(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){69}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),.*", + replace: "\\[\\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"src_endpoint.hostname\"\\, \"value\"\\: \"$4\"\\}\\, \\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"dst_endpoint.hostname\"\\, \"value\"\\: \"$6\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: \"$1\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"dst_endpoint.ip\"\\, \"value\"\\: \"$2\"\\}\\, \\{\"type_id\"\\: \"4\"\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: \"$3\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"src_endpoint.mac\"\\, \"value\"\\: \"$5\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"dst_endpoint.mac\"\\, \"value\"\\: \"$7\"\\}\\]" + }, + ] + }, + { + attributes: { + "class_uid": "0", + "activity_id": "99", + "category_uid": "0", + "type_uid": "99", + "type_name": "Base Event: Other", + "class_name": "Base Event", + "category_name": "Uncategorized", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.0.0-rc.3", + "metadata.log_name": "SYSTEM", + }, + format: ".*,$metadata.logged_time_dt$,$unmapped.serial$,SYSTEM,$unmapped.sub_type$,.*,$metadata.original_time$,$unmapped.vsys$,$unmapped.event_id$,$unmapped.object$,.*,.*,$unmapped.module$,$unmapped.severity$,$unmapped.description=desc$,$metadata.sequence$,$unmapped.action_flags$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$unmapped.device_name$,.*,.*,$unmapped.high_res_timestamp$", + halt: true, + rewrites: [ + { + input: "unmapped.sub_type", + output: "activity_name", + match: ".*", + replace: "$0" + }, + { + input: "unmapped.sub_type", + output: "event.type", + match: ".*", + replace: "$0" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^informational$", + replace: "1" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^low$", + replace: "2" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^medium$", + replace: "3" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^high$", + replace: "4" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^critical$", + replace: "5" + }, + { + input: "message", + output: "observables", + match: "(?:[^,]*,){14}(\".*\"),(?:[^,]*,){7}([^,]*),.*", + replace: "\\[\\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"device.hostname\"\\, \"value\"\\: \"$2\"\\}\\]" + }, + ] + }, + { + //matches THREAT logs with comma surround lists in application_characteristic and url_category_list. + attributes: { + "activity_name": "THREAT", + "class_uid": "4001", + "activity_id": "99", + "category_uid": "4", + "type_uid": "400199", + "type_name": "Network Activity: Other", + "class_name": "Network Activity", + "category_name": "Network Activity", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.0.0-rc.3", + "metadata.log_name": "THREAT", + "event.type": "THREAT" + }, + format: ".*,$metadata.logged_time_dt$,$device.hw_info.serial_number$,THREAT,$unmapped.sub_type$,.*,$metadata.original_time$,$src_endpoint.ip$,$dst_endpoint.ip$,$src_endpoint.intermediate_ips$,$dst_endpoint.intermediate_ips$,$unmapped.rule_matched$,$actor.user.name$,$unmapped.dst_user$,$app_name$,$unmapped.vsys$,$unmapped.from_zone$,$unmapped.to_zone$,$unmapped.inbound_if$,$unmapped.outbound_if$,$actor.session.issuer$,$metadata.original_time$,$actor.session.uid$,$unmapped.repeat_count$,$src_endpoint.port$,$dst_endpoint.port$,$unmapped.nat_src_port$,$unmapped.nat_dst_port$,$unmapped.flags$,$connection_info.protocol_name$,$unmapped.action_value$,$unmapped.file$,$unmapped.threat_id$,$unmapped.url_category_value$,$unmapped.severity$,$unmapped.direction_of_attack$,$metadata.sequence$,$unmapped.action_flags$,$src_endpoint.location.region$,$dst_endpoint.location.region$,$metadata.product.version$,$unmapped.pcap_id$,$unmapped.file_digest$,.*,$cloud.account_uid$,$unmapped.url_idx$,$unmapped.user_agent$,$unmapped.file_type$,$src_endpoint.intermediate_ips$,$unmapped.referrer$,$unmapped.sender_of_email$,$unmapped.subject_of_email$,$unmapped.receipent_of_email$,$unmapped.report_id$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.hostname$,.*,$unmapped.src_uuid$,$unmapped.dst_uuid$,$unmapped.http_method$,$device.imsi$,$device.imei$,$unmapped.parent_session_id$,$unmapped.parent_start_time$,$unmapped.tunnel_type$,$unmapped.threat_category$,$unmapped.content_version$,.*,$unmapped.ep_assoc_id$,$unmapped.ppid$,$unmapped.http_headers$,\"$unmapped.url_category_list$\",$unmapped.rule_matched_uuid$,$unmapped.http2_connection$,$actor.user.groups$,$src_endpoint.intermediate_ips$,$unmapped.src_category$,$unmapped.src_profile$,$unmapped.src_model$,$unmapped.src_vendor$,$unmapped.src_osfamily$,$unmapped.src_osversion$,$src_endpoint.hostname$,$src_endpoint.mac$,$unmapped.dst_category$,$unmapped.dst_profile$,$unmapped.dst_model$,$unmapped.dst_vendor$,$unmapped.dst_osfamily$,$unmapped.dst_osversion$,$dst_endpoint.hostname$,$dst_endpoint.mac$,$unmapped.container_id$,$unmapped.pod_namespace$,$unmapped.pod_name$,$unmapped.src_edl$,$unmapped.dst_edl$,$device.uid$,$unmapped.serial_number$,$unmapped.src_dag$,$unmapped.dst_dag$,$unmapped.partial_hash$,.*,$unmapped.high_res_timestamp$,$unmapped.reason$,$unmapped.justification$,$unmapped.nssai_sst$,$unmapped.subcategory_of_app$,$unmapped.category_of_app$,$unmapped.technology_of_app$,$unmapped.risk_of_app$,\"$unmapped.characteristic_of_app$\",$unmapped.container_of_app$,$unmapped.tunneled_app$,$unmapped.is_saas_of_app$,$unmapped.sanctioned_state_of_app$", + halt: true, + rewrites: [ + { + input: "unmapped.severity", + output: "severity_id", + match: "^informational$", + replace: "1" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^low$", + replace: "2" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^medium$", + replace: "3" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^high$", + replace: "4" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^critical$", + replace: "5" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^allow$", + replace: "1" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^deny$", + replace: "2" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^allow$", + replace: "Success" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^deny$", + replace: "Failure" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^(?!allow|deny$).*", + replace: "99" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^(?!allow|deny$).*", + replace: "Other" + }, + { + input: "dst_endpoint.intermediate_ips", + output: "dst_endpoint.intermediate_ips", + match: ".*", + replace: "\\[\"$0\"\\]" + }, + { + input: "message", + output: "src_endpoint.intermediate_ips", + match: "(?:[^,]*,){9}([^,]*),(?:[^,]*,){21}(\".*\"),(?:[^,]*,){16}([^,]*),(?:[^,]*,){26}(\".*\"),(?:[^,]*,){3}([^,]*),.*", + replace: "\\[\"$1\"\\, \"$3\"\\, \"$5\"\\]" + }, + { + input: "message", + output: "observables", + match: "(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){18}(\".*\"),(?:[^,]*,){43}(\".*\"),(?:[^,]*,){10}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),.*", + replace: "\\[\\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"src_endpoint.hostname\"\\, \"value\"\\: \"$6\"\\}\\, \\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"dst_endpoint.hostname\"\\, \"value\"\\: \"$8\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: \"$1\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"dst_endpoint.ip\"\\, \"value\"\\: \"$2\"\\}\\, \\{\"type_id\"\\: \"4\"\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: \"$3\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"src_endpoint.mac\"\\, \"value\"\\: \"$7\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"dst_endpoint.mac\"\\, \"value\"\\: \"$9\"\\}\\]" + }, + ] + }, + { + //matches THREAT logs with comma surround lists in application_characteristic and url_category_list. + attributes: { + "activity_name": "THREAT", + "class_uid": "4001", + "activity_id": "99", + "category_uid": "4", + "type_uid": "400199", + "type_name": "Network Activity: Other", + "class_name": "Network Activity", + "category_name": "Network Activity", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.0.0-rc.3", + "metadata.log_name": "THREAT", + "event.type": "THREAT" + }, + format: ".*,$metadata.logged_time_dt$,$device.hw_info.serial_number$,THREAT,$unmapped.sub_type$,.*,$metadata.original_time$,$src_endpoint.ip$,$dst_endpoint.ip$,$src_endpoint.intermediate_ips$,$dst_endpoint.intermediate_ips$,$unmapped.rule_matched$,$actor.user.name$,$unmapped.dst_user$,$app_name$,$unmapped.vsys$,$unmapped.from_zone$,$unmapped.to_zone$,$unmapped.inbound_if$,$unmapped.outbound_if$,$actor.session.issuer$,$metadata.original_time$,$actor.session.uid$,$unmapped.repeat_count$,$src_endpoint.port$,$dst_endpoint.port$,$unmapped.nat_src_port$,$unmapped.nat_dst_port$,$unmapped.flags$,$connection_info.protocol_name$,$unmapped.action_value$,$unmapped.file$,$unmapped.threat_id$,$unmapped.url_category_value$,$unmapped.severity$,$unmapped.direction_of_attack$,$metadata.sequence$,$unmapped.action_flags$,$src_endpoint.location.region$,$dst_endpoint.location.region$,$metadata.product.version$,$unmapped.pcap_id$,$unmapped.file_digest$,.*,$cloud.account_uid$,$unmapped.url_idx$,$unmapped.user_agent$,$unmapped.file_type$,$src_endpoint.intermediate_ips$,$unmapped.referrer$,$unmapped.sender_of_email$,$unmapped.subject_of_email$,$unmapped.receipent_of_email$,$unmapped.report_id$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.hostname$,.*,$unmapped.src_uuid$,$unmapped.dst_uuid$,$unmapped.http_method$,$device.imsi$,$device.imei$,$unmapped.parent_session_id$,$unmapped.parent_start_time$,$unmapped.tunnel_type$,$unmapped.threat_category$,$unmapped.content_version$,.*,$unmapped.ep_assoc_id$,$unmapped.ppid$,$unmapped.http_headers$,$unmapped.url_category_list$,$unmapped.rule_matched_uuid$,$unmapped.http2_connection$,$actor.user.groups$,$src_endpoint.intermediate_ips$,$unmapped.src_category$,$unmapped.src_profile$,$unmapped.src_model$,$unmapped.src_vendor$,$unmapped.src_osfamily$,$unmapped.src_osversion$,$src_endpoint.hostname$,$src_endpoint.mac$,$unmapped.dst_category$,$unmapped.dst_profile$,$unmapped.dst_model$,$unmapped.dst_vendor$,$unmapped.dst_osfamily$,$unmapped.dst_osversion$,$dst_endpoint.hostname$,$dst_endpoint.mac$,$unmapped.container_id$,$unmapped.pod_namespace$,$unmapped.pod_name$,$unmapped.src_edl$,$unmapped.dst_edl$,$device.uid$,$unmapped.serial_number$,$unmapped.src_dag$,$unmapped.dst_dag$,$unmapped.partial_hash$,.*,$unmapped.high_res_timestamp$,$unmapped.reason$,$unmapped.justification$,$unmapped.nssai_sst$,$unmapped.subcategory_of_app$,$unmapped.category_of_app$,$unmapped.technology_of_app$,$unmapped.risk_of_app$,$unmapped.characteristic_of_app$,$unmapped.container_of_app$,$unmapped.tunneled_app$,$unmapped.is_saas_of_app$,$unmapped.sanctioned_state_of_app$", + halt: true, + rewrites: [ + { + input: "unmapped.severity", + output: "severity_id", + match: "^informational$", + replace: "1" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^low$", + replace: "2" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^medium$", + replace: "3" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^high$", + replace: "4" + }, + { + input: "unmapped.severity", + output: "severity_id", + match: "^critical$", + replace: "5" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^allow$", + replace: "1" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^deny$", + replace: "2" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^allow$", + replace: "Success" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^deny$", + replace: "Failure" + }, + { + input: "unmapped.action_value", + output: "status_id", + match: "^(?!allow|deny$).*", + replace: "99" + }, + { + input: "unmapped.action_value", + output: "status", + match: "^(?!allow|deny$).*", + replace: "Other" + }, + { + input: "dst_endpoint.intermediate_ips", + output: "dst_endpoint.intermediate_ips", + match: ".*", + replace: "\\[\"$0\"\\]" + }, + { + input: "message", + output: "src_endpoint.intermediate_ips", + match: "(?:[^,]*,){9}([^,]*),(?:[^,]*,){38}([^,]*),(?:[^,]*,){30}([^,]*),.*", + replace: "\\[\"$1\"\\, \"$2\"\\, \"$3\"\\]" + }, + { + input: "message", + output: "observables", + match: "(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){73}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),.*", + replace: "\\[\\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"src_endpoint.hostname\"\\, \"value\"\\: \"$4\"\\}\\, \\{\"type_id\"\\: \"1\"\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"dst_endpoint.hostname\"\\, \"value\"\\: \"$6\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: \"$1\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"dst_endpoint.ip\"\\, \"value\"\\: \"$2\"\\}\\, \\{\"type_id\"\\: \"4\"\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: \"$3\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"src_endpoint.mac\"\\, \"value\"\\: \"$5\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"dst_endpoint.mac\"\\, \"value\"\\: \"$7\"\\}\\]" + }, + ] + }, + { + attributes: { + "activity_name": "Logoff", + "activity_id": "2", + "category_name": "Identity & Access Management", + "category_uid": "3", + "class_name": "Authentication", + "class_uid": "3002", + "cloud.provider": "Palo Alto Networks" + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "300202", + "type_name": "Authentication: Logoff", + "event.type": "Logoff", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=userid_log_type$,$unmapped.subtype=logout_sub_type$,.*,$start_time_dt$,$unmapped.vsys$,$src_endpoint.ip$,$user.name$,$user.uid$,$metadata.event_code$,$unmapped.repeatcnt$,$unmapped.timeout$,$src_endpoint.port$,$dst_endpoint.port$,$unmapped.datasource$,$unmapped.datasourcetype$,$unmapped.seqno$,$unmapped.actionflags$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$src_endpoint.hostname$,$unmapped.vsys_id$,$unmapped.factortype$,$unmapped.factorcompletiontime$,$unmapped.factorno$,$unmapped.ugflags$,$unmapped.userbysource$,$unmapped.tag_name$,$unmapped.high_res_timestamp$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){7}([^,]*)(?:,[^,]*){0},([^,]*)(?:,[^,]*){15},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"src_endpoint.hostname\"\\, \"value\"\\: $3\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 4\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"user.name\"\\, \"value\"\\: $2\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "activity_name": "Logon", + "activity_id": "1", + "category_name": "Identity & Access Management", + "category_uid": "3", + "class_name": "Authentication", + "class_uid": "3002", + "cloud.provider": "Palo Alto Networks" + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "300201", + "type_name": "Authentication: Logon", + "event.type": "Logon", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=userid_log_type$,$unmapped.subtype=login_sub_type$,.*,$start_time_dt$,$unmapped.vsys$,$src_endpoint.ip$,$user.name$,$user.uid$,$metadata.event_code$,$unmapped.repeatcnt$,$unmapped.timeout$,$src_endpoint.port$,$dst_endpoint.port$,$unmapped.datasource$,$unmapped.datasourcetype$,$unmapped.seqno$,$unmapped.actionflags$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$src_endpoint.hostname$,$unmapped.vsys_id$,$unmapped.factortype$,$unmapped.factorcompletiontime$,$unmapped.factorno$,$unmapped.ugflags$,$unmapped.userbysource$,$unmapped.tag_name$,$unmapped.high_res_timestamp$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){7}([^,]*)(?:,[^,]*){0},([^,]*)(?:,[^,]*){15},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"src_endpoint.hostname\"\\, \"value\"\\: $3\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 4\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"user.name\"\\, \"value\"\\: $2\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "action": "Other", + "action_id": "99", + "activity_name": "Other", + "activity_id": "99", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Detection Finding", + "class_uid": "2004", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "200499", + "type_name": "Detection Finding: Other", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$finding_info.title=hipmatch_log_type$,$unmapped.subtype$,.*,$start_time_dt$,$actor.user.name$,$unmapped.vsys$,$device.name$,$device.os.name$,$device.ip$,$unmapped.matchname$,$unmapped.repeatcnt$,$unmapped.matchtype$,.*,.*,$unmapped.seqno$,$unmapped.actionflags$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.hostname$,$unmapped.vsys_id$,$unmapped.srcipv6$,$unmapped.uid_alt$,$device.uid$,$device.mac$,$unmapped.high_res_timestamp$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){10}([^,]*)(?:,[^,]*){12},([^,]*)(?:,[^,]*){4},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"device.hostname\"\\, \"value\"\\: $2\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"device.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 3\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"device.mac\"\\, \"value\"\\: $3\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "activity_name": "Log", + "activity_id": "1", + "category_name": "Discovery", + "category_uid": "5", + "class_name": "Device Config State", + "class_uid": "5002", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "500201", + "type_name": "Device Config State: Log", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=config_log_type$,$unmapped.subtype$,.*,$start_time_dt$,$device.hostname$,$unmapped.vsys$,$actor.process.cmd_line$,$actor.user.name$,$unmapped.client$,$unmapped.result$,$metadata.product.path$,$unmapped.before-change-detail$,$unmapped.after-change-detail$,$unmapped.seqno$,$unmapped.actionflags$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.name$,$device.groups$,$unmapped.comment$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){6}([^,]*)(?:,[^,]*){2},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"device.hostname\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 4\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: $2\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "action": "Other", + "action_id": "99", + "activity_name": "Other", + "activity_id": "99", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Detection Finding", + "class_uid": "2004", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "200499", + "type_name": "Detection Finding: Other", + "severity_id": "99" + }, + format: "$metadata.original_time$,$device.hw_info.serial_number$,$unmapped.type$,$unmapped.subtype=wildfire_sub_type$,.*,$finding_info.created_time_dt$,$source_address$,$destination_address$,$nat_source_ip$,$nat_destination_ip$,$firewall_rule.name$,$actor.user.name$,$unmapped.dstuser$,$unmapped.app$,$unmapped.vsys$,$source_zone$,$destination_zone$,$inbound_interface$,$outbound_interface$,$unmapped.logset$,.*,$actor.session.uid$,$count$,$source_port$,$destination_port$,$unmapped.natsport$,$unmapped.natdport$,$unmapped.flags$,$ip_protocol$,$action$,$filename$,$finding_info.uid$,$unmapped.category$,$unmapped.severity$,$unmapped.direction$,$metadata.sequence$,$unmapped.actionflags$,$source_location$,$destination_location$,.*,$unmapped.contenttype$,$unmapped.pcap_id$,$unmapped.filedigest$,$unmapped.cloud$,$unmapped.url_idx$,$unmapped.user_agent$,$file_type$,$unmapped.xff$,$unmapped.referer$,$unmapped.sender$,$unmapped.subject$,$unmapped.recipient$,$unmapped.reportid$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.name$,.*,$source_vm_uuid$,$destination_vm_uuid$,$unmapped.http_method$,$unmapped.imsi$,$device.imei$,$parent_session_id$,$parent_start_time$,$unmapped.tunnel$,$unmapped.thr_category$,$unmapped.contentver$,.*,$unmapped.assoc_id$,$unmapped.ppid$,$unmapped.http_headers$,$unmapped.url_category_list$,$unmapped.rule_uuid$,$unmapped.http2_connection$,$unmapped.dynusergroup_name$,$unmapped.xff_ip$,$unmapped.src_category$,$unmapped.src_profile$,$unmapped.src_model$,$unmapped.src_vendor$,$unmapped.src_osfamily$,$unmapped.src_osversion$,$source_hostname$,$source_mac_address$,$unmapped.dst_category$,$unmapped.dst_profile$,$unmapped.dst_model$,$unmapped.dst_vendor$,$unmapped.dst_osfamily$,$unmapped.dst_osversion$,$destination_hostname$,$destination_mac_address$,$unmapped.container_id$,$unmapped.pod_namespace$,$unmapped.pod_name$,$unmapped.src_edl$,$unmapped.dst_edl$,$unmapped.hostid$,$unmapped.serialnumber$,$unmapped.domain_edl$,$unmapped.src_dag$,$unmapped.dst_dag$,$unmapped.partial_hash$,$unmapped.high_res_timestamp$,$unmapped.reason$,$unmapped.justification$,$unmapped.nssai_sst$,$unmapped.subcategory_of_app$,$unmapped.category_of_app$,$unmapped.technology_of_app$,$risk_level$,$unmapped.characteristic_of_app=app_characteristic$,$unmapped.container_of_app$,$unmapped.tunneled_app$,$unmapped.is_saas_of_app$,$unmapped.sanctioned_state_of_app$,$unmapped.cloud_reportid$", + halt: true, + rewrites: [ + { + input: "message", + output: "evidences", + match: "^(?:[^,]*,){6}([^,]*),([^,]*),([^,]*),([^,]*),(?:[^,]*,){5}([^,]*),([^,]*),([^,]*),([^,]*),(?:[^,]*,){4}([^,]*),([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){1}([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){13}([^,]*),(?:[^,]*,){1}([^,]*),(?:[^,]*,){18}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){1}([^,]*),([^,]*).*", + replace: "\\[\"src_endpoint\"\\:\\{\"ip\"\\: $1\\, \"intermediate_ips\"\\:\\[$3\\]\\, \"zone\"\\: $5\\, \"interface_name\"\\: $7\\, \"port\"\\: $9\\, \"location\"\\: \\{\"country\"\\: $13\\}\\, \"uid\"\\: $16\\, \"hostname\"\\: $20\\, \"mac\"\\: $21\\}\\, \"dst_endpoint\"\\:\\{\"ip\"\\: $2\\, \"intermediate_ips\"\\:\\[$4\\]\\, \"zone\"\\: $6\\, \"interface_name\"\\: $8\\, \"port\"\\: $10\\, \"location\"\\: \\{\"country\"\\: $14\\}\\, \"uid\"\\: $17\\, \"hostname\"\\: $22\\, \"mac\"\\: $23\\}\\, \"connection_info\"\\: \\{ \"protocol_name\"\\: $11\\}\\, \"process\"\\: \\{\"file\"\\: \\{\"name\"\\: $12\\, \"type\"\\: $15\\}\\, \"parent_process\"\\: \\{\"session\": \\{\"uid\": $18\\}\\, \"created_time\"\\: $19\\}\\} \\]" + }, + { + input: "message", + output: "observables", + match: "^(?:[^,]*,){6}([^,]*),(?:[^,]*,){0}([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){73}([^,]*),(?:[^,]*,){7}([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"evidences.src_endpoint.hostname\"\\, \"value\"\\: $4\\}\\, \\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"evidences.dst_endpoint.hostname\"\\, \"value\"\\: $5\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"evidences.src_endpoint.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"evidences.dst_endpoint.ip\"\\, \"value\"\\: $2\\}\\, \\{\"type_id\"\\: 4\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: $3\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + }, + { + action: "removeFields", + fields: [ + "source_address", + "destination_address", + "nat_source_ip", + "nat_destination_ip", + "source_zone", + "destination_zone", + "inbound_interface", + "outbound_interface", + "source_port", + "destination_port", + "ip_protocol", + "filename", + "source_location", + "destination_location", + "file_type", + "source_vm_uuid", + "destination_vm_uuid", + "parent_session_id", + "parent_start_time", + "source_hostname", + "source_mac_address", + "destination_hostname", + "destination_mac_address" + ] + } + ] + }, + { + attributes: { + "action": "Other", + "action_id": "99", + "activity_name": "Other", + "activity_id": "99", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Detection Finding", + "class_uid": "2004", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "200499", + "type_name": "Detection Finding: Other", + "severity_id": "99" + }, + format: "$metadata.original_time$,$device.hw_info.serial_number$,$unmapped.type$,$unmapped.subtype=data_filtering_sub_type$,.*,$finding_info.created_time_dt$,$source_address$,$destination_address$,$nat_source_ip$,$nat_destination_ip$,$firewall_rule.name$,$actor.user.name$,$unmapped.dstuser$,$unmapped.app$,$unmapped.vsys$,$source_zone$,$destination_zone$,$inbound_interface$,$outbound_interface$,$unmapped.logset$,.*,$actor.session.uid$,$count$,$source_port$,$destination_port$,$unmapped.natsport$,$unmapped.natdport$,$unmapped.flags$,$ip_protocol$,$action$,$filename$,$finding_info.uid$,$unmapped.category$,$unmapped.severity$,$unmapped.direction$,$metadata.sequence$,$unmapped.actionflags$,$source_location$,$destination_location$,.*,$unmapped.contenttype$,$unmapped.pcap_id$,$unmapped.filedigest$,$unmapped.cloud$,$unmapped.url_idx$,$unmapped.user_agent$,$file_type$,$unmapped.xff$,$unmapped.referer$,$unmapped.sender$,$unmapped.subject$,$unmapped.recipient$,$unmapped.reportid$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.name$,.*,$source_vm_uuid$,$destination_vm_uuid$,$unmapped.http_method$,$unmapped.imsi$,$device.imei$,$parent_session_id$,$parent_start_time$,$unmapped.tunnel$,$unmapped.thr_category$,$unmapped.contentver$,.*,$unmapped.assoc_id$,$unmapped.ppid$,$unmapped.http_headers$,$unmapped.url_category_list$,$unmapped.rule_uuid$,$unmapped.http2_connection$,$unmapped.dynusergroup_name$,$unmapped.xff_ip$,$unmapped.src_category$,$unmapped.src_profile$,$unmapped.src_model$,$unmapped.src_vendor$,$unmapped.src_osfamily$,$unmapped.src_osversion$,$source_hostname$,$source_mac_address$,$unmapped.dst_category$,$unmapped.dst_profile$,$unmapped.dst_model$,$unmapped.dst_vendor$,$unmapped.dst_osfamily$,$unmapped.dst_osversion$,$destination_hostname$,$destination_mac_address$,$unmapped.container_id$,$unmapped.pod_namespace$,$unmapped.pod_name$,$unmapped.src_edl$,$unmapped.dst_edl$,$unmapped.hostid$,$unmapped.serialnumber$,$unmapped.domain_edl$,$unmapped.src_dag$,$unmapped.dst_dag$,$unmapped.partial_hash$,$unmapped.high_res_timestamp$,$unmapped.reason$,$unmapped.justification$,$unmapped.nssai_sst$,$unmapped.subcategory_of_app$,$unmapped.category_of_app$,$unmapped.technology_of_app$,$risk_level$,$unmapped.characteristic_of_app=app_characteristic$,$unmapped.container_of_app$,$unmapped.tunneled_app$,$unmapped.is_saas_of_app$,$unmapped.sanctioned_state_of_app$,$unmapped.cloud_reportid$", + halt: true, + rewrites: [ + { + input: "message", + output: "evidences", + match: "^(?:[^,]*,){6}([^,]*),([^,]*),([^,]*),([^,]*),(?:[^,]*,){5}([^,]*),([^,]*),([^,]*),([^,]*),(?:[^,]*,){4}([^,]*),([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){1}([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){13}([^,]*),(?:[^,]*,){1}([^,]*),(?:[^,]*,){18}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){7}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){6}([^,]*),([^,]*),(?:[^,]*,){1}([^,]*),([^,]*).*", + replace: "\\[\"src_endpoint\"\\:\\{\"ip\"\\: $1\\, \"intermediate_ips\"\\:\\[$3\\]\\, \"zone\"\\: $5\\, \"interface_name\"\\: $7\\, \"port\"\\: $9\\, \"location\"\\: \\{\"country\"\\: $13\\}\\, \"uid\"\\: $16\\, \"hostname\"\\: $20\\, \"mac\"\\: $21\\}\\, \"dst_endpoint\"\\:\\{\"ip\"\\: $2\\, \"intermediate_ips\"\\:\\[$4\\]\\, \"zone\"\\: $6\\, \"interface_name\"\\: $8\\, \"port\"\\: $10\\, \"location\"\\: \\{\"country\"\\: $14\\}\\, \"uid\"\\: $17\\, \"hostname\"\\: $22\\, \"mac\"\\: $23\\}\\, \"connection_info\"\\: \\{ \"protocol_name\"\\: $11\\}\\, \"process\"\\: \\{\"file\"\\: \\{\"name\"\\: $12\\, \"type\"\\: $15\\}\\, \"parent_process\"\\: \\{\"session\": \\{\"uid\": $18\\}\\, \"created_time\"\\: $19\\}\\} \\]" + }, + { + input: "message", + output: "observables", + match: "^(?:[^,]*,){6}([^,]*),(?:[^,]*,){0}([^,]*),(?:[^,]*,){3}([^,]*),(?:[^,]*,){73}([^,]*),(?:[^,]*,){7}([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"evidences.src_endpoint.hostname\"\\, \"value\"\\: $4\\}\\, \\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"evidences.dst_endpoint.hostname\"\\, \"value\"\\: $5\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"evidences.src_endpoint.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"evidences.dst_endpoint.ip\"\\, \"value\"\\: $2\\}\\, \\{\"type_id\"\\: 4\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: $3\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + }, + { + action: "removeFields", + fields: [ + "source_address", + "destination_address", + "nat_source_ip", + "nat_destination_ip", + "source_zone", + "destination_zone", + "inbound_interface", + "outbound_interface", + "source_port", + "destination_port", + "ip_protocol", + "filename", + "source_location", + "destination_location", + "file_type", + "source_vm_uuid", + "destination_vm_uuid", + "parent_session_id", + "parent_start_time", + "source_hostname", + "source_mac_address", + "destination_hostname", + "destination_mac_address" + ] + } + ] + }, + { + attributes: { + "activity_name": "Other", + "activity_id": "99", + "category_name": "Identity & Access Management", + "category_uid": "3", + "class_name": "Authentication", + "class_uid": "3002", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "300299", + "type_name": "Authentication: Other", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=globalprotect_log_type$,$unmapped.subtype$,.*,$start_time_dt$,$unmapped.vsys$,$metadata.event_code$,$unmapped.stage$,$auth_protocol$,$unmapped.tunnel_type$,$actor.user.name$,$src_endpoint.location.region$,$device.name$,$device.ip$,$unmapped.public_ipv6$,$unmapped.private_ip$,$unmapped.private_ipv6$,$unmapped.hostid$,$src_endpoint.hw_info.serial_number$,$metadata.product.version$,$src_endpoint.os.name$,$src_endpoint.os.version$,$unmapped.repeatcnt$,$unmapped.reason$,$unmapped.error$,$unmapped.description$,$status$,$unmapped.location$,$unmapped.login_duration$,$unmapped.connect_method$,$unmapped.error_code$,$unmapped.portal$,$unmapped.seqno$,$unmapped.actionflags$,$unmapped.high_res_timestamp$,$unmapped.selection_type$,$unmapped.response_time$,$unmapped.priority$,$unmapped.attempted_gateways$,$unmapped.gateway$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$src_endpoint.hostname$,$unmapped.vsys_id$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){11}([^,]*)(?:,[^,]*){2},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"device.ip\"\\, \"value\"\\: $2\\}\\, \\{\"type_id\"\\: 4\\, \"type\"\\: \"User Name\"\\, \"name\"\\: \"actor.user.name\"\\, \"value\"\\: $1\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "activity_name": "Update", + "activity_id": "3", + "category_name": "Identity & Access Management", + "category_uid": "3", + "class_name": "Entity Management", + "class_uid": "3004", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "300403", + "type_name": "Entity Management: Update", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=iptag_log_type$,$unmapped.subtype$,.*,$start_time_dt$,$unmapped.vsys$,$device.ip$,$unmapped.tag_name$,$metadata.event_code$,$unmapped.repeatcnt$,$unmapped.timeout$,$unmapped.datasource$,$unmapped.datasourcetype$,$unmapped.datasource_subtype$,$unmapped.seqno$,$unmapped.actionflags$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.name$,$unmapped.vsys_id$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){7}([^,]*)(?:,[^,]*){14},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"device.name\"\\, \"value\"\\: $2\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"device.ip\"\\, \"value\"\\: $1\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "activity_name": "Open", + "activity_id": "1", + "category_name": "Network Activity", + "category_uid": "4", + "class_name": "Network Activity", + "class_uid": "4001", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "400101", + "type_name": "Network Activity: Open", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=gtp_log_type$,$unmapped.subtype$,.*,$start_time_dt$,$src_endpoint.ip$,$dst_endpoint.ip$,.*,.*,$firewall_rule.name$,.*,.*,$unmapped.app$,$unmapped.vsys$,$src_endpoint.zone$,$dst_endpoint.zone$,$src_endpoint.interface_name$,$dst_endpoint.interface_name$,$unmapped.logset$,.*,$actor.session.uid$,.*,$src_endpoint.port$,$dst_endpoint.port$,.*,.*,.*,$connection_info.protocol_name$,$action$,$unmapped.event_type$,$unmapped.msisdn$,$unmapped.apn$,$unmapped.rat$,$unmapped.msg_type$,$device.ip$,$unmapped.teid1$,$unmapped.teid2$,$unmapped.gtp_interface$,$unmapped.cause_code$,$unmapped.severity$,$unmapped.mcc$,$unmapped.mnc$,$unmapped.area_code$,$unmapped.cell_id$,$unmapped.event_code$,.*,.*,$src_endpoint.location.country$,$dst_endpoint.location.country$,.*,.*,.*,.*,.*,.*,.*,$unmapped.imsi$,$device.imei$,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,$start_time$,$unmapped.elapsed$,$unmapped.tunnel_insp_rule$,$unmapped.tunnel_insp_rule$,$unmapped.tunnel_insp_rule$,$unmapped.rule_uuid$,$unmapped.pcap_id$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){6}([^,]*)(?:,[^,]*){0},([^,]*)(?:,[^,]*){27},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"dst_endpoint.ip\"\\, \"value\"\\: $2\\}, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"device.ip\"\\, \"value\"\\: $3\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "activity_name": "Open", + "activity_id": "1", + "category_name": "Network Activity", + "category_uid": "4", + "class_name": "Network Activity", + "class_uid": "4001", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "400101", + "type_name": "Network Activity: Open", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=tunnel_log_type$,$unmapped.subtype$,.*,$start_time_dt$,$src_endpoint.ip$,$dst_endpoint.ip$,$src_endpoint.proxy_endpoint.ip$,$dst_endpoint.proxy_endpoint.ip$,$firewall_rule.name$,$actor.user.name$,$user.name$,$unmapped.app$,$unmapped.vsys$,$src_endpoint.zone$,$dst_endpoint.zone$,$src_endpoint.interface_name$,$dst_endpoint.interface_name$,$unmapped.logset$,.*,$actor.session.uid$,$unmapped.repeatcnt$,$src_endpoint.port$,$dst_endpoint.port$,$src_endpoint.proxy_endpoint.port$,$dst_endpoint.proxy_endpoint.port$,$unmapped.flags$,$connection_info.protocol_name$,$action$,$unmapped.severity$,$unmapped.seqno$,$unmapped.actionflags$,$src_endpoint.location.country$,$dst_endpoint.location.country$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.name$,$unmapped.imsi$,$device.imei$,$session.uid$,$start_time$,$tunnel_type$,$traffic.bytes$,$traffic.bytes_out$,$traffic.bytes_in$,$traffic.packets$,$traffic.packets_out$,$traffic.packets_in$,$unmapped.max_encap$,$unmapped.unknown_proto$,$unmapped.strict_check$,$unmapped.tunnel_fragment$,$session.count$,$unmapped.sessions_closed$,$session.expiration_reason$,$unmapped.action_source$,$session.created_time$,$session.expiration_time$,$unmapped.tunnel_insp_rule$,$device.ip$,$user.uid$,$unmapped.rule_uuid$,$unmapped.pcap_id$,$unmapped.dynusergroup_name$,$unmapped.src_edl$,$unmapped.dst_edl$,$unmapped.high_res_timestamp$,$unmapped.nssai_sd$,$unmapped.nssai_sd$,$unmapped.pdu_session_id$,$unmapped.subcategory_of_app$,$unmapped.category_of_app$,$unmapped.technology_of_app$,$unmapped.risk_of_app$,$unmapped.characteristic_of_app$,$unmapped.container_of_app$,$unmapped.is_saas_of_app$,$unmapped.sanctioned_state_of_app$,$unmapped.cluster_name$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){6}([^,]*)(?:,[^,]*){0},([^,]*)(?:,[^,]*){57},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"dst_endpoint.ip\"\\, \"value\"\\: $2\\}, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"device.ip\"\\, \"value\"\\: $3\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "activity_name": "Open", + "activity_id": "1", + "category_name": "Network Activity", + "category_uid": "4", + "class_name": "Network Activity", + "class_uid": "4001", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "400101", + "type_name": "Network Activity: Open", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=sctp_log_type$,.*,.*,$start_time_dt$,$src_endpoint.ip$,$dst_endpoint.ip$,.*,.*,$firewall_rule.name$,.*,.*,.*,$unmapped.vsys$,$src_endpoint.zone$,$dst_endpoint.zone$,$src_endpoint.interface_name$,$dst_endpoint.interface_name$,$unmapped.logset$,.*,$actor.session.uid$,$unmapped.repeatcnt$,$src_endpoint.port$,$dst_endpoint.port$,.*,.*,.*,.*,$connection_info.protocol_name$,$action$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.name$,$unmapped.seqno$,.*,$unmapped.assoc_id$,$unmapped.ppid$,$unmapped.severity$,$unmappedsctp_chunk_type$,.*,$unmapped.verif_tag_1$,$unmapped.verif_tag_2$,$unmapped.sctp_cause_code$,$unmapped.diam_app_id$,$unmapped.diam_cmd_code$,$unmapped.diam_avp_code$,$unmapped.stream_id$,$unmapped.assoc_end_reason$,$unmapped.op_code$,$unmapped.sccp_calling_ssn$,$unmapped.sccp_calling_gt$,$unmapped.sctp_filter$,$unmapped.chunks$,$unmapped.chunks_sent$,$unmapped.chunks_received$,$traffic.packets$,$traffic.packets_out$,$traffic.packets_in$,$unmapped.rule_uuid$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){6}([^,]*)(?:,[^,]*){0},([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"src_endpoint.ip\"\\, \"value\"\\: $1\\}\\, \\{\"type_id\"\\: 2\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"dst_endpoint.ip\"\\, \"value\"\\: $2\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + { + attributes: { + "activity_name": "Create", + "activity_id": "1", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Detection Finding", + "class_uid": "2004", + "cloud.provider": "Palo Alto Networks", + "metadata.product.name": "Palo Alto Networks Firewall", + "metadata.product.vendor_name": "Palo Alto Networks", + "metadata.version":"1.1.0", + "type_uid": "200401", + "type_name": "Detection Finding: Create", + "severity_id": "99" + }, + format: "$metadata.original_time$,$metadata.product.uid$,$unmapped.type=system_log_type$,$unmapped.subtype$,.*,$start_time_dt$,$unmapped.vsys$,$metadata.event_code$,$unmapped.object$,.*,.*,$unmapped.module$,$unmapped.severity$,$unmapped.description$,$unmapped.seqno$,$unmapped.actionflags$,$unmapped.dg_hier_level_1$,$unmapped.dg_hier_level_2$,$unmapped.dg_hier_level_3$,$unmapped.dg_hier_level_4$,$unmapped.vsys_name$,$device.hostname$", + halt: true, + rewrites: [ + { + input: "message", + output: "observables", + match: "(?:[^,]*,){21}([^,]*).*", + replace: "\\[\\{\"type_id\"\\: 1\\, \"type\"\\: \"Hostname\"\\, \"name\"\\: \"device.hostname\"\\, \"value\"\\: $1\\}\\}\\]" + }, + { + input: "activity_name", + output: "event.type", + match: ".*", + replace: "$0" + } + ] + }, + ] +} diff --git a/parsers/pingone_mfa-latest b/parsers/pingone_mfa-latest new file mode 100644 index 0000000..87925d7 --- /dev/null +++ b/parsers/pingone_mfa-latest @@ -0,0 +1,289 @@ +{ + "attributes": { + "dataSource.vendor": "Ping Identity", + "dataSource.name": "PingOne MFA", + "dataSource.category": "security", + "metadata.product.vendor_name": "Ping Identity", + "metadata.product.name": "PingOne MFA", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.recordedAt", + "output": "recorded_at", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.user", + "output": "user.email_addr", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.source\\.ip", + "output": "src_endpoint.ip", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.action\\.type", + "output": "activity_name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.factor", + "output": "mfa_factors", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.result\\.status", + "output": "status_detail", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.description", + "output": "message", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.sessionId", + "output": "session.uid", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource", + "output": "metadata.product.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource\\.vendor", + "output": "metadata.product.vendor_name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource\\.name", + "output": "metadata.product.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource\\.category", + "output": "metadata.product.category", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "activity_name = *", + "transformations": [ + { + "constant": { + "value": 3002, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Authentication", + "field": "class_name" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "activity_name = 'MFA.AUTHENTICATE'" + } + }, + { + "constant": { + "value": "Logon", + "field": "activity_name", + "predicate": "activity_name = 'MFA.AUTHENTICATE'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + "predicate": "activity_name = 'MFA.ENROLL'" + } + }, + { + "constant": { + "value": "Other", + "field": "activity_name", + "predicate": "activity_name = 'MFA.ENROLL'" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "status_detail = 'SUCCESS'" + } + }, + { + "constant": { + "value": "Success", + "field": "status", + "predicate": "status_detail = 'SUCCESS'" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "status_detail = 'FAILURE'" + } + }, + { + "constant": { + "value": "Failure", + "field": "status", + "predicate": "status_detail = 'FAILURE'" + } + }, + { + "constant": { + "value": 1, + "field": "severity_id" + } + }, + { + "constant": { + "value": "Informational", + "field": "severity" + } + }, + { + "constant": { + "value": 300201, + "field": "type_uid" + } + }, + { + "copy": { + "from": "user.email_addr", + "to": "user.email_addr" + } + }, + { + "copy": { + "from": "user.email_addr", + "to": "user.name" + } + }, + { + "copy": { + "from": "src_endpoint.ip", + "to": "src_endpoint.ip" + } + }, + { + "copy": { + "from": "mfa_factors", + "to": "mfa_factors" + } + }, + { + "copy": { + "from": "session.uid", + "to": "session.uid" + } + }, + { + "copy": { + "from": "status_detail", + "to": "status_detail" + } + }, + { + "copy": { + "from": "recorded_at", + "to": "recorded_at" + } + }, + { + "copy": { + "from": "message", + "to": "message" + } + }, + { + "copy": { + "from": "metadata.product.name", + "to": "metadata.product.name" + } + }, + { + "copy": { + "from": "metadata.product.vendor_name", + "to": "metadata.product.vendor_name" + } + }, + { + "copy": { + "from": "metadata.product.category", + "to": "metadata.product.category" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "user.email_addr", + "type": "User" + }, + { + "name": "user.name", + "type": "User" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address" + }, + { + "name": "session.uid", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/pingprotect-latest b/parsers/pingprotect-latest new file mode 100644 index 0000000..75913c3 --- /dev/null +++ b/parsers/pingprotect-latest @@ -0,0 +1,309 @@ +{ + "attributes": { + "dataSource.vendor": "Ping Identity", + "dataSource.name": "PingProtect", + "dataSource.category": "security", + "metadata.product.vendor_name": "Ping Identity", + "metadata.product.name": "PingProtect", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.recordedAt", + "output": "recorded_at", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.actors\\.client\\.id", + "output": "actor.app.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.actors\\.user\\.id", + "output": "actor.user.uid", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.source\\.ip", + "output": "src_endpoint.ip", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.action\\.type", + "output": "activity_name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.action\\.description", + "output": "activity_desc", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.resources\\.application\\.id", + "output": "resource.uid", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.result\\.status", + "output": "status_detail", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.result\\.description", + "output": "message", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource", + "output": "metadata.product.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource\\.vendor", + "output": "metadata.product.vendor_name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource\\.name", + "output": "metadata.product.name", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dataSource\\.category", + "output": "metadata.product.category", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "activity_name = *", + "transformations": [ + { + "constant": { + "value": 3001, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Account Change", + "field": "class_name" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "constant": { + "value": 5, + "field": "activity_id", + "predicate": "activity_name = 'SECRET.READ'" + } + }, + { + "constant": { + "value": "Read", + "field": "activity_name", + "predicate": "activity_name = 'SECRET.READ'" + } + }, + { + "constant": { + "value": 3, + "field": "activity_id", + "predicate": "activity_name = 'ROLE_ASSIGNMENT.DELETED'" + } + }, + { + "constant": { + "value": "Delete", + "field": "activity_name", + "predicate": "activity_name = 'ROLE_ASSIGNMENT.DELETED'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + "predicate": "activity_name = 'MFA.CHALLENGE'" + } + }, + { + "constant": { + "value": "Other", + "field": "activity_name", + "predicate": "activity_name = 'MFA.CHALLENGE'" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "status_detail = 'SUCCESS'" + } + }, + { + "constant": { + "value": "Success", + "field": "status", + "predicate": "status_detail = 'SUCCESS'" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "status_detail = 'FAILURE'" + } + }, + { + "constant": { + "value": "Failure", + "field": "status", + "predicate": "status_detail = 'FAILURE'" + } + }, + { + "constant": { + "value": 1, + "field": "severity_id" + } + }, + { + "constant": { + "value": "Informational", + "field": "severity" + } + }, + { + "constant": { + "value": 300101, + "field": "type_uid" + } + }, + { + "copy": { + "from": "actor.user.uid", + "to": "actor.user.uid" + } + }, + { + "copy": { + "from": "actor.app.name", + "to": "actor.app.name" + } + }, + { + "copy": { + "from": "src_endpoint.ip", + "to": "src_endpoint.ip" + } + }, + { + "copy": { + "from": "resource.uid", + "to": "resource.uid" + } + }, + { + "copy": { + "from": "activity_desc", + "to": "activity_desc" + } + }, + { + "copy": { + "from": "status_detail", + "to": "status_detail" + } + }, + { + "copy": { + "from": "recorded_at", + "to": "recorded_at" + } + }, + { + "copy": { + "from": "message", + "to": "message" + } + }, + { + "copy": { + "from": "metadata.product.name", + "to": "metadata.product.name" + } + }, + { + "copy": { + "from": "metadata.product.vendor_name", + "to": "metadata.product.vendor_name" + } + }, + { + "copy": { + "from": "metadata.product.category", + "to": "metadata.product.category" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "actor.user.uid", + "type": "User" + }, + { + "name": "actor.app.name", + "type": "Other" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address" + }, + { + "name": "resource.uid", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/proofpoint_proofpoint_logs-latest b/parsers/proofpoint_proofpoint_logs-latest new file mode 100644 index 0000000..614244b --- /dev/null +++ b/parsers/proofpoint_proofpoint_logs-latest @@ -0,0 +1,85 @@ +{ + attributes: { + "dataSource.vendor": "Proofpoint", + "dataSource.category": "security" + }, + formats: [ + { + id: "format1", + format: "${parse=dottedjson}$" + rewrites: [ + {input: "messageTime", output: "timestamp", match: ".*", replace: "$0"}, + {input: "clickTime", output: "unmapped.clickTime", match: ".*", replace: "$0"}, + + {input: "threatsInfoMap", output: "unmapped.threatsInfoMap", match: ".*", replace: "$0"}, + {input: "messageParts", output: "unmapped.messageParts", match: ".*", replace: "$0"}, + {input: "quarantineFolder", output: "unmapped.quarantineFolder", match: ".*", replace: "$0"}, + {input: "impostorScore", output: "unmapped.impostorScore", match: ".*", replace: "$0"}, + {input: "phishScore", output: "unmapped.phishScore", match: ".*", replace: "$0"}, + {input: "policyRoutes", output: "unmapped.policyRoutes", match: ".*", replace: "$0"}, + + {input: "threatStatus", output: "unmapped.threatStatus", match: ".*", replace: "$0"}, + {input: "threatsInfoMap[0].threatStatus", output: "unmapped.threatStatus", match: ".*", replace: "$0"}, + + {input: "classification", output: "unmapped.classification", match: ".*", replace: "$0"}, + {input: "threatsInfoMap[0].classification", output: "unmapped.classification", match: ".*", replace: "$0"}, + + {input: "sender", output: "unmapped.sender", match: ".*", replace: "$0"}, + {input: "recipient", output: "unmapped.recipient", match: ".*", replace: "$0"}, + + {input: "sender", output: "email.from", match: ".*", replace: "$0"}, + {input: "fromAddress[0]", output: "email.from", match: ".*", replace: "$0"}, + {input: "fromAddress", output: "email.from", match: ".*", replace: "$0"}, + + {input: "recipient", output: "email.to", match: ".*", replace: "$0"}, + {input: "toAddresses[0]", output: "email.to", match: ".*", replace: "$0"}, + {input: "toAddresses", output: "email.to", match: ".*", replace: "$0"}, + + {input: "recipient", output: "actor.user.name", match: ".*", replace: "$0"}, + {input: "toAddresses[0]", output: "actor.user.name", match: ".*", replace: "$0"}, + {input: "toAddresses", output: "actor.user.name", match: ".*", replace: "$0"}, + + {input: "messageSize", output: "email.size", match: ".*", replace: "$0"}, + {input: "headerFrom", output: "email.smtp_from", match: ".*", replace: "$0"}, + + {input: "oext", output: "oext", match: ".*", replace: "$0"}, + {input: "mod", output: "mod", match: ".*", replace: "$0"} + ] + } + ], + mappings: { + version: 1, + mappings: [ + { + predicate: "clickTime = * OR clickIP = * OR threatURL = *", + transformations: [ + { constant: { field: "dataSource.name", value: "Proofpoint" } }, + { constant: { field: "event.type", value: "Click" } }, + { copy: { from: "fromAddress[0]", to: "email.from" } }, + { copy: { from: "toAddresses[0]", to: "email.to" } }, + { copy: { from: "toAddresses[0]", to: "actor.user.name" } }, + { copy: { from: "recipient", to: "actor.user.name" } } + ] + }, + { + predicate: "messageTime = * OR messageParts = * OR threatsInfoMap = *", + transformations: [ + { constant: { field: "dataSource.name", value: "Proofpoint" } }, + { constant: { field: "event.type", value: "Email" } }, + { copy: { from: "fromAddress[0]", to: "email.from" } }, + { copy: { from: "toAddresses[0]", to: "email.to" } }, + { copy: { from: "toAddresses[0]", to: "actor.user.name" } }, + { copy: { from: "recipient", to: "actor.user.name" } } + ] + }, + { + predicate: "true", + transformations: [ + { constant: { field: "dataSource.name", value: "Proofpoint" } }, + { constant: { field: "event.type", value: "Other" } }, + + ] + } + ] + } +} \ No newline at end of file diff --git a/parsers/sdl_skill_smoke_1776702106 b/parsers/sdl_skill_smoke_1776702106 new file mode 100644 index 0000000..a86e696 --- /dev/null +++ b/parsers/sdl_skill_smoke_1776702106 @@ -0,0 +1 @@ +{"keys": {"a": "1"}} \ No newline at end of file diff --git a/parsers/searches b/parsers/searches new file mode 100644 index 0000000..9195f4f --- /dev/null +++ b/parsers/searches @@ -0,0 +1,12 @@ +{ + searches: [ + { + title: "marc - Impossible traveller 2", + url: "/events/pq?_scopeId=2387775029058663326&_scopeLevel=site&_categoryId=eventSearch&startTime=4+hours&endTime=NOW&filter=%7C+sql+join+baseline+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%7C+columns+actor.user.email_addr%2C+device.ip%2C+geo_ip_state%28device.ip%29%0A%7C+group+login_freq_by_state%3Dcount%28%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2Cstate%3Dgeo_ip_state%28device.ip%29%0A%7C+columns+email_addr%2Cstate%2Clogin_freq_by_state%0A%2F%2Fthe+sort+below+is+necessary+because+it+ensure+that+the+order+of+rows+is+preserved+when+using+array_ag++%0A%7C+sort+%2Bemail_addr%2C-login_freq_by_state%0A%7C+group+baseline_login_freq_by_state%3Dmax%28login_freq_by_state%29%2C+states%3Darray_agg%28state%29+by+email_addr%0A%7C+columns+email_addr%2Cstate%3Darray_get%28states%2C0%29%2Cbaseline_login_freq_by_state%0A%29%2C%0Alogons+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%2F%2F%7C+columns+actor.user.email_addr%2C+unmapped.UserId%2C+event.type%2C+device.ip%2C+geo_ip_state%28device.ip%29%0A%7C+group+deviation_login_count%3Dcount%28event.type%29%2Cdeviation_ip_addresses%3Darray_agg_distinct%28device.ip%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2C+deviation_country%3Dgeo_ip_country%28device.ip%29%2C+state%3Dgeo_ip_state%28device.ip%29%0A%29+on+baseline.email_addr%3D%3Dlogons.email_addr%0A%7Cfilter+baseline.state%21%3Dlogons.state%0A%7C+columns+email_addr%2Cbaseline.state%2C+baseline_login_freq_by_state%2Cdeviation_login_source%3Dformat%28%22%25s+%28%25s%29%22%2Clogons.state%2Cdeviation_country%29%2Cdeviation_login_count%2C+deviation_ip_addresses" + }, + { + title: "marc - Impossible traveller IP tets", + url: "/events/pq?_scopeId=2387775029058663326&_scopeLevel=site&_categoryId=eventSearch&startTime=72+hours&endTime=NOW&filter=%7C+sql+join+baseline+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%7C+columns+actor.user.email_addr%2C+device.ip%0A%7C+group+login_freq_by_ip%3Dcount%28%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2Cdevice.ip%0A%7C+columns+email_addr%2Cdevice.ip%2Clogin_freq_by_ip%0A%2F%2Fthe+sort+below+is+necessary+because+it+ensure+that+the+order+of+rows+is+preserved+when+using+array_ag++%0A%7C+sort+%2Bemail_addr%2C-login_freq_by_ip%0A%7C+group+baseline_login_freq_by_ip%3Dmax%28login_freq_by_ip%29%2C+ips%3Darray_agg%28device.ip%29+by+email_addr%0A%7C+columns+email_addr%2Cip%3Darray_get%28ips%2C0%29%2Cbaseline_login_freq_by_ip%0A%29%2C%0Alogons+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%2F%2F%7C+columns+actor.user.email_addr%2C+unmapped.UserId%2C+event.type%2C+device.ip%0A%7C+group+deviation_login_count%3Dcount%28event.type%29%2Cdeviation_ip_addresses%3Darray_agg_distinct%28device.ip%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2C+deviation_ip%3Ddevice.ip%29+on+baseline.email_addr%3D%3Dlogons.email_addr%0A" + } + ] +} \ No newline at end of file diff --git a/parsers/sentinelone_endpoint-latest b/parsers/sentinelone_endpoint-latest new file mode 100644 index 0000000..3a7cd18 --- /dev/null +++ b/parsers/sentinelone_endpoint-latest @@ -0,0 +1,466 @@ +{ + "attributes": { + "dataSource.vendor": "SentinelOne", + "dataSource.name": "SentinelOne", + "dataSource.category": "security", + "metadata.product.vendor_name": "SentinelOne", + "metadata.product.name": "EDR", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.event\\.time", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "constant": { + "value": 1001, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Process Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": 1, + "field": "category_uid" + } + }, + { + "constant": { + "value": "System Activity", + "field": "category_name" + } + }, + { + "copy": { + "from": "unmapped.event\\.time", + "to": "time" + } + }, + { + "replace": { + "field": "time", + "regexp": "(\\d+)\\d{3}", + "replacement": "$1" + } + }, + { + "copy": { + "from": "unmapped.event\\.id", + "to": "metadata.uid" + } + }, + { + "copy": { + "from": "unmapped.event\\.type", + "to": "message" + } + }, + { + "copy": { + "from": "unmapped.event\\.category", + "to": "category_name" + } + }, + { + "copy": { + "from": "unmapped.meta\\.event\\.name", + "to": "activity_name" + } + }, + { + "copy": { + "from": "unmapped.endpoint\\.name", + "to": "device.hostname" + } + }, + { + "copy": { + "from": "unmapped.endpoint\\.os", + "to": "device.os.name" + } + }, + { + "copy": { + "from": "unmapped.endpoint\\.type", + "to": "device.type" + } + }, + { + "copy": { + "from": "unmapped.agent\\.uuid", + "to": "device.uid" + } + }, + { + "copy": { + "from": "unmapped.agent\\.version", + "to": "device.agent_list[0].version" + } + }, + { + "copy": { + "from": "unmapped.site\\.id", + "to": "device.location.uid" + } + }, + { + "copy": { + "from": "unmapped.site\\.name", + "to": "device.location.desc" + } + }, + { + "copy": { + "from": "unmapped.account\\.id", + "to": "device.org.uid" + } + }, + { + "copy": { + "from": "unmapped.account\\.name", + "to": "device.org.name" + } + }, + { + "copy": { + "from": "unmapped.os\\.name", + "to": "device.os.name" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.name", + "to": "process.name" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.pid", + "to": "process.pid" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.uid", + "to": "process.uid" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.user", + "to": "process.user.name" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.cmdline", + "to": "process.cmd_line" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.displayName", + "to": "process.name" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.image\\.path", + "to": "process.file.path" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.image\\.sha1", + "to": "process.file.hashes[0].value" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.image\\.sha256", + "to": "process.file.hashes[1].value" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.image\\.size", + "to": "process.file.size" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.parent\\.name", + "to": "process.parent_process.name" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.parent\\.pid", + "to": "process.parent_process.pid" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.parent\\.uid", + "to": "process.parent_process.uid" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.parent\\.cmdline", + "to": "process.parent_process.cmd_line" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.parent\\.image\\.path", + "to": "process.parent_process.file.path" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.parent\\.image\\.sha1", + "to": "process.parent_process.file.hashes[0].value" + } + }, + { + "copy": { + "from": "unmapped.src\\.process\\.parent\\.image\\.sha256", + "to": "process.parent_process.file.hashes[1].value" + } + }, + { + "copy": { + "from": "unmapped.tgt\\.process\\.uid", + "to": "actor.process.uid" + } + }, + { + "copy": { + "from": "unmapped.tgt\\.process\\.cmdline", + "to": "actor.process.cmd_line" + } + }, + { + "copy": { + "from": "unmapped.tgt\\.process\\.user", + "to": "actor.user.name" + } + }, + { + "copy": { + "from": "unmapped.tgt\\.file\\.path", + "to": "file.path" + } + }, + { + "copy": { + "from": "unmapped.tgt\\.file\\.size", + "to": "file.size" + } + }, + { + "copy": { + "from": "unmapped.src\\.ip\\.address", + "to": "src_endpoint.ip" + } + }, + { + "copy": { + "from": "unmapped.src\\.port\\.number", + "to": "src_endpoint.port" + } + }, + { + "copy": { + "from": "unmapped.dst\\.ip\\.address", + "to": "dst_endpoint.ip" + } + }, + { + "copy": { + "from": "unmapped.dst\\.port\\.number", + "to": "dst_endpoint.port" + } + }, + { + "copy": { + "from": "unmapped.event\\.network\\.direction", + "to": "connection_info.direction" + } + }, + { + "copy": { + "from": "unmapped.event\\.network\\.connectionStatus", + "to": "connection_info.status" + } + }, + { + "copy": { + "from": "unmapped.event\\.network\\.protocolName", + "to": "connection_info.protocol_name" + } + }, + { + "copy": { + "from": "unmapped.indicator\\.category", + "to": "finding.title" + } + }, + { + "copy": { + "from": "unmapped.indicator\\.name", + "to": "finding.desc" + } + }, + { + "copy": { + "from": "unmapped.indicator\\.description", + "to": "finding.message" + } + }, + { + "copy": { + "from": "unmapped.registry\\.keyPath", + "to": "registry.key" + } + }, + { + "copy": { + "from": "unmapped.registry\\.value", + "to": "registry.value" + } + }, + { + "copy": { + "from": "unmapped.cmdScript\\.content", + "to": "process.cmd_line" + } + }, + { + "copy": { + "from": "unmapped.threadId", + "to": "process.tid" + } + }, + { + "copy": { + "from": "unmapped.session", + "to": "process.session.uid" + } + }, + { + "constant": { + "value": "SHA1", + "field": "process.file.hashes[0].type_id", + "predicate": "unmapped.src\\.process\\.image\\.sha1 != \"\"" + } + }, + { + "constant": { + "value": "SHA256", + "field": "process.file.hashes[1].type_id", + "predicate": "unmapped.src\\.process\\.image\\.sha256 != \"\"" + } + }, + { + "constant": { + "value": "SHA1", + "field": "process.parent_process.file.hashes[0].type_id", + "predicate": "unmapped.src\\.process\\.parent\\.image\\.sha1 != \"\"" + } + }, + { + "constant": { + "value": "SHA256", + "field": "process.parent_process.file.hashes[1].type_id", + "predicate": "unmapped.src\\.process\\.parent\\.image\\.sha256 != \"\"" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id" + } + }, + { + "constant": { + "value": 1, + "field": "severity_id" + } + }, + { + "constant": { + "value": 1, + "field": "status_id" + } + } + ] + } + ] + }, + "observables": { + "fields": [ + { + "name": "device.hostname", + "type": "Hostname" + }, + { + "name": "process.name", + "type": "Process Name" + }, + { + "name": "process.user.name", + "type": "User" + }, + { + "name": "process.file.path", + "type": "File Name" + }, + { + "name": "process.file.hashes[0].value", + "type": "File Hash" + }, + { + "name": "process.file.hashes[1].value", + "type": "File Hash" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address" + }, + { + "name": "dst_endpoint.ip", + "type": "IP Address" + }, + { + "name": "file.path", + "type": "File Name" + }, + { + "name": "registry.key", + "type": "Other" + } + ] + } +} \ No newline at end of file diff --git a/parsers/sophos b/parsers/sophos new file mode 100644 index 0000000..1763eee --- /dev/null +++ b/parsers/sophos @@ -0,0 +1,447 @@ +{ + attributes: { + "metadata.version": "2.0.0", + "dataSource.vendor": "Sophos", + "dataSource.name": "Sophos Firewall", + "dataSource.category": "security", + "metadata.product.vendor_name": "Sophos", + "metadata.product.name": "Sophos Firewall", + "metadata.log_provider": "syslog", + "severity_id": 1, + "severity": "Informational" + }, + + patterns: { + tsval: "[^\"]+", + qval: "[^\"]+", + nqval: "[^ ]+", + ip: "\\d+\\.\\d+\\.\\d+\\.\\d+", + mac: "[0-9A-Fa-f:]+", + num: "\\d+", + rest: ".*" + }, + + formats: [ + // FIREWALL ALLOWED - match log_type="Firewall" and log_subtype="Allowed" + { + id: "fw_allow", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106, + disposition_id: 1, disposition: "Allowed" + }, + format: ".*log_type=\"Firewall\".*log_subtype=\"Allowed\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*protocol=\"$protocol=qval$\".*", + rewrites: [ + { input: "message", output: "src_port", match: ".*src_port=$v=num$.*" }, + { input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" }, + { input: "message", output: "fw_rule", match: ".*fw_rule_name=\"$v=qval$\".*" }, + { input: "message", output: "src_zone", match: ".*src_zone=\"$v=qval$\".*" }, + { input: "message", output: "dst_zone", match: ".*dst_zone=\"$v=qval$\".*" }, + { input: "message", output: "src_mac", match: ".*src_mac=\"$v=mac$\".*" }, + { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" } + ], + halt: true + }, + + // FIREWALL DENIED + { + id: "fw_deny", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 6, activity_name: "Traffic", + type_uid: 400106, + disposition_id: 2, disposition: "Blocked", + severity_id: 3, severity: "Medium" + }, + format: ".*log_type=\"Firewall\".*log_subtype=\"Denied\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*protocol=\"$protocol=qval$\".*", + rewrites: [ + { input: "message", output: "src_port", match: ".*src_port=$v=num$.*" }, + { input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" }, + { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" } + ], + halt: true + }, + + // IPS DETECT + { + id: "ips_detect", + attributes: { + class_uid: 4002, class_name: "Detection Finding", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Create", + type_uid: 400201, + severity_id: 3, severity: "Medium" + }, + format: ".*log_type=\"IDP\".*log_subtype=\"Detect\".*", + rewrites: [ + { input: "message", output: "sig_id", match: ".*signature_id=$v=num$.*" }, + { input: "message", output: "sig_msg", match: ".*signature_msg=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=$v=ip$.*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=$v=ip$.*" }, + { input: "message", output: "src_port", match: ".*src_port=$v=num$.*" }, + { input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" }, + { input: "message", output: "protocol", match: ".*protocol=\"$v=qval$\".*" }, + { input: "message", output: "classification", match: ".*classification=\"$v=qval$\".*" }, + { input: "message", output: "category", match: ".*category=\"$v=qval$\".*" }, + { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" } + ], + halt: true + }, + + // IPS DROP + { + id: "ips_drop", + attributes: { + class_uid: 4002, class_name: "Detection Finding", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Create", + type_uid: 400201, + disposition_id: 2, disposition: "Blocked", + severity_id: 4, severity: "High" + }, + format: ".*log_type=\"IDP\".*log_subtype=\"Drop\".*", + rewrites: [ + { input: "message", output: "sig_id", match: ".*signature_id=$v=num$.*" }, + { input: "message", output: "sig_msg", match: ".*signature_msg=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=$v=ip$.*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=$v=ip$.*" }, + { input: "message", output: "src_port", match: ".*src_port=$v=num$.*" }, + { input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" }, + { input: "message", output: "protocol", match: ".*protocol=\"$v=qval$\".*" }, + { input: "message", output: "classification", match: ".*classification=\"$v=qval$\".*" }, + { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" } + ], + halt: true + }, + + // ATP THREAT + { + id: "atp", + attributes: { + class_uid: 4002, class_name: "Detection Finding", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Create", + type_uid: 400201, + severity_id: 4, severity: "High" + }, + format: ".*log_type=\"ATP\".*", + rewrites: [ + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" }, + { input: "message", output: "malware", match: ".*malware=\"$v=qval$\".*" }, + { input: "message", output: "threatfeed", match: ".*threatfeed=\"$v=qval$\".*" }, + { input: "message", output: "protocol", match: ".*protocol=\"$v=qval$\".*" }, + { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" } + ], + halt: true + }, + + // AUTH SUCCESS + { + id: "auth_ok", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon", + type_uid: 300201, + status_id: 1, status: "Success" + }, + format: ".*log_subtype=\"Authentication\".*status=\"Successful\".*", + rewrites: [ + { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "auth_comp", match: ".*log_component=\"$v=qval$\".*" }, + { input: "message", output: "user_grp", match: ".*user_group=\"$v=qval$\".*" }, + { input: "message", output: "auth_mech", match: ".*auth_mechanism=\"$v=qval$\".*" }, + { input: "message", output: "client", match: ".*client_used=\"$v=qval$\".*" } + ], + halt: true + }, + + // AUTH FAILURE + { + id: "auth_fail", + attributes: { + class_uid: 3002, class_name: "Authentication", + category_uid: 3, category_name: "Identity & Access Management", + activity_id: 1, activity_name: "Logon", + type_uid: 300201, + status_id: 2, status: "Failure", + severity_id: 3, severity: "Medium" + }, + format: ".*log_subtype=\"Authentication\".*status=\"Failed\".*", + rewrites: [ + { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "auth_comp", match: ".*log_component=\"$v=qval$\".*" }, + { input: "message", output: "reason", match: ".*reason=\"$v=qval$\".*" }, + { input: "message", output: "auth_mech", match: ".*auth_mechanism=\"$v=qval$\".*" } + ], + halt: true + }, + + // IPSEC ESTABLISHED + { + id: "ipsec_up", + attributes: { + class_uid: 4014, class_name: "Tunnel Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Open", + type_uid: 401401, + status_id: 1, status: "Success" + }, + format: ".*log_component=\"IPSec\".*status=\"Established\".*", + rewrites: [ + { input: "message", output: "con_name", match: ".*con_name=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" }, + { input: "message", output: "local_net", match: ".*local_network=\"$v=qval$\".*" }, + { input: "message", output: "remote_net", match: ".*remote_network=\"$v=qval$\".*" } + ], + halt: true + }, + + // IPSEC TERMINATED + { + id: "ipsec_down", + attributes: { + class_uid: 4014, class_name: "Tunnel Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 2, activity_name: "Close", + type_uid: 401402 + }, + format: ".*log_component=\"IPSec\".*status=\"Terminated\".*", + rewrites: [ + { input: "message", output: "con_name", match: ".*con_name=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" }, + { input: "message", output: "local_net", match: ".*local_network=\"$v=qval$\".*" }, + { input: "message", output: "remote_net", match: ".*remote_network=\"$v=qval$\".*" } + ], + halt: true + }, + + // DHCP + { + id: "dhcp", + attributes: { + class_uid: 4004, class_name: "DHCP Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Lease", + type_uid: 400401 + }, + format: ".*log_component=\"DHCP Server\".*", + rewrites: [ + { input: "message", output: "client_ip", match: ".*reported_ip=\"$v=ip$\".*" }, + { input: "message", output: "client_mac", match: ".*src_mac=\"$v=mac$\".*" }, + { input: "message", output: "hostname", match: ".*reported_host=\"$v=qval$\".*" }, + { input: "message", output: "lease_time", match: ".*lease_time=$v=num$.*" }, + { input: "message", output: "dhcp_status", match: ".*status=\"$v=qval$\".*" } + ], + halt: true + }, + + // ANTIVIRUS - full format with all fields + { + id: "av_full", + attributes: { + class_uid: 4002, class_name: "Detection Finding", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Create", + type_uid: 400201, + severity_id: 4, severity: "High" + }, + format: ".*log_type=\"Anti-Virus\".*virus=\"$malware=qval$\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*filename=\"$filename=qval$\".*url=\"$url=qval$\".*user=\"$user=qval$\".*", + halt: true + }, + // ANTIVIRUS - minimal (virus, src, dst only) + { + id: "av_min", + attributes: { + class_uid: 4002, class_name: "Detection Finding", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Create", + type_uid: 400201, + severity_id: 4, severity: "High" + }, + format: ".*log_type=\"Anti-Virus\".*virus=\"$malware=qval$\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*", + halt: true + }, + + // WEB FILTER ALLOWED + { + id: "web_allow", + attributes: { + class_uid: 4007, class_name: "Web Resources Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Access", + type_uid: 400701, + disposition_id: 1, disposition: "Allowed" + }, + format: ".*log_type=\"Content Filtering\".*log_subtype=\"Allowed\".*", + rewrites: [ + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" }, + { input: "message", output: "url", match: ".*url=\"$v=qval$\".*" }, + { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" }, + { input: "message", output: "category", match: ".*category=\"$v=qval$\".*" } + ], + halt: true + }, + + // WEB FILTER DENIED + { + id: "web_deny", + attributes: { + class_uid: 4007, class_name: "Web Resources Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Access", + type_uid: 400701, + disposition_id: 2, disposition: "Blocked", + severity_id: 2, severity: "Low" + }, + format: ".*log_type=\"Content Filtering\".*log_subtype=\"Denied\".*", + rewrites: [ + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" }, + { input: "message", output: "url", match: ".*url=\"$v=qval$\".*" }, + { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" }, + { input: "message", output: "category", match: ".*category=\"$v=qval$\".*" }, + { input: "message", output: "reason", match: ".*reason=\"$v=qval$\".*" } + ], + halt: true + }, + + // SSL VPN CONNECT + { + id: "sslvpn_up", + attributes: { + class_uid: 4014, class_name: "Tunnel Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Open", + type_uid: 401401 + }, + format: ".*log_component=\"SSL VPN\".*status=\"Connected\".*", + rewrites: [ + { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "tunnel_ip", match: ".*tunnel_ip=\"$v=ip$\".*" } + ], + halt: true + }, + + // SSL VPN DISCONNECT + { + id: "sslvpn_down", + attributes: { + class_uid: 4014, class_name: "Tunnel Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 2, activity_name: "Close", + type_uid: 401402 + }, + format: ".*log_component=\"SSL VPN\".*status=\"Disconnected\".*", + rewrites: [ + { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "bytes_sent", match: ".*bytes_sent=$v=num$.*" }, + { input: "message", output: "bytes_recv", match: ".*bytes_received=$v=num$.*" } + ], + halt: true + }, + + // WAF + { + id: "waf", + attributes: { + class_uid: 4007, class_name: "Web Resources Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 1, activity_name: "Access", + type_uid: 400701, + severity_id: 3, severity: "Medium" + }, + format: ".*log_type=\"WAF\".*", + rewrites: [ + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" }, + { input: "message", output: "url", match: ".*url=\"$v=qval$\".*" }, + { input: "message", output: "reason", match: ".*reason=\"$v=qval$\".*" } + ], + halt: true + }, + + // FALLBACK - extract common fields from any Sophos log + { + id: "fallback", + attributes: { + class_uid: 4001, class_name: "Network Activity", + category_uid: 4, category_name: "Network Activity", + activity_id: 0, activity_name: "Unknown", + type_uid: 400100 + }, + format: "$body=rest$", + rewrites: [ + { input: "message", output: "log_type", match: ".*log_type=\"$v=qval$\".*" }, + { input: "message", output: "log_comp", match: ".*log_component=\"$v=qval$\".*" }, + { input: "message", output: "subtype", match: ".*log_subtype=\"$v=qval$\".*" }, + { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" }, + { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" }, + { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" }, + { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" } + ] + } + ], + + mappings: { + version: 1, + mappings: [ + { + transformations: [ + { rename: { from: "src_ip", to: "src_endpoint.ip" } }, + { rename: { from: "dst_ip", to: "dst_endpoint.ip" } }, + { rename: { from: "src_port", to: "src_endpoint.port" } }, + { rename: { from: "dst_port", to: "dst_endpoint.port" } }, + { rename: { from: "src_mac", to: "src_endpoint.mac" } }, + { rename: { from: "protocol", to: "connection_info.protocol_name" } }, + { rename: { from: "bytes_sent", to: "traffic.bytes_out" } }, + { rename: { from: "bytes_recv", to: "traffic.bytes_in" } }, + { rename: { from: "user", to: "actor.user.name" } }, + { rename: { from: "user_grp", to: "actor.user.groups" } }, + { rename: { from: "auth_mech", to: "auth_protocol" } }, + { rename: { from: "fw_rule", to: "unmapped.fw_rule_name" } }, + { rename: { from: "src_zone", to: "src_endpoint.zone" } }, + { rename: { from: "dst_zone", to: "dst_endpoint.zone" } }, + { rename: { from: "in_iface", to: "src_endpoint.interface_name" } }, + { rename: { from: "out_iface", to: "dst_endpoint.interface_name" } }, + { rename: { from: "sig_id", to: "finding_info.uid" } }, + { rename: { from: "sig_msg", to: "finding_info.title" } }, + { rename: { from: "classification", to: "finding_info.types" } }, + { rename: { from: "category", to: "unmapped.category" } }, + { rename: { from: "malware", to: "malware.name" } }, + { rename: { from: "threatfeed", to: "unmapped.threatfeed" } }, + { rename: { from: "url", to: "http_request.url.original" } }, + { rename: { from: "filename", to: "file.name" } }, + { rename: { from: "con_name", to: "unmapped.connection_name" } }, + { rename: { from: "local_net", to: "unmapped.local_network" } }, + { rename: { from: "remote_net", to: "unmapped.remote_network" } }, + { rename: { from: "client_ip", to: "dst_endpoint.ip" } }, + { rename: { from: "client_mac", to: "dst_endpoint.mac" } }, + { rename: { from: "hostname", to: "dst_endpoint.hostname" } }, + { rename: { from: "tunnel_ip", to: "unmapped.tunnel_ip" } }, + { rename: { from: "auth_comp", to: "unmapped.auth_component" } }, + { rename: { from: "log_type", to: "unmapped.log_type" } }, + { rename: { from: "log_comp", to: "unmapped.log_component" } }, + { rename: { from: "subtype", to: "unmapped.log_subtype" } }, + { rename: { from: "reason", to: "unmapped.reason" } }, + { rename: { from: "client", to: "unmapped.client_used" } }, + { rename: { from: "dhcp_status", to: "unmapped.dhcp_status" } }, + { rename: { from: "lease_time", to: "unmapped.lease_time" } }, + { rename: { from: "dev", to: "device.name" } }, + { rename: { from: "body", to: "unmapped.raw_body" } } + ] + } + ] + } +} diff --git a/parsers/sophos-edr b/parsers/sophos-edr new file mode 100644 index 0000000..4c7f45a --- /dev/null +++ b/parsers/sophos-edr @@ -0,0 +1,33 @@ +{ + attributes: { + "metadata.version": "1.0.0", + "dataSource.vendor": "Sophos", + "dataSource.name": "Sophos EDR", + "dataSource.category": "security", + "Category": "security", + "metadata.product.vendor_name": "Sophos", + "metadata.product.name": "Endpoint Detection and Response", + "metadata.log_provider": "api", + "class_uid": 2001, + "class_name": "Security Finding", + "severity_id": 2, + "severity": "Low" + }, + + formats: [ + { + format: ".*\\{.*\\}.*", + rewrites: [ + { input: "message", output: "sophos.name", match: ".*\"name\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "sophos.type", match: ".*\"type\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "sophos.severity", match: ".*\"severity\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "sophos.group", match: ".*\"group\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "sophos.dhost", match: ".*\"dhost\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "sophos.suser", match: ".*\"suser\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "sophos.endpoint_id", match: ".*\"endpoint_id\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "sophos.customer_id", match: ".*\"customer_id\":\\s*\"([^\"]+)\".*", replace: "$1" }, + { input: "message", output: "src_endpoint.ip", match: ".*\"ip\":\\s*\"([^\"]+)\".*", replace: "$1" } + ] + } + ] +} diff --git a/parsers/stormshield b/parsers/stormshield new file mode 100644 index 0000000..fbb2fdb --- /dev/null +++ b/parsers/stormshield @@ -0,0 +1,58 @@ +{ + // specify a time zone if the timestamps in your log are not in GMT + timezone: "Europe/Paris", + attributes: { + "dataSource.category": "security", + "dataSource.name": "Stormshield", + "dataSource.vendor": "Stormshield", + "class_name": "Network Activity", + "class_id": 4001 + }, + patterns: { + tsPattern: "\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}" + }, + formats: [ + { + format: ".*time=\"$timestamp=tsPattern$\"" + }, + { + format: ".*$_$=$unmapped._$ ", + repeat: true + }, + { + format: "^.*", + rewrites: [ + { + "input": "unmapped.src", + "output": "src_endpoint.ip", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.srcport", + "output": "src_endpoint.port", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dst", + "output": "dst_endpoint.ip", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.dstport", + "output": "dst_endpoint.port", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.user", + "output": "actor.user.name", + "match": ".*", + "replace": "$0" + }, + ] + } + ] +} \ No newline at end of file diff --git a/parsers/ueba-healthcare b/parsers/ueba-healthcare new file mode 100644 index 0000000..8a92116 --- /dev/null +++ b/parsers/ueba-healthcare @@ -0,0 +1,204 @@ +{ + "duration": "24h", + "description": "Healthcare UEBA \u2014 auth, TI/Konnektor, data-transfer, SMC-B/HBA card ops. Powered by ueba/01..12 feature extractors.", + "graphs": [ + { + "title": "Auth events (24h)", + "graphStyle": "number", + "query": "| filter( class_uid == 3002 )\n| group n = count()", + "layout": { + "w": 15, + "h": 6, + "x": 0, + "y": 0 + } + }, + { + "title": "Auth failures (24h)", + "graphStyle": "number", + "query": "| filter( class_uid == 3002 )\n| parse '\"outcome\": \"$outcome{regex=[^\"]+}$\"' from message\n| group n = count( outcome == \"failure\" )", + "layout": { + "w": 15, + "h": 6, + "x": 15, + "y": 0 + } + }, + { + "title": "Konnektor disconnects (24h)", + "graphStyle": "number", + "query": "| filter( class_uid == 4001 )\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group n = count( event_type == \"KONNEKTOR_DISCONNECTED\" )", + "layout": { + "w": 15, + "h": 6, + "x": 30, + "y": 0 + } + }, + { + "title": "Certs expired/expiring (24h)", + "graphStyle": "number", + "query": "| filter( class_uid == 4001 )\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group n = count( event_type == \"CERTIFICATE_EXPIRED\" or event_type == \"CERTIFICATE_EXPIRING\" )", + "layout": { + "w": 15, + "h": 6, + "x": 45, + "y": 0 + } + }, + { + "title": "Auth success vs failure (hourly)", + "graphStyle": "line", + "query": "| filter( class_uid == 3002 )\n| parse '\"outcome\": \"$outcome{regex=[^\"]+}$\"' from message\n| group\n success = count( outcome == \"success\" ),\n failure = count( outcome == \"failure\" )\n by hour = timebucket('1 hour')\n| sort hour", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 6 + } + }, + { + "title": "Konnektor health (hourly)", + "graphStyle": "line", + "query": "| filter( class_uid == 4001 )\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n connected = count( event_type == \"KONNEKTOR_CONNECTED\" ),\n disconnected = count( event_type == \"KONNEKTOR_DISCONNECTED\" ),\n vpn_failed = count( event_type == \"VPN_TUNNEL_FAILED\" )\n by hour = timebucket('1 hour')\n| sort hour", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 6 + } + }, + { + "title": "Top users by auth failures", + "graphStyle": "table", + "query": "| filter( class_uid == 3002 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"outcome\": \"$outcome{regex=[^\"]+}$\"' from message\n| group fails = count( outcome == \"failure\" ) by user\n| filter user = *\n| sort - fails\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 20 + } + }, + { + "title": "Top users by password reset / lockout", + "graphStyle": "table", + "query": "| filter( class_uid == 3002 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n pwd_reset = count( event_type == \"PASSWORD_RESET_REQUEST\" ),\n locked = count( event_type == \"ACCOUNT_LOCKED\" )\n by user\n| filter user = *\n| sort - locked\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 20 + } + }, + { + "title": "Top Konnektor hosts by VPN failures", + "graphStyle": "table", + "query": "| filter( class_uid == 4001 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group vpn_failed = count( event_type == \"VPN_TUNNEL_FAILED\" ) by host\n| filter host = *\n| sort - vpn_failed\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 34 + } + }, + { + "title": "Cert lifecycle by host", + "graphStyle": "table", + "query": "| filter( class_uid == 4001 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n expired = count( event_type == \"CERTIFICATE_EXPIRED\" ),\n expiring = count( event_type == \"CERTIFICATE_EXPIRING\" ),\n valid = count( event_type == \"CERTIFICATE_VALID\" )\n by host\n| filter host = *\n| sort - expired, - expiring\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 34 + } + }, + { + "title": "HL7 / FHIR / Exports by user", + "graphStyle": "table", + "query": "| filter( class_uid == 4001 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n hl7_recv = count( event_type == \"HL7_MESSAGE_RECEIVED\" ),\n hl7_sent = count( event_type == \"HL7_MESSAGE_SENT\" ),\n fhir = count( event_type == \"FHIR_API_REQUEST\" ),\n exports = count( event_type == \"DATA_EXPORT_COMPLETED\" )\n by user\n| filter user = *\n| sort - exports, - hl7_recv\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 48 + } + }, + { + "title": "Total records exported by user (24h)", + "graphStyle": "table", + "query": "| filter( class_uid == 4001 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"record_count\": $record_count{regex=[0-9]+}$' from message\n| group total_records = sum( record_count ) by user\n| filter user = *\n| sort - total_records\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 48 + } + }, + { + "title": "External destinations by user", + "graphStyle": "table", + "query": "| filter( class_uid == 4001 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"destination\": \"$dest{regex=[^\"]+}$\"' from message\n| group external = count( dest == \"External Specialist\" ) by user, dest\n| filter user = *\n| filter dest = *\n| sort - external\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 62 + } + }, + { + "title": "Auth failures by role (24h)", + "graphStyle": "table", + "query": "| filter( class_uid == 3002 )\n| parse '\"role\": \"$role{regex=[^\"]+}$\"' from message\n| parse '\"outcome\": \"$outcome{regex=[^\"]+}$\"' from message\n| group fails = count( outcome == \"failure\" ) by role\n| filter role = *\n| sort - fails", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 62 + } + }, + { + "title": "SMC-B PIN events per Konnektor host", + "graphStyle": "table", + "query": "| filter( class_uid == 3002 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n pin_verified = count( event_type == \"CARD_PIN_VERIFIED\" ),\n pin_failed = count( event_type == \"CARD_PIN_FAILED\" ),\n pin_blocked = count( event_type == \"CARD_PIN_BLOCKED\" )\n by host\n| filter host = *\n| sort - pin_failed, - pin_blocked\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 76 + } + }, + { + "title": "QES signatures + decryptions per host", + "graphStyle": "table", + "query": "| filter( class_uid == 3002 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n signatures = count( event_type == \"CARD_SIGNATURE_CREATED\" ),\n decryptions = count( event_type == \"CARD_DECRYPTION_SUCCESS\" ),\n auth_success = count( event_type == \"CARD_AUTHENTICATION_SUCCESS\" ),\n auth_failed = count( event_type == \"CARD_AUTHENTICATION_FAILED\" )\n by host\n| filter host = *\n| sort - signatures\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 76 + } + }, + { + "title": "Account lockouts by hospital", + "graphStyle": "table", + "query": "| filter( class_uid == 3002 )\n| parse '\"hospital_id\": \"$hospital{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n locked = count( event_type == \"ACCOUNT_LOCKED\" ),\n unlocked = count( event_type == \"ACCOUNT_UNLOCKED\" ),\n pwd_reset = count( event_type == \"PASSWORD_RESET_REQUEST\" )\n by hospital\n| filter hospital = *\n| sort - locked", + "layout": { + "w": 30, + "h": 14, + "x": 0, + "y": 90 + } + }, + { + "title": "High/Critical severity events per host", + "graphStyle": "table", + "query": "| filter( class_uid == 3002 or class_uid == 4001 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"severity\": \"$severity{regex=[^\"]+}$\"' from message\n| group high_sev = count( severity == \"HIGH\" or severity == \"CRITICAL\" ) by host\n| filter host = *\n| sort - high_sev\n| limit 20", + "layout": { + "w": 30, + "h": 14, + "x": 30, + "y": 90 + } + } + ] +} \ No newline at end of file diff --git a/parsers/ueba_alerts b/parsers/ueba_alerts new file mode 100644 index 0000000..1bb33fb --- /dev/null +++ b/parsers/ueba_alerts @@ -0,0 +1 @@ +{"columnNames": ["alert_id", "created_at", "entity_type", "entity_id", "family", "severity", "score", "explanation", "status"], "rows": [["risk-1778716800000000000-host-omniconnect-fra-01.local", 1778791804244494080, "host", "omniconnect-fra-01.local", "risk", "high", 82.61, "daily_risk=82.61 (>70)", "new"], ["risk-1778630400000000000-host-omniconnect-mun-01.local", 1778791804244494080, "host", "omniconnect-mun-01.local", "risk", "high", 83.27, "daily_risk=83.27 (>70)", "new"], ["risk-1778716800000000000-host-omniconnect-mun-01.local", 1778791804244494080, "host", "omniconnect-mun-01.local", "risk", "high", 88.22, "daily_risk=88.22 (>70)", "new"]]} \ No newline at end of file diff --git a/parsers/ueba_baselines_entity b/parsers/ueba_baselines_entity new file mode 100644 index 0000000..53f54df --- /dev/null +++ b/parsers/ueba_baselines_entity @@ -0,0 +1 @@ +{"columnNames": ["entity_type", "entity_id", "family", "feature_name", "mu", "sigma", "q99", "n"], "rows": [["user", ".anna.schmidt", "auth", "auth_total", 1.4545454545454546, 0.6555547773570889, 3.0, 11], ["user", "lab.tech.sarah.koch", "auth", "auth_total", 1.3333333333333333, 0.4714045207910317, 2.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "auth_total", 1.5, 0.6708203932499369, 3.0, 10], ["user", "pharmacist.hans.meyer", "auth", "auth_total", 1.3333333333333333, 0.6236095644623235, 3.0, 12], ["user", ".lisa.bauer", "auth", "auth_total", 1.2857142857142858, 0.6998542122237652, 3.0, 7], ["user", ".thomas.weber", "auth", "auth_total", 1.8, 0.8717797887081348, 4.0, 10], ["user", "admin.klaus.fischer", "auth", "auth_total", 1.2307692307692308, 0.4213250442347432, 2.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "auth_total", 1.5454545454545454, 0.6555547773570889, 3.0, 11], ["user", ".anna.schmidt", "auth", "auth_fail", 0.5454545454545454, 0.6555547773570889, 2.0, 11], ["user", "lab.tech.sarah.koch", "auth", "auth_fail", 0.5, 0.5, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "auth_fail", 0.5, 0.5, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "auth_fail", 0.75, 0.5951190357119042, 2.0, 12], ["user", ".lisa.bauer", "auth", "auth_fail", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "auth", "auth_fail", 0.6, 0.48989794855663565, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "auth_fail", 0.8461538461538461, 0.532938710021193, 2.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "auth_fail", 0.5454545454545454, 0.6555547773570889, 2.0, 11], ["user", ".anna.schmidt", "auth", "auth_succ", 0.9090909090909091, 0.6680426571226848, 2.0, 11], ["user", "lab.tech.sarah.koch", "auth", "auth_succ", 0.8333333333333334, 0.6871842709362768, 2.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "auth_succ", 1.0, 0.4472135954999579, 2.0, 10], ["user", "pharmacist.hans.meyer", "auth", "auth_succ", 0.5833333333333334, 0.6400954789890506, 2.0, 12], ["user", ".lisa.bauer", "auth", "auth_succ", 1.1428571428571428, 0.8329931278350428, 3.0, 7], ["user", ".thomas.weber", "auth", "auth_succ", 1.2, 1.16619037896906, 4.0, 10], ["user", "admin.klaus.fischer", "auth", "auth_succ", 0.38461538461538464, 0.48650425541051995, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "auth_succ", 1.0, 0.6030226891555273, 2.0, 11], ["user", ".anna.schmidt", "auth", "auth_fail_ratio", 0.34848484848484845, 0.42908491692443324, 1.0, 11], ["user", "lab.tech.sarah.koch", "auth", "auth_fail_ratio", 0.4166666666666667, 0.44876373392787533, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "auth_fail_ratio", 0.2833333333333333, 0.3253203549323856, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "auth_fail_ratio", 0.5694444444444444, 0.45368008252947434, 1.0, 12], ["user", ".lisa.bauer", "auth", "auth_fail_ratio", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "auth", "auth_fail_ratio", 0.45, 0.4153311931459037, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "auth_fail_ratio", 0.6923076923076923, 0.41779924966154675, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "auth_fail_ratio", 0.3333333333333333, 0.3956837835515332, 1.0, 11], ["user", ".anna.schmidt", "auth", "login_success", 0.45454545454545453, 0.6555547773570889, 2.0, 11], ["user", "lab.tech.sarah.koch", "auth", "login_success", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "login_success", 0.3, 0.45825756949558394, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "login_success", 0.25, 0.4330127018922193, 1.0, 12], ["user", ".lisa.bauer", "auth", "login_success", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", ".thomas.weber", "auth", "login_success", 0.0, 0.0, 0.0, 10], ["user", "admin.klaus.fischer", "auth", "login_success", 0.07692307692307693, 0.26646935501059654, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "login_success", 0.36363636363636365, 0.48104569292083466, 1.0, 11], ["user", ".anna.schmidt", "auth", "login_failure", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["user", "lab.tech.sarah.koch", "auth", "login_failure", 0.0, 0.0, 0.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "login_failure", 0.2, 0.4000000000000001, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "login_failure", 0.16666666666666666, 0.3726779962499649, 1.0, 12], ["user", ".lisa.bauer", "auth", "login_failure", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "auth", "login_failure", 0.1, 0.30000000000000004, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "login_failure", 0.07692307692307693, 0.26646935501059654, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "login_failure", 0.09090909090909091, 0.28747978728803447, 1.0, 11], ["user", ".anna.schmidt", "auth", "logout", 0.0, 0.0, 0.0, 11], ["user", "lab.tech.sarah.koch", "auth", "logout", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "logout", 0.2, 0.4, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "logout", 0.08333333333333333, 0.2763853991962833, 1.0, 12], ["user", ".lisa.bauer", "auth", "logout", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "auth", "logout", 0.6, 1.0198039027185568, 3.0, 10], ["user", "admin.klaus.fischer", "auth", "logout", 0.07692307692307693, 0.26646935501059654, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "logout", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["user", ".anna.schmidt", "auth", "session_timeout", 0.2727272727272727, 0.4453617714151233, 1.0, 11], ["user", "lab.tech.sarah.koch", "auth", "session_timeout", 0.0, 0.0, 0.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "session_timeout", 0.2, 0.4000000000000001, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "session_timeout", 0.16666666666666666, 0.37267799624996495, 1.0, 12], ["user", ".lisa.bauer", "auth", "session_timeout", 0.7142857142857143, 0.4517539514526256, 1.0, 7], ["user", ".thomas.weber", "auth", "session_timeout", 0.2, 0.4000000000000001, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "session_timeout", 0.0, 0.0, 0.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "session_timeout", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["user", ".anna.schmidt", "auth", "mfa_success", 0.0, 0.0, 0.0, 11], ["user", "lab.tech.sarah.koch", "auth", "mfa_success", 0.16666666666666666, 0.37267799624996495, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "mfa_success", 0.0, 0.0, 0.0, 10], ["user", "pharmacist.hans.meyer", "auth", "mfa_success", 0.0, 0.0, 0.0, 12], ["user", ".lisa.bauer", "auth", "mfa_success", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "auth", "mfa_success", 0.1, 0.30000000000000004, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "mfa_success", 0.23076923076923078, 0.4213250442347432, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "mfa_success", 0.09090909090909091, 0.2874797872880344, 1.0, 11], ["user", ".anna.schmidt", "auth", "mfa_failure", 0.0, 0.0, 0.0, 11], ["user", "lab.tech.sarah.koch", "auth", "mfa_failure", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "mfa_failure", 0.1, 0.30000000000000004, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "mfa_failure", 0.0, 0.0, 0.0, 12], ["user", ".lisa.bauer", "auth", "mfa_failure", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "auth", "mfa_failure", 0.1, 0.30000000000000004, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "mfa_failure", 0.07692307692307693, 0.2664693550105966, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "mfa_failure", 0.0, 0.0, 0.0, 11], ["user", ".anna.schmidt", "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 11], ["user", "lab.tech.sarah.koch", "auth", "mfa_fail_ratio", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "mfa_fail_ratio", 0.1, 0.30000000000000004, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 12], ["user", ".lisa.bauer", "auth", "mfa_fail_ratio", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "auth", "mfa_fail_ratio", 0.1, 0.30000000000000004, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "mfa_fail_ratio", 0.07692307692307693, 0.2664693550105966, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 11], ["user", ".anna.schmidt", "auth", "password_change", 0.18181818181818182, 0.385694607919935, 1.0, 11], ["user", "lab.tech.sarah.koch", "auth", "password_change", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "password_change", 0.3, 0.45825756949558394, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "password_change", 0.08333333333333333, 0.2763853991962833, 1.0, 12], ["user", ".lisa.bauer", "auth", "password_change", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", ".thomas.weber", "auth", "password_change", 0.3, 0.45825756949558394, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "password_change", 0.0, 0.0, 0.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "password_change", 0.18181818181818182, 0.385694607919935, 1.0, 11], ["user", ".anna.schmidt", "auth", "password_reset_req", 0.18181818181818182, 0.385694607919935, 1.0, 11], ["user", "lab.tech.sarah.koch", "auth", "password_reset_req", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "password_reset_req", 0.0, 0.0, 0.0, 10], ["user", "pharmacist.hans.meyer", "auth", "password_reset_req", 0.25, 0.4330127018922193, 1.0, 12], ["user", ".lisa.bauer", "auth", "password_reset_req", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "auth", "password_reset_req", 0.1, 0.30000000000000004, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "password_reset_req", 0.15384615384615385, 0.36080121229410994, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "password_reset_req", 0.2727272727272727, 0.616575453011388, 2.0, 11], ["user", ".anna.schmidt", "auth", "account_locked", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["user", "lab.tech.sarah.koch", "auth", "account_locked", 0.0, 0.0, 0.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "account_locked", 0.1, 0.30000000000000004, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "account_locked", 0.16666666666666666, 0.3726779962499649, 1.0, 12], ["user", ".lisa.bauer", "auth", "account_locked", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "auth", "account_locked", 0.1, 0.30000000000000004, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "account_locked", 0.23076923076923078, 0.4213250442347432, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "account_locked", 0.09090909090909091, 0.2874797872880344, 1.0, 11], ["user", ".anna.schmidt", "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 11], ["user", "lab.tech.sarah.koch", "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 6], ["user", "nurse.maria.m\\u00fcller", "auth", "account_unlocked_fail", 0.1, 0.30000000000000004, 1.0, 10], ["user", "pharmacist.hans.meyer", "auth", "account_unlocked_fail", 0.16666666666666666, 0.3726779962499649, 1.0, 12], ["user", ".lisa.bauer", "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "auth", "account_unlocked_fail", 0.2, 0.4000000000000001, 1.0, 10], ["user", "admin.klaus.fischer", "auth", "account_unlocked_fail", 0.3076923076923077, 0.46153846153846156, 1.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "account_unlocked_fail", 0.09090909090909091, 0.2874797872880344, 1.0, 11], ["host", "avelios-app-01.berlin.local", "endpoint", "host_events", 1.5714285714285714, 0.7284313590846836, 3.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_events", 1.3333333333333333, 0.8498365855987975, 4.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_events", 2.0, 1.0690449676496976, 4.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_events", 1.2, 0.4000000000000001, 2.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_events", 1.6666666666666667, 0.9428090415820634, 4.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_events", 2.5, 1.2583057392117916, 6.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_events", 1.0909090909090908, 0.28747978728803447, 2.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_events", 1.6428571428571428, 0.7178482586514923, 3.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_events", 1.3333333333333333, 0.4714045207910317, 2.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_events", 1.4, 0.48989794855663565, 2.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_events", 1.4545454545454546, 0.6555547773570889, 3.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_events", 1.6666666666666667, 0.7453559924999299, 3.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_failures", 0.7142857142857143, 0.7953949089757174, 3.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_failures", 0.4166666666666667, 0.6400954789890505, 2.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_failures", 0.7142857142857143, 0.5890150893739515, 2.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_failures", 0.4, 0.48989794855663565, 1.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_failures", 1.0, 0.8944271909999159, 4.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_failures", 0.0, 0.0, 0.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_failures", 0.2727272727272727, 0.4453617714151233, 1.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_failures", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_failures", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_failures", 0.2, 0.4000000000000001, 1.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_failures", 0.45454545454545453, 0.7820295697311479, 2.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_failures", 0.0, 0.0, 0.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_infos", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_infos", 0.3, 0.45825756949558405, 1.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_infos", 0.2727272727272727, 0.4453617714151233, 1.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_infos", 0.5, 0.5, 1.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_failure_ratio", 0.4642857142857143, 0.4417613170304636, 1.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_failure_ratio", 0.3333333333333333, 0.47140452079103173, 1.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_failure_ratio", 0.3392857142857143, 0.3369804727313848, 1.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_failure_ratio", 0.4, 0.48989794855663565, 1.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_failure_ratio", 0.6444444444444444, 0.4076430295076476, 1.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_failure_ratio", 0.2727272727272727, 0.4453617714151233, 1.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_failure_ratio", 0.1, 0.20000000000000004, 0.5, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_failure_ratio", 0.2424242424242424, 0.4042928504280707, 1.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_high_severity", 0.21428571428571427, 0.41032590332414504, 1.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_high_severity", 0.25, 0.5951190357119042, 2.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_high_severity", 0.07142857142857142, 0.25753937681885636, 1.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_high_severity", 0.1, 0.30000000000000004, 1.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_high_severity", 0.06666666666666667, 0.2494438257849295, 1.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_high_severity", 0.09090909090909091, 0.2874797872880344, 1.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_high_severity", 0.3, 0.45825756949558394, 1.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_high_severity", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_high_severity", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_auth_events", 1.5714285714285714, 0.7284313590846836, 3.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_auth_events", 1.3333333333333333, 0.8498365855987975, 4.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_auth_events", 2.0, 1.0690449676496976, 4.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_auth_events", 1.2, 0.4000000000000001, 2.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_auth_events", 1.6666666666666667, 0.9428090415820634, 4.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_auth_events", 0.0, 0.0, 0.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_auth_events", 1.0909090909090908, 0.28747978728803447, 2.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_auth_events", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_auth_events", 1.1666666666666667, 0.6871842709362768, 2.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_auth_events", 0.9, 0.5385164807134504, 2.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_auth_events", 0.9090909090909091, 0.6680426571226848, 2.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_auth_events", 1.0, 0.5773502691896257, 2.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_data_events", 2.5, 1.2583057392117916, 6.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_data_events", 1.6428571428571428, 0.7178482586514923, 3.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_ti_events", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_ti_events", 0.5, 0.6708203932499369, 2.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_ti_events", 0.5454545454545454, 0.49792959773196915, 1.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_ti_events", 0.6666666666666666, 0.74535599249993, 2.0, 6], ["host", "avelios-app-01.berlin.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-01.munich.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 12], ["host", "avelios-app-02.berlin.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 10], ["host", "avelios-app-03.berlin.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 15], ["host", "avelios-int-01.berlin.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 18], ["host", "avelios-app-03.munich.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_card_events", 1.1666666666666667, 0.6871842709362768, 2.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_card_events", 0.9, 0.5385164807134504, 2.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_card_events", 0.9090909090909091, 0.6680426571226848, 2.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_card_events", 1.0, 0.5773502691896257, 2.0, 6], ["host", "avelios-int-01.berlin.local", "network", "ti_events", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "ti_events", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "ti_events", 1.0, 0.0, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "ti_events", 1.3333333333333333, 0.4714045207910317, 2.0, 3], ["host", "omniconnect-fra-01.local", "network", "ti_events", 1.25, 0.4330127018922193, 2.0, 4], ["host", "omniconnect-ber-01.local", "network", "ti_events", 1.0, 0.0, 1.0, 1], ["host", "avelios-int-01.berlin.local", "network", "ti_failures", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "ti_failures", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "ti_failures", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "ti_failures", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "ti_failures", 0.5, 0.5, 1.0, 4], ["host", "omniconnect-ber-01.local", "network", "ti_failures", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "ti_failure_ratio", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "ti_failure_ratio", 0.375, 0.414578098794425, 1.0, 4], ["host", "omniconnect-ber-01.local", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "konnektor_connected", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "konnektor_connected", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "konnektor_connected", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "konnektor_connected", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "konnektor_connected", 0.0, 0.0, 0.0, 4], ["host", "omniconnect-ber-01.local", "network", "konnektor_connected", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-ham-01.local", "network", "konnektor_disconnected", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "omniconnect-fra-01.local", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 4], ["host", "omniconnect-ber-01.local", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "konnektor_health_check", 0.16666666666666666, 0.37267799624996495, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "konnektor_health_check", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "omniconnect-fra-01.local", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 4], ["host", "omniconnect-ber-01.local", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "konnektor_flap_score", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "konnektor_flap_score", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "omniconnect-fra-01.local", "network", "konnektor_flap_score", 0.5, 0.5, 1.0, 4], ["host", "omniconnect-ber-01.local", "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "vpn_tunnel_failed", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "vpn_tunnel_failed", 0.5, 0.5, 1.0, 4], ["host", "omniconnect-ber-01.local", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "vpn_tunnel_reconnect", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 4], ["host", "omniconnect-ber-01.local", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "cert_expired", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "cert_expired", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "cert_expired", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-ham-01.local", "network", "cert_expired", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "cert_expired", 0.0, 0.0, 0.0, 4], ["host", "omniconnect-ber-01.local", "network", "cert_expired", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "cert_expiring", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "cert_expiring", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "cert_expiring", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-ham-01.local", "network", "cert_expiring", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "cert_expiring", 0.0, 0.0, 0.0, 4], ["host", "omniconnect-ber-01.local", "network", "cert_expiring", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "cert_valid", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "cert_valid", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "cert_valid", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "cert_valid", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "omniconnect-fra-01.local", "network", "cert_valid", 0.0, 0.0, 0.0, 4], ["host", "omniconnect-ber-01.local", "network", "cert_valid", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 6], ["host", "omniconnect-ham-01.local", "network", "ti_service_unavailable", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "omniconnect-fra-01.local", "network", "ti_service_unavailable", 0.25, 0.4330127018922193, 1.0, 4], ["host", "omniconnect-ber-01.local", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 1], ["host", "avelios-int-01.berlin.local", "network", "ti_service_available", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "ti_service_available", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "ti_service_available", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "ti_service_available", 0.0, 0.0, 0.0, 3], ["host", "omniconnect-fra-01.local", "network", "ti_service_available", 0.5, 0.5, 1.0, 4], ["host", "omniconnect-ber-01.local", "network", "ti_service_available", 1.0, 0.0, 1.0, 1], ["host", "avelios-int-01.berlin.local", "network", "high_sev_events", 0.0, 0.0, 0.0, 18], ["host", "avelios-int-01.munich.local", "network", "high_sev_events", 0.0, 0.0, 0.0, 14], ["host", "omniconnect-mun-01.local", "network", "high_sev_events", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "high_sev_events", 0.6666666666666666, 0.4714045207910317, 1.0, 3], ["host", "omniconnect-fra-01.local", "network", "high_sev_events", 0.75, 0.4330127018922193, 1.0, 4], ["host", "omniconnect-ber-01.local", "network", "high_sev_events", 0.0, 0.0, 0.0, 1], ["user", "billing.clerk.peter.wolf", "cloud", "dt_events", 1.1428571428571428, 0.3499271061118826, 2.0, 7], ["user", ".thomas.weber", "cloud", "dt_events", 1.125, 0.33071891388307384, 2.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "dt_events", 1.4444444444444444, 0.4969039949999533, 2.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "dt_events", 1.0, 0.0, 1.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "dt_events", 1.3333333333333333, 0.4714045207910317, 2.0, 6], ["user", ".anna.schmidt", "cloud", "dt_events", 1.2857142857142858, 0.45175395145262565, 2.0, 7], ["user", ".lisa.bauer", "cloud", "dt_events", 1.6666666666666667, 0.7453559924999299, 3.0, 6], ["user", "admin.klaus.fischer", "cloud", "dt_events", 1.0, 0.0, 1.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "dt_failures", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "cloud", "dt_failures", 0.0, 0.0, 0.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "dt_failures", 0.0, 0.0, 0.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "dt_failures", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "dt_failures", 0.0, 0.0, 0.0, 6], ["user", ".anna.schmidt", "cloud", "dt_failures", 0.0, 0.0, 0.0, 7], ["user", ".lisa.bauer", "cloud", "dt_failures", 0.0, 0.0, 0.0, 6], ["user", "admin.klaus.fischer", "cloud", "dt_failures", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "export_initiated", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", ".thomas.weber", "cloud", "export_initiated", 0.125, 0.33071891388307384, 1.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "export_initiated", 0.3333333333333333, 0.6666666666666666, 2.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "export_initiated", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "export_initiated", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", ".anna.schmidt", "cloud", "export_initiated", 0.0, 0.0, 0.0, 7], ["user", ".lisa.bauer", "cloud", "export_initiated", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "export_initiated", 0.5, 0.5, 1.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "export_completed", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "cloud", "export_completed", 0.0, 0.0, 0.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "export_completed", 0.1111111111111111, 0.31426968052735443, 1.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "export_completed", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "export_completed", 0.0, 0.0, 0.0, 6], ["user", ".anna.schmidt", "cloud", "export_completed", 0.42857142857142855, 0.4948716593053935, 1.0, 7], ["user", ".lisa.bauer", "cloud", "export_completed", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "export_completed", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "import_initiated", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", ".thomas.weber", "cloud", "import_initiated", 0.0, 0.0, 0.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "import_initiated", 0.1111111111111111, 0.3142696805273545, 1.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "import_initiated", 0.125, 0.33071891388307384, 1.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "import_initiated", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", ".anna.schmidt", "cloud", "import_initiated", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".lisa.bauer", "cloud", "import_initiated", 0.0, 0.0, 0.0, 6], ["user", "admin.klaus.fischer", "cloud", "import_initiated", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "import_completed", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "cloud", "import_completed", 0.125, 0.33071891388307384, 1.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "import_completed", 0.0, 0.0, 0.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "import_completed", 0.25, 0.4330127018922193, 1.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "import_completed", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", ".anna.schmidt", "cloud", "import_completed", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".lisa.bauer", "cloud", "import_completed", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "import_completed", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "email_notifications", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "cloud", "email_notifications", 0.375, 0.4841229182759271, 1.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "email_notifications", 0.2222222222222222, 0.41573970964154905, 1.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "email_notifications", 0.25, 0.4330127018922193, 1.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "email_notifications", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", ".anna.schmidt", "cloud", "email_notifications", 0.2857142857142857, 0.4517539514526256, 1.0, 7], ["user", ".lisa.bauer", "cloud", "email_notifications", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "email_notifications", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "report_generated", 0.2857142857142857, 0.4517539514526256, 1.0, 7], ["user", ".thomas.weber", "cloud", "report_generated", 0.25, 0.4330127018922193, 1.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "report_generated", 0.0, 0.0, 0.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "report_generated", 0.25, 0.4330127018922193, 1.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "report_generated", 0.0, 0.0, 0.0, 6], ["user", ".anna.schmidt", "cloud", "report_generated", 0.0, 0.0, 0.0, 7], ["user", ".lisa.bauer", "cloud", "report_generated", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "report_generated", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "fhir_requests", 0.4444444444444444, 0.4969039949999533, 1.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "fhir_requests", 0.16666666666666666, 0.37267799624996495, 1.0, 6], ["user", ".anna.schmidt", "cloud", "fhir_requests", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".lisa.bauer", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 6], ["user", "admin.klaus.fischer", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "hl7_received", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", ".thomas.weber", "cloud", "hl7_received", 0.0, 0.0, 0.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "hl7_received", 0.0, 0.0, 0.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "hl7_received", 0.125, 0.33071891388307384, 1.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "hl7_received", 0.0, 0.0, 0.0, 6], ["user", ".anna.schmidt", "cloud", "hl7_received", 0.0, 0.0, 0.0, 7], ["user", ".lisa.bauer", "cloud", "hl7_received", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "hl7_received", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 7], ["user", ".thomas.weber", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "hl7_sent", 0.2222222222222222, 0.6285393610547089, 2.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 6], ["user", ".anna.schmidt", "cloud", "hl7_sent", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", ".lisa.bauer", "cloud", "hl7_sent", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "print_jobs", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "cloud", "print_jobs", 0.25, 0.4330127018922193, 1.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "print_jobs", 0.0, 0.0, 0.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "print_jobs", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "print_jobs", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", ".anna.schmidt", "cloud", "print_jobs", 0.0, 0.0, 0.0, 7], ["user", ".lisa.bauer", "cloud", "print_jobs", 0.0, 0.0, 0.0, 6], ["user", "admin.klaus.fischer", "cloud", "print_jobs", 0.5, 0.5, 1.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "total_records_exported", 106.57142857142857, 175.98933177314805, 468.0, 7], ["user", ".thomas.weber", "cloud", "total_records_exported", 84.75, 224.22742361272404, 678.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "total_records_exported", 205.11111111111111, 302.92919761131, 829.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "total_records_exported", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "total_records_exported", 146.66666666666666, 327.9566366999692, 880.0, 6], ["user", ".anna.schmidt", "cloud", "total_records_exported", 263.14285714285717, 365.019149623464, 857.0, 7], ["user", ".lisa.bauer", "cloud", "total_records_exported", 302.5, 427.87059959758864, 921.0, 6], ["user", "admin.klaus.fischer", "cloud", "total_records_exported", 151.5, 151.5, 303.0, 2], ["user", "billing.clerk.peter.wolf", "cloud", "external_destinations", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", ".thomas.weber", "cloud", "external_destinations", 0.0, 0.0, 0.0, 8], ["user", "lab.tech.sarah.koch", "cloud", "external_destinations", 0.2222222222222222, 0.41573970964154905, 1.0, 9], ["user", "nurse.maria.m\\u00fcller", "cloud", "external_destinations", 0.0, 0.0, 0.0, 8], ["user", "pharmacist.hans.meyer", "cloud", "external_destinations", 0.0, 0.0, 0.0, 6], ["user", ".anna.schmidt", "cloud", "external_destinations", 0.0, 0.0, 0.0, 7], ["user", ".lisa.bauer", "cloud", "external_destinations", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "admin.klaus.fischer", "cloud", "external_destinations", 0.0, 0.0, 0.0, 2], ["host", "omniconnect-ber-01.local", "healthcare", "card_events", 1.4, 0.4898979485566356, 2.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_events", 1.125, 0.33071891388307384, 2.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_events", 1.25, 0.4330127018922193, 2.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_events", 1.2, 0.4, 2.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_failures", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_failures", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_failures", 0.5, 0.8660254037844386, 2.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_failures", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_failure_ratio", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_read_success", 0.4, 0.48989794855663565, 1.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_read_success", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_read_success", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_read_success", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_read_failure", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_read_failure", 0.2, 0.4, 1.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_pin_verified", 0.4, 0.48989794855663565, 1.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_pin_verified", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_pin_verified", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_pin_verified", 0.2, 0.4000000000000001, 1.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_pin_failed", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_pin_blocked", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_removed", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_removed", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_removed", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_removed", 0.2, 0.4, 1.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_decryption", 0.2, 0.4000000000000001, 1.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_decryption", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_decryption", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_decryption", 0.6, 0.48989794855663565, 1.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_signature_created", 0.2, 0.4, 1.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_signature_created", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_auth_success", 0.2, 0.4, 1.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_auth_success", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "card_auth_failed", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "smcb_events", 0.4, 0.48989794855663565, 1.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "smcb_events", 0.25, 0.4330127018922193, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "smcb_events", 0.375, 0.4841229182759271, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "smcb_events", 0.4, 0.48989794855663565, 1.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "hba_events", 0.4, 0.48989794855663565, 1.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "hba_events", 0.375, 0.4841229182759271, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "hba_events", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "hba_events", 0.2, 0.4, 1.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "qes_pin_attempts", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "low_attempts_remaining", 0.125, 0.33071891388307384, 1.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 5], ["user", ".anna.schmidt", "auth", "distinct_src_ip", 1.2727272727272727, 0.4453617714151233, 2.0, 11], ["user", "nurse.maria.m\\u00fcller", "auth", "distinct_src_ip", 1.5, 0.6708203932499369, 3.0, 10], ["user", ".lisa.bauer", "auth", "distinct_src_ip", 1.2857142857142858, 0.6998542122237652, 3.0, 7], ["user", ".thomas.weber", "auth", "distinct_src_ip", 1.8, 0.8717797887081348, 4.0, 10], ["user", "admin.klaus.fischer", "auth", "distinct_src_ip", 1.2307692307692308, 0.4213250442347432, 2.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "distinct_src_ip", 1.5454545454545454, 0.6555547773570889, 3.0, 11], ["user", "lab.tech.sarah.koch", "auth", "distinct_src_ip", 1.4, 0.4898979485566356, 2.0, 5], ["user", "pharmacist.hans.meyer", "auth", "distinct_src_ip", 1.3636363636363635, 0.642824346533225, 3.0, 11], ["user", ".anna.schmidt", "auth", "distinct_src_host", 1.1818181818181819, 0.385694607919935, 2.0, 11], ["user", "nurse.maria.m\\u00fcller", "auth", "distinct_src_host", 1.5, 0.6708203932499369, 3.0, 10], ["user", ".lisa.bauer", "auth", "distinct_src_host", 1.1428571428571428, 0.34992710611188266, 2.0, 7], ["user", ".thomas.weber", "auth", "distinct_src_host", 1.7, 0.6403124237432849, 3.0, 10], ["user", "admin.klaus.fischer", "auth", "distinct_src_host", 1.0769230769230769, 0.26646935501059654, 2.0, 13], ["user", "billing.clerk.peter.wolf", "auth", "distinct_src_host", 1.4545454545454546, 0.6555547773570889, 3.0, 11], ["user", "lab.tech.sarah.koch", "auth", "distinct_src_host", 1.4, 0.4898979485566356, 2.0, 5], ["user", "pharmacist.hans.meyer", "auth", "distinct_src_host", 1.2727272727272727, 0.4453617714151233, 2.0, 11], ["host", "avelios-app-02.berlin.local", "endpoint", "host_distinct_users", 1.9285714285714286, 1.0326308782000686, 4.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_distinct_users", 1.1, 0.3, 2.0, 10], ["host", "avelios-int-01.berlin.local", "endpoint", "host_distinct_users", 2.2222222222222223, 1.082977149423218, 5.0, 18], ["host", "avelios-app-01.berlin.local", "endpoint", "host_distinct_users", 1.4615384615384615, 0.7457969011409737, 3.0, 13], ["host", "avelios-app-01.munich.local", "endpoint", "host_distinct_users", 1.2727272727272727, 0.616575453011388, 3.0, 11], ["host", "avelios-app-03.berlin.local", "endpoint", "host_distinct_users", 1.5714285714285714, 0.7284313590846836, 3.0, 14], ["host", "avelios-app-03.munich.local", "endpoint", "host_distinct_users", 1.0, 0.0, 1.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_distinct_users", 1.5, 0.5, 2.0, 14], ["host", "avelios-app-02.berlin.local", "endpoint", "host_distinct_etypes", 1.8571428571428572, 0.989743318610787, 4.0, 14], ["host", "avelios-app-02.munich.local", "endpoint", "host_distinct_etypes", 1.1, 0.3, 2.0, 10], ["host", "avelios-int-01.berlin.local", "endpoint", "host_distinct_etypes", 2.111111111111111, 0.9938079899999066, 4.0, 18], ["host", "avelios-app-01.berlin.local", "endpoint", "host_distinct_etypes", 1.6153846153846154, 0.737820234355803, 3.0, 13], ["host", "avelios-app-01.munich.local", "endpoint", "host_distinct_etypes", 1.1818181818181819, 0.5749595745760689, 3.0, 11], ["host", "avelios-app-03.berlin.local", "endpoint", "host_distinct_etypes", 1.6428571428571428, 0.8112726208286106, 3.0, 14], ["host", "avelios-app-03.munich.local", "endpoint", "host_distinct_etypes", 1.0, 0.0, 1.0, 11], ["host", "avelios-int-01.munich.local", "endpoint", "host_distinct_etypes", 1.5714285714285714, 0.6226998490772391, 3.0, 14], ["host", "omniconnect-ber-01.local", "endpoint", "host_distinct_etypes", 1.3333333333333333, 0.4714045207910317, 2.0, 6], ["host", "omniconnect-fra-01.local", "endpoint", "host_distinct_etypes", 1.4, 0.48989794855663565, 2.0, 10], ["host", "omniconnect-mun-01.local", "endpoint", "host_distinct_etypes", 1.4545454545454546, 0.6555547773570889, 3.0, 11], ["host", "omniconnect-ham-01.local", "endpoint", "host_distinct_etypes", 1.6666666666666667, 0.7453559924999299, 3.0, 6], ["host", "omniconnect-mun-01.local", "network", "distinct_telematik_ids", 1.0, 0.0, 1.0, 6], ["host", "omniconnect-ham-01.local", "network", "distinct_telematik_ids", 1.3333333333333333, 0.4714045207910317, 2.0, 3], ["host", "omniconnect-fra-01.local", "network", "distinct_telematik_ids", 1.25, 0.4330127018922193, 2.0, 4], ["host", "omniconnect-ber-01.local", "network", "distinct_telematik_ids", 1.0, 0.0, 1.0, 1], ["user", "billing.clerk.peter.wolf", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 3], ["user", "lab.tech.sarah.koch", "cloud", "distinct_destinations", 1.5, 0.5, 2.0, 4], ["user", ".thomas.weber", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", ".anna.schmidt", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 4], ["user", ".lisa.bauer", "cloud", "distinct_destinations", 1.5, 0.5, 2.0, 4], ["user", "admin.klaus.fischer", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", "pharmacist.hans.meyer", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", "nurse.maria.m\\u00fcller", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", "billing.clerk.peter.wolf", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 2], ["user", "lab.tech.sarah.koch", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 3], ["user", ".thomas.weber", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 1], ["user", ".anna.schmidt", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 3], ["user", "admin.klaus.fischer", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 1], ["user", ".lisa.bauer", "cloud", "distinct_export_types", 1.5, 0.5, 2.0, 2], ["user", "pharmacist.hans.meyer", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 1], ["user", "billing.clerk.peter.wolf", "cloud", "distinct_msg_types", 1.0, 0.0, 1.0, 1], ["user", ".lisa.bauer", "cloud", "distinct_msg_types", 1.0, 0.0, 1.0, 3], ["user", ".anna.schmidt", "cloud", "distinct_msg_types", 1.0, 0.0, 1.0, 1], ["user", "lab.tech.sarah.koch", "cloud", "distinct_msg_types", 2.0, 0.0, 2.0, 1], ["user", "nurse.maria.m\\u00fcller", "cloud", "distinct_msg_types", 1.0, 0.0, 1.0, 1], ["host", "omniconnect-ber-01.local", "healthcare", "distinct_cards", 1.4, 0.4898979485566356, 2.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "distinct_cards", 1.125, 0.33071891388307384, 2.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "distinct_cards", 1.25, 0.4330127018922193, 2.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "distinct_cards", 1.2, 0.4, 2.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "distinct_terminals", 1.4, 0.4898979485566356, 2.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "distinct_terminals", 1.125, 0.33071891388307384, 2.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "distinct_terminals", 1.25, 0.4330127018922193, 2.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "distinct_terminals", 1.2, 0.4, 2.0, 5], ["host", "omniconnect-ber-01.local", "healthcare", "distinct_card_types", 1.4, 0.4898979485566356, 2.0, 5], ["host", "omniconnect-fra-01.local", "healthcare", "distinct_card_types", 1.0, 0.0, 1.0, 8], ["host", "omniconnect-mun-01.local", "healthcare", "distinct_card_types", 1.25, 0.4330127018922193, 2.0, 8], ["host", "omniconnect-ham-01.local", "healthcare", "distinct_card_types", 1.0, 0.0, 1.0, 5]]} \ No newline at end of file diff --git a/parsers/ueba_baselines_peer b/parsers/ueba_baselines_peer new file mode 100644 index 0000000..443739b --- /dev/null +++ b/parsers/ueba_baselines_peer @@ -0,0 +1 @@ +{"columnNames": ["entity_type", "peer_id", "family", "feature_name", "mu", "sigma", "q99", "n"], "rows": [["user", "role=Nurse|hosp=HOSP-003", "auth", "auth_total", 1.5, 0.6708203932499369, 3.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "auth_total", 1.3333333333333333, 0.6236095644623235, 3.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "auth_total", 1.8, 0.8717797887081348, 4.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "auth_total", 1.2307692307692308, 0.4213250442347432, 2.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "auth_total", 1.5454545454545454, 0.6555547773570889, 3.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "auth_fail", 0.5, 0.5, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "auth_fail", 0.75, 0.5951190357119042, 2.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "auth_fail", 0.6, 0.48989794855663565, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "auth_fail", 0.8461538461538461, 0.532938710021193, 2.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "auth_fail", 0.5454545454545454, 0.6555547773570889, 2.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "auth_succ", 1.0, 0.4472135954999579, 2.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "auth_succ", 0.5833333333333334, 0.6400954789890506, 2.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "auth_succ", 1.2, 1.16619037896906, 4.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "auth_succ", 0.38461538461538464, 0.48650425541051995, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "auth_succ", 1.0, 0.6030226891555273, 2.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "auth_fail_ratio", 0.2833333333333333, 0.3253203549323856, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "auth_fail_ratio", 0.5694444444444444, 0.45368008252947434, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "auth_fail_ratio", 0.45, 0.4153311931459037, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "auth_fail_ratio", 0.6923076923076923, 0.41779924966154675, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "auth_fail_ratio", 0.3333333333333333, 0.3956837835515332, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "login_success", 0.3, 0.45825756949558394, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "login_success", 0.25, 0.4330127018922193, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "login_success", 0.0, 0.0, 0.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "login_success", 0.07692307692307693, 0.26646935501059654, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "login_success", 0.36363636363636365, 0.48104569292083466, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "login_failure", 0.2, 0.4000000000000001, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "login_failure", 0.16666666666666666, 0.3726779962499649, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "login_failure", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "login_failure", 0.07692307692307693, 0.26646935501059654, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "login_failure", 0.09090909090909091, 0.28747978728803447, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "logout", 0.2, 0.4, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "logout", 0.08333333333333333, 0.2763853991962833, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "logout", 0.6, 1.0198039027185568, 3.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "logout", 0.07692307692307693, 0.26646935501059654, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "logout", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "session_timeout", 0.2, 0.4000000000000001, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "session_timeout", 0.16666666666666666, 0.37267799624996495, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "session_timeout", 0.2, 0.4000000000000001, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "session_timeout", 0.0, 0.0, 0.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "session_timeout", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "mfa_success", 0.0, 0.0, 0.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "mfa_success", 0.0, 0.0, 0.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "mfa_success", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "mfa_success", 0.23076923076923078, 0.4213250442347432, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "mfa_success", 0.09090909090909091, 0.2874797872880344, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "mfa_failure", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "mfa_failure", 0.0, 0.0, 0.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "mfa_failure", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "mfa_failure", 0.07692307692307693, 0.2664693550105966, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "mfa_failure", 0.0, 0.0, 0.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "mfa_fail_ratio", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "mfa_fail_ratio", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "mfa_fail_ratio", 0.07692307692307693, 0.2664693550105966, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "password_change", 0.3, 0.45825756949558394, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "password_change", 0.08333333333333333, 0.2763853991962833, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "password_change", 0.3, 0.45825756949558394, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "password_change", 0.0, 0.0, 0.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "password_change", 0.18181818181818182, 0.385694607919935, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "password_reset_req", 0.0, 0.0, 0.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "password_reset_req", 0.25, 0.4330127018922193, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "password_reset_req", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "password_reset_req", 0.15384615384615385, 0.36080121229410994, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "password_reset_req", 0.2727272727272727, 0.616575453011388, 2.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "account_locked", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "account_locked", 0.16666666666666666, 0.3726779962499649, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "account_locked", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "account_locked", 0.23076923076923078, 0.4213250442347432, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "account_locked", 0.09090909090909091, 0.2874797872880344, 1.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "account_unlocked_fail", 0.1, 0.30000000000000004, 1.0, 10], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "account_unlocked_fail", 0.16666666666666666, 0.3726779962499649, 1.0, 12], ["user", "role=Physician|hosp=HOSP-003", "auth", "account_unlocked_fail", 0.2, 0.4000000000000001, 1.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "account_unlocked_fail", 0.3076923076923077, 0.46153846153846156, 1.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "account_unlocked_fail", 0.09090909090909091, 0.2874797872880344, 1.0, 11], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_events", 1.9574468085106382, 1.1100593583613256, 6.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_events", 1.4, 0.632455532033676, 3.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_events", 1.3333333333333333, 0.4714045207910317, 2.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_events", 1.4, 0.48989794855663565, 2.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_events", 1.4545454545454546, 0.6555547773570889, 3.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_events", 1.6666666666666667, 0.7453559924999299, 3.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_failures", 0.5319148936170213, 0.7949592209476344, 4.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_failures", 0.12, 0.3249615361854385, 1.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_failures", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_failures", 0.2, 0.4000000000000001, 1.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_failures", 0.45454545454545453, 0.7820295697311479, 2.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_failures", 0.0, 0.0, 0.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_infos", 0.0, 0.0, 0.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_infos", 0.0, 0.0, 0.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_infos", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_infos", 0.3, 0.45825756949558405, 1.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_infos", 0.2727272727272727, 0.4453617714151233, 1.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_infos", 0.5, 0.5, 1.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_failure_ratio", 0.3439716312056737, 0.43543442522969733, 1.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_failure_ratio", 0.12, 0.3249615361854385, 1.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_failure_ratio", 0.1, 0.20000000000000004, 0.5, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_failure_ratio", 0.2424242424242424, 0.4042928504280707, 1.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_high_severity", 0.0851063829787234, 0.27903993720434067, 1.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_high_severity", 0.04, 0.19595917942265437, 1.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_high_severity", 0.3, 0.45825756949558394, 1.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_high_severity", 0.18181818181818182, 0.38569460791993493, 1.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_high_severity", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_auth_events", 1.0, 1.0314212462587935, 4.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_auth_events", 0.48, 0.574108003776293, 2.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_auth_events", 1.1666666666666667, 0.6871842709362768, 2.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_auth_events", 0.9, 0.5385164807134504, 2.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_auth_events", 0.9090909090909091, 0.6680426571226848, 2.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_auth_events", 1.0, 0.5773502691896257, 2.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_data_events", 0.9574468085106383, 1.443362604778437, 6.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_data_events", 0.92, 0.9765244492586961, 3.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_data_events", 0.0, 0.0, 0.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_ti_events", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_ti_events", 0.5, 0.6708203932499369, 2.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_ti_events", 0.5454545454545454, 0.49792959773196915, 1.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_ti_events", 0.6666666666666666, 0.74535599249993, 2.0, 6], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 47], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_card_events", 0.0, 0.0, 0.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_card_events", 1.1666666666666667, 0.6871842709362768, 2.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_card_events", 0.9, 0.5385164807134504, 2.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_card_events", 0.9090909090909091, 0.6680426571226848, 2.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_card_events", 1.0, 0.5773502691896257, 2.0, 6], ["host", "host_fam=avelios|loc=Berlin", "network", "ti_events", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "ti_events", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "ti_events", 1.0, 0.0, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "ti_events", 1.3333333333333333, 0.4714045207910317, 2.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "ti_events", 1.25, 0.4330127018922193, 2.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "ti_events", 1.0, 0.0, 1.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "ti_failures", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "ti_failures", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "ti_failures", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "ti_failures", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "ti_failures", 0.5, 0.5, 1.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "ti_failures", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "ti_failure_ratio", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "ti_failure_ratio", 0.375, 0.414578098794425, 1.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "konnektor_connected", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "konnektor_connected", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "konnektor_connected", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "konnektor_connected", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "konnektor_connected", 0.0, 0.0, 0.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "konnektor_connected", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "konnektor_disconnected", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "konnektor_health_check", 0.16666666666666666, 0.37267799624996495, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "konnektor_health_check", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "konnektor_health_check", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "konnektor_flap_score", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "konnektor_flap_score", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "konnektor_flap_score", 0.5, 0.5, 1.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "vpn_tunnel_failed", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "vpn_tunnel_failed", 0.5, 0.5, 1.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "vpn_tunnel_reconnect", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "cert_expired", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "cert_expired", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "cert_expired", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "cert_expired", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "cert_expired", 0.0, 0.0, 0.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "cert_expired", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "cert_expiring", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "cert_expiring", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "cert_expiring", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "cert_expiring", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "cert_expiring", 0.0, 0.0, 0.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "cert_expiring", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "cert_valid", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "cert_valid", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "cert_valid", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "cert_valid", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "cert_valid", 0.0, 0.0, 0.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "cert_valid", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "ti_service_unavailable", 0.3333333333333333, 0.4714045207910317, 1.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "ti_service_unavailable", 0.25, 0.4330127018922193, 1.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "ti_service_available", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "ti_service_available", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "ti_service_available", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "ti_service_available", 0.0, 0.0, 0.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "ti_service_available", 0.5, 0.5, 1.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "ti_service_available", 1.0, 0.0, 1.0, 1], ["host", "host_fam=avelios|loc=Berlin", "network", "high_sev_events", 0.0, 0.0, 0.0, 18], ["host", "host_fam=avelios|loc=Munich", "network", "high_sev_events", 0.0, 0.0, 0.0, 14], ["host", "host_fam=omniconnect|loc=Munich", "network", "high_sev_events", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "high_sev_events", 0.6666666666666666, 0.4714045207910317, 1.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "high_sev_events", 0.75, 0.4330127018922193, 1.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "high_sev_events", 0.0, 0.0, 0.0, 1], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "dt_events", 1.1428571428571428, 0.3499271061118826, 2.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "dt_events", 1.125, 0.33071891388307384, 2.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "dt_events", 1.0, 0.0, 1.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "dt_events", 1.3333333333333333, 0.4714045207910317, 2.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "dt_events", 1.0, 0.0, 1.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "dt_failures", 0.0, 0.0, 0.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "dt_failures", 0.0, 0.0, 0.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "dt_failures", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "dt_failures", 0.0, 0.0, 0.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "dt_failures", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "export_initiated", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "export_initiated", 0.125, 0.33071891388307384, 1.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "export_initiated", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "export_initiated", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "export_initiated", 0.5, 0.5, 1.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "export_completed", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "export_completed", 0.0, 0.0, 0.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "export_completed", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "export_completed", 0.0, 0.0, 0.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "export_completed", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "import_initiated", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "import_initiated", 0.0, 0.0, 0.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "import_initiated", 0.125, 0.33071891388307384, 1.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "import_initiated", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "import_initiated", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "import_completed", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "import_completed", 0.125, 0.33071891388307384, 1.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "import_completed", 0.25, 0.4330127018922193, 1.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "import_completed", 0.3333333333333333, 0.4714045207910317, 1.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "import_completed", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "email_notifications", 0.0, 0.0, 0.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "email_notifications", 0.375, 0.4841229182759271, 1.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "email_notifications", 0.25, 0.4330127018922193, 1.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "email_notifications", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "email_notifications", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "report_generated", 0.2857142857142857, 0.4517539514526256, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "report_generated", 0.25, 0.4330127018922193, 1.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "report_generated", 0.25, 0.4330127018922193, 1.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "report_generated", 0.0, 0.0, 0.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "report_generated", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "fhir_requests", 0.16666666666666666, 0.37267799624996495, 1.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "fhir_requests", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "hl7_received", 0.14285714285714285, 0.34992710611188266, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "hl7_received", 0.0, 0.0, 0.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "hl7_received", 0.125, 0.33071891388307384, 1.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "hl7_received", 0.0, 0.0, 0.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "hl7_received", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "hl7_sent", 0.0, 0.0, 0.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "print_jobs", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "print_jobs", 0.25, 0.4330127018922193, 1.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "print_jobs", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "print_jobs", 0.16666666666666666, 0.372677996249965, 1.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "print_jobs", 0.5, 0.5, 1.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "total_records_exported", 106.57142857142857, 175.98933177314805, 468.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "total_records_exported", 84.75, 224.22742361272404, 678.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "total_records_exported", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "total_records_exported", 146.66666666666666, 327.9566366999692, 880.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "total_records_exported", 151.5, 151.5, 303.0, 2], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "external_destinations", 0.14285714285714285, 0.3499271061118826, 1.0, 7], ["user", "role=Physician|hosp=HOSP-003", "cloud", "external_destinations", 0.0, 0.0, 0.0, 8], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "external_destinations", 0.0, 0.0, 0.0, 8], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "external_destinations", 0.0, 0.0, 0.0, 6], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "external_destinations", 0.0, 0.0, 0.0, 2], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_events", 1.4, 0.4898979485566356, 2.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_events", 1.125, 0.33071891388307384, 2.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_events", 1.25, 0.4330127018922193, 2.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_events", 1.2, 0.4, 2.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_failures", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_failures", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_failures", 0.5, 0.8660254037844386, 2.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_failures", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_failure_ratio", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_read_success", 0.4, 0.48989794855663565, 1.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_read_success", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_read_success", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_read_success", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_read_failure", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_read_failure", 0.2, 0.4, 1.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_pin_verified", 0.4, 0.48989794855663565, 1.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_pin_verified", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_pin_verified", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_pin_verified", 0.2, 0.4000000000000001, 1.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_pin_failed", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_pin_blocked", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_removed", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_removed", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_removed", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_removed", 0.2, 0.4, 1.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_decryption", 0.2, 0.4000000000000001, 1.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_decryption", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_decryption", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_decryption", 0.6, 0.48989794855663565, 1.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_signature_created", 0.2, 0.4, 1.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_signature_created", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_auth_success", 0.2, 0.4, 1.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_auth_success", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "card_auth_failed", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "smcb_events", 0.4, 0.48989794855663565, 1.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "smcb_events", 0.25, 0.4330127018922193, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "smcb_events", 0.375, 0.4841229182759271, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "smcb_events", 0.4, 0.48989794855663565, 1.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "hba_events", 0.4, 0.48989794855663565, 1.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "hba_events", 0.375, 0.4841229182759271, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "hba_events", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "hba_events", 0.2, 0.4, 1.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "qes_pin_attempts", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "low_attempts_remaining", 0.125, 0.33071891388307384, 1.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 5], ["user", "role=Nurse|hosp=HOSP-003", "auth", "distinct_src_ip", 1.5, 0.6708203932499369, 3.0, 10], ["user", "role=Physician|hosp=HOSP-003", "auth", "distinct_src_ip", 1.8, 0.8717797887081348, 4.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "distinct_src_ip", 1.2307692307692308, 0.4213250442347432, 2.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "distinct_src_ip", 1.5454545454545454, 0.6555547773570889, 3.0, 11], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "distinct_src_ip", 1.3636363636363635, 0.642824346533225, 3.0, 11], ["user", "role=Nurse|hosp=HOSP-003", "auth", "distinct_src_host", 1.5, 0.6708203932499369, 3.0, 10], ["user", "role=Physician|hosp=HOSP-003", "auth", "distinct_src_host", 1.7, 0.6403124237432849, 3.0, 10], ["user", "role=SystemAdmin|hosp=HOSP-003", "auth", "distinct_src_host", 1.0769230769230769, 0.26646935501059654, 2.0, 13], ["user", "role=BillingClerk|hosp=HOSP-001", "auth", "distinct_src_host", 1.4545454545454546, 0.6555547773570889, 3.0, 11], ["user", "role=Pharmacist|hosp=HOSP-003", "auth", "distinct_src_host", 1.2727272727272727, 0.4453617714151233, 2.0, 11], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_distinct_users", 1.8, 0.9568466729604884, 5.0, 45], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_distinct_users", 1.28, 0.44899888641287294, 2.0, 25], ["host", "host_fam=avelios|loc=Berlin", "endpoint", "host_distinct_etypes", 1.8222222222222222, 0.9015761233378132, 4.0, 45], ["host", "host_fam=avelios|loc=Munich", "endpoint", "host_distinct_etypes", 1.32, 0.5455272678794343, 3.0, 25], ["host", "host_fam=omniconnect|loc=Berlin", "endpoint", "host_distinct_etypes", 1.3333333333333333, 0.4714045207910317, 2.0, 6], ["host", "host_fam=omniconnect|loc=Frankfurt", "endpoint", "host_distinct_etypes", 1.4, 0.48989794855663565, 2.0, 10], ["host", "host_fam=omniconnect|loc=Munich", "endpoint", "host_distinct_etypes", 1.4545454545454546, 0.6555547773570889, 3.0, 11], ["host", "host_fam=omniconnect|loc=Hamburg", "endpoint", "host_distinct_etypes", 1.6666666666666667, 0.7453559924999299, 3.0, 6], ["host", "host_fam=omniconnect|loc=Munich", "network", "distinct_telematik_ids", 1.0, 0.0, 1.0, 6], ["host", "host_fam=omniconnect|loc=Hamburg", "network", "distinct_telematik_ids", 1.3333333333333333, 0.4714045207910317, 2.0, 3], ["host", "host_fam=omniconnect|loc=Frankfurt", "network", "distinct_telematik_ids", 1.25, 0.4330127018922193, 2.0, 4], ["host", "host_fam=omniconnect|loc=Berlin", "network", "distinct_telematik_ids", 1.0, 0.0, 1.0, 1], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 3], ["user", "role=Physician|hosp=HOSP-003", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "distinct_destinations", 1.0, 0.0, 1.0, 1], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 2], ["user", "role=Physician|hosp=HOSP-003", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 1], ["user", "role=SystemAdmin|hosp=HOSP-003", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 1], ["user", "role=Pharmacist|hosp=HOSP-003", "cloud", "distinct_export_types", 1.0, 0.0, 1.0, 1], ["user", "role=BillingClerk|hosp=HOSP-001", "cloud", "distinct_msg_types", 1.0, 0.0, 1.0, 1], ["user", "role=Nurse|hosp=HOSP-003", "cloud", "distinct_msg_types", 1.0, 0.0, 1.0, 1], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "distinct_cards", 1.4, 0.4898979485566356, 2.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "distinct_cards", 1.125, 0.33071891388307384, 2.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "distinct_cards", 1.25, 0.4330127018922193, 2.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "distinct_cards", 1.2, 0.4, 2.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "distinct_terminals", 1.4, 0.4898979485566356, 2.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "distinct_terminals", 1.125, 0.33071891388307384, 2.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "distinct_terminals", 1.25, 0.4330127018922193, 2.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "distinct_terminals", 1.2, 0.4, 2.0, 5], ["host", "host_fam=omniconnect|loc=Berlin", "healthcare", "distinct_card_types", 1.4, 0.4898979485566356, 2.0, 5], ["host", "host_fam=omniconnect|loc=Frankfurt", "healthcare", "distinct_card_types", 1.0, 0.0, 1.0, 8], ["host", "host_fam=omniconnect|loc=Munich", "healthcare", "distinct_card_types", 1.25, 0.4330127018922193, 2.0, 8], ["host", "host_fam=omniconnect|loc=Hamburg", "healthcare", "distinct_card_types", 1.0, 0.0, 1.0, 5]]} \ No newline at end of file diff --git a/parsers/ueba_entity_risk b/parsers/ueba_entity_risk new file mode 100644 index 0000000..cbd151f --- /dev/null +++ b/parsers/ueba_entity_risk @@ -0,0 +1 @@ +{"columnNames": ["entity_type", "entity_id", "date", "score"], "rows": [["user", ".anna.schmidt", 1778630400000000000, 23.57], ["user", ".anna.schmidt", 1778716800000000000, 56.48], ["user", "lab.tech.sarah.koch", 1778630400000000000, 48.55], ["user", "lab.tech.sarah.koch", 1778716800000000000, 61.95], ["user", "nurse.maria.m\\u00fcller", 1778630400000000000, 52.32], ["user", "nurse.maria.m\\u00fcller", 1778716800000000000, 67.04], ["user", "pharmacist.hans.meyer", 1778630400000000000, 42.16], ["user", "pharmacist.hans.meyer", 1778716800000000000, 64.47], ["user", ".lisa.bauer", 1778630400000000000, 24.49], ["user", ".lisa.bauer", 1778716800000000000, 55.79], ["user", ".thomas.weber", 1778630400000000000, 54.25], ["user", ".thomas.weber", 1778716800000000000, 67.04], ["user", "admin.klaus.fischer", 1778630400000000000, 34.64], ["user", "admin.klaus.fischer", 1778716800000000000, 48.64], ["user", "billing.clerk.peter.wolf", 1778630400000000000, 65.91], ["user", "billing.clerk.peter.wolf", 1778716800000000000, 65.91], ["host", "avelios-app-01.berlin.local", 1778630400000000000, 42.63], ["host", "avelios-app-01.berlin.local", 1778716800000000000, 42.63], ["host", "avelios-app-01.munich.local", 1778630400000000000, 18.38], ["host", "avelios-app-01.munich.local", 1778716800000000000, 41.11], ["host", "avelios-app-02.berlin.local", 1778630400000000000, 28.14], ["host", "avelios-app-02.berlin.local", 1778716800000000000, 46.88], ["host", "avelios-app-02.munich.local", 1778630400000000000, 26.0], ["host", "avelios-app-02.munich.local", 1778716800000000000, 39.0], ["host", "avelios-app-03.berlin.local", 1778630400000000000, 48.65], ["host", "avelios-app-03.berlin.local", 1778716800000000000, 56.72], ["host", "avelios-int-01.berlin.local", 1778630400000000000, 18.39], ["host", "avelios-int-01.berlin.local", 1778716800000000000, 47.35], ["host", "avelios-app-03.munich.local", 1778630400000000000, 63.69], ["host", "avelios-app-03.munich.local", 1778716800000000000, 45.03], ["host", "avelios-int-01.munich.local", 1778630400000000000, 13.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, 40.04], ["host", "omniconnect-ber-01.local", 1778630400000000000, 39.19], ["host", "omniconnect-ber-01.local", 1778716800000000000, 59.07], ["host", "omniconnect-fra-01.local", 1778630400000000000, 59.55], ["host", "omniconnect-fra-01.local", 1778716800000000000, 82.61], ["host", "omniconnect-mun-01.local", 1778630400000000000, 83.27], ["host", "omniconnect-mun-01.local", 1778716800000000000, 88.22], ["host", "omniconnect-ham-01.local", 1778630400000000000, 42.69], ["host", "omniconnect-ham-01.local", 1778716800000000000, 64.57]]} \ No newline at end of file diff --git a/parsers/ueba_family_scores_hourly b/parsers/ueba_family_scores_hourly new file mode 100644 index 0000000..babe0e2 --- /dev/null +++ b/parsers/ueba_family_scores_hourly @@ -0,0 +1 @@ +{"columnNames": ["entity_type", "entity_id", "hour_ts", "family", "family_score", "n_features"], "rows": [["user", ".anna.schmidt", 1778702400000000000, "auth", 23.57, 17], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", 22.36, 15], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", 15.28, 17], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", 22.36, 15], ["user", ".anna.schmidt", 1778706000000000000, "auth", 23.57, 17], ["user", ".lisa.bauer", 1778706000000000000, "auth", 6.32, 17], ["user", ".thomas.weber", 1778706000000000000, "auth", 30.0, 17], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", 18.26, 17], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", 31.62, 17], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", 14.14, 17], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", 22.36, 17], ["user", ".lisa.bauer", 1778709600000000000, "auth", 24.49, 17], ["user", ".thomas.weber", 1778709600000000000, "auth", 30.0, 17], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", 34.64, 17], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", 31.62, 17], ["user", ".anna.schmidt", 1778713200000000000, "auth", 8.32, 17], ["user", ".lisa.bauer", 1778713200000000000, "auth", 6.32, 17], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", 23.45, 17], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", 22.36, 17], ["user", ".anna.schmidt", 1778716800000000000, "auth", 22.19, 17], ["user", ".thomas.weber", 1778716800000000000, "auth", 20.0, 17], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", 21.21, 17], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", 14.14, 17], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", 22.36, 17], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", 31.62, 17], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", 30.0, 17], ["user", ".lisa.bauer", 1778724000000000000, "auth", 6.32, 17], ["user", ".thomas.weber", 1778724000000000000, "auth", 12.25, 17], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", 15.0, 17], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", 30.0, 17], ["user", ".anna.schmidt", 1778727600000000000, "auth", 16.33, 17], ["user", ".thomas.weber", 1778727600000000000, "auth", 13.73, 17], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", 15.0, 17], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", 13.23, 17], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", 33.17, 17], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", 34.64, 17], ["user", ".anna.schmidt", 1778734800000000000, "auth", 21.21, 17], ["user", ".lisa.bauer", 1778734800000000000, "auth", 6.32, 17], ["user", ".thomas.weber", 1778734800000000000, "auth", 30.0, 17], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", 18.26, 17], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", 22.36, 17], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", 30.0, 17], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", 17.32, 17], ["user", ".anna.schmidt", 1778742000000000000, "auth", 16.33, 17], ["user", ".thomas.weber", 1778742000000000000, "auth", 30.0, 17], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", 18.26, 17], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", 28.01, 17], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", 15.28, 17], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", 22.36, 17], ["user", ".anna.schmidt", 1778745600000000000, "auth", 8.32, 17], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", 34.64, 17], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", 21.21, 17], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", 22.36, 17], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", 22.36, 17], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", 22.36, 17], ["user", ".lisa.bauer", 1778749200000000000, "auth", 24.49, 17], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", 18.26, 17], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", 15.28, 17], ["user", ".anna.schmidt", 1778752800000000000, "auth", 21.21, 17], ["user", ".thomas.weber", 1778752800000000000, "auth", 25.24, 17], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", 15.28, 17], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", 22.36, 17], ["user", ".anna.schmidt", 1778756400000000000, "auth", 21.21, 17], ["user", ".thomas.weber", 1778756400000000000, "auth", 30.0, 17], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", 21.21, 17], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", 33.17, 17], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", 34.64, 17], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", 31.62, 17], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", 20.0, 17], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", 22.36, 17], ["user", ".anna.schmidt", 1778763600000000000, "auth", 21.21, 17], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", 23.45, 17], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", 21.21, 17], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", 22.36, 17], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", 20.0, 17], ["user", ".lisa.bauer", 1778767200000000000, "auth", 24.49, 17], ["user", ".thomas.weber", 1778767200000000000, "auth", 20.0, 17], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", 34.64, 17], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", 16.85, 17], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", 17.32, 17], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", 32.79, 9], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", 14.14, 9], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", 12.13, 11], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", 20.0, 11], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", 15.07, 9], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", 11.29, 11], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", 20.63, 11], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", 7.07, 11], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", 21.65, 11], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", 37.42, 11], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", 48.99, 11], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", 14.15, 11], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", 10.0, 11], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", 7.07, 10], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", 15.28, 10], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", 19.76, 10], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", 11.55, 11], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", 12.25, 11], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", 9.7, 11], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", 9.42, 11], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", 11.92, 11], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", 9.13, 10], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", 10.51, 11], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", 19.61, 11], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", 15.07, 11], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", 9.42, 11], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", 11.18, 11], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", 10.0, 11], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", 10.0, 10], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", 11.55, 11], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", 12.25, 11], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", 43.63, 11], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", 11.92, 11], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", 16.04, 11], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", 17.89, 10], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", 13.61, 10], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", 32.79, 11], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", 15.81, 11], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", 14.15, 11], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", 16.04, 11], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", 22.36, 10], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", 10.0, 10], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", 15.07, 11], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", 14.14, 11], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", 12.13, 11], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", 8.16, 11], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", 15.81, 11], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", 14.15, 11], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", 7.07, 10], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", 20.43, 10], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", 17.89, 10], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", 7.07, 11], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", 10.38, 11], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", 19.39, 11], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", 9.42, 11], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", 11.18, 11], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", 14.14, 11], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", 15.07, 11], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", 36.42, 11], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", 16.04, 11], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", 14.14, 10], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", 8.16, 10], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", 10.0, 10], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", 16.33, 10], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", 32.79, 11], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", 7.07, 11], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", 12.13, 11], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", 15.07, 11], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", 9.42, 11], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", 14.15, 11], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", 8.16, 10], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", 10.0, 10], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", 23.57, 10], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", 27.08, 11], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", 16.04, 11], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", 16.71, 10], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", 10.95, 10], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", 15.07, 11], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", 29.41, 11], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", 10.38, 11], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", 8.16, 11], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", 9.42, 11], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", 9.7, 11], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", 25.3, 11], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", 9.7, 11], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", 31.62, 11], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", 12.13, 11], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", 30.0, 11], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", 15.81, 11], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", 27.08, 11], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", 9.7, 11], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", 16.04, 11], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", 22.36, 10], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", 20.0, 10], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", 16.33, 10], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", 10.51, 11], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", 7.07, 11], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", 19.61, 11], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", 9.7, 11], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", 10.0, 11], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", 14.14, 10], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", 10.95, 10], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", 10.51, 11], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", 7.07, 11], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", 36.06, 11], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", 8.16, 11], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", 31.62, 11], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", 21.08, 11], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", 10.0, 11], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", 21.21, 10], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", 10.51, 11], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", 7.07, 11], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", 4.85, 11], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", 15.07, 11], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", 22.99, 11], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", 10.0, 11], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", 10.51, 11], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", 8.16, 11], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", 19.61, 11], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", 14.15, 11], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", 30.8, 11], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", 8.16, 10], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", 9.7, 11], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", 7.07, 11], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", 30.0, 11], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", 15.07, 11], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", 9.42, 11], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", 11.92, 11], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", 10.0, 11], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", 7.07, 10], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", 15.28, 10], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", 10.95, 10], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", 9.7, 11], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", 12.13, 11], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", 12.25, 11], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", 15.07, 11], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", 9.42, 11], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", 11.92, 11], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", 10.0, 11], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", 15.28, 10], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", 10.95, 10], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", 0.0, 15], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", 22.36, 16], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", 0.0, 15], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", 14.14, 16], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", 0.0, 15], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", 14.14, 16], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", 22.36, 16], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", 0.0, 15], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", 17.32, 16], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", 0.0, 15], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", 14.14, 16], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", 0.0, 15], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", 22.36, 16], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", 0.0, 15], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", 22.36, 16], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", 0.0, 15], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", 17.32, 16], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", 0.0, 15], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", 0.0, 16], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", 15.08, 16], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", 22.36, 16], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", 0.0, 15], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", 22.36, 16], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", 0.0, 15], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", 0.0, 15], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", 0.0, 15], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", 17.32, 16], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", 24.49, 14], ["user", ".thomas.weber", 1778706000000000000, "cloud", 17.32, 14], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", 11.18, 14], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", 26.46, 14], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", 14.14, 14], ["user", ".thomas.weber", 1778709600000000000, "cloud", 17.32, 14], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", 24.49, 16], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", 18.71, 16], ["user", ".thomas.weber", 1778716800000000000, "cloud", 26.46, 16], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", 24.49, 16], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", 18.71, 14], ["user", ".anna.schmidt", 1778720400000000000, "cloud", 14.9, 16], ["user", ".thomas.weber", 1778720400000000000, "cloud", 12.91, 14], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", 25.0, 16], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", 22.36, 14], ["user", ".anna.schmidt", 1778724000000000000, "cloud", 11.55, 16], ["user", ".lisa.bauer", 1778724000000000000, "cloud", 14.14, 16], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", 10.0, 16], ["user", ".thomas.weber", 1778727600000000000, "cloud", 12.91, 14], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", 17.32, 14], ["user", ".anna.schmidt", 1778731200000000000, "cloud", 24.49, 16], ["user", ".lisa.bauer", 1778731200000000000, "cloud", 22.36, 14], ["user", ".thomas.weber", 1778731200000000000, "cloud", 26.46, 14], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", 24.49, 16], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", 17.32, 14], ["user", ".lisa.bauer", 1778734800000000000, "cloud", 22.36, 16], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", 17.32, 14], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", 11.18, 14], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", 17.32, 14], ["user", ".anna.schmidt", 1778742000000000000, "cloud", 16.27, 16], ["user", ".lisa.bauer", 1778742000000000000, "cloud", 22.36, 17], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", 28.28, 14], ["user", ".anna.schmidt", 1778745600000000000, "cloud", 24.49, 14], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", 24.49, 14], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", 14.14, 14], ["user", ".anna.schmidt", 1778749200000000000, "cloud", 24.49, 14], ["user", ".lisa.bauer", 1778749200000000000, "cloud", 14.14, 14], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", 17.32, 14], ["user", ".lisa.bauer", 1778752800000000000, "cloud", 14.14, 16], ["user", ".thomas.weber", 1778752800000000000, "cloud", 17.32, 14], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", 28.28, 16], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", 22.36, 16], ["user", ".thomas.weber", 1778756400000000000, "cloud", 26.46, 14], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", 18.71, 14], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", 17.32, 14], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", 22.36, 14], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", 10.0, 14], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", 24.49, 14], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", 26.46, 16], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", 22.36, 14], ["user", ".anna.schmidt", 1778763600000000000, "cloud", 24.49, 14], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", 15.81, 14], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", 28.28, 16], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", 20.0, 20], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", 26.46, 20], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", 26.46, 20], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", 17.32, 20], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", 12.25, 20], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", 8.16, 20], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", 12.25, 20], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", 26.46, 20], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", 20.0, 20], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", 12.25, 20], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", 17.32, 20], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", 20.0, 20], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", 26.46, 20], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", 17.32, 20], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", 20.0, 20], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", 26.46, 20], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", 17.32, 20], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", 26.46, 20], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", 20.0, 20], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", 17.32, 20], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", 26.46, 20], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", 20.0, 20], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", 17.32, 20], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", 17.32, 20], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", 26.46, 20], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", 26.46, 20]]} \ No newline at end of file diff --git a/parsers/ueba_feature_scores_hourly b/parsers/ueba_feature_scores_hourly new file mode 100644 index 0000000..8d884fa --- /dev/null +++ b/parsers/ueba_feature_scores_hourly @@ -0,0 +1 @@ +{"columnNames": ["entity_type", "entity_id", "hour_ts", "family", "feature_name", "value", "z_self", "z_peer", "over_q99", "over_q99_peer", "feature_score"], "rows": [["user", ".anna.schmidt", 1778702400000000000, "auth", "auth_total", 3.0, 2.357, 0.0, 0, 0, 2.357], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "auth_total", 1.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "auth_total", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".anna.schmidt", 1778706000000000000, "auth", "auth_total", 2.0, 0.832, 0.0, 0, 0, 0.832], ["user", ".lisa.bauer", 1778706000000000000, "auth", "auth_total", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "auth_total", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "auth_total", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "auth_total", 2.0, 1.414, 0.0, 0, 0, 1.414], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".lisa.bauer", 1778709600000000000, "auth", "auth_total", 3.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".thomas.weber", 1778709600000000000, "auth", "auth_total", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "auth_total", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", ".anna.schmidt", 1778713200000000000, "auth", "auth_total", 1.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".lisa.bauer", 1778713200000000000, "auth", "auth_total", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".anna.schmidt", 1778716800000000000, "auth", "auth_total", 2.0, 0.832, 0.0, 0, 0, 0.832], ["user", ".thomas.weber", 1778716800000000000, "auth", "auth_total", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "auth_total", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "auth_total", 1.0, -0.707, 0.0, 0, 0, 0.707], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "auth_total", 2.0, 1.069, 1.069, 0, 0, 1.069], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "auth_total", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "auth_total", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".lisa.bauer", 1778724000000000000, "auth", "auth_total", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "auth_total", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "auth_total", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778727600000000000, "auth", "auth_total", 1.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778727600000000000, "auth", "auth_total", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "auth_total", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "auth_total", 3.0, 2.673, 2.673, 0, 0, 2.673], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "auth_total", 2.0, 1.826, 1.826, 0, 0, 1.826], ["user", ".anna.schmidt", 1778734800000000000, "auth", "auth_total", 1.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".lisa.bauer", 1778734800000000000, "auth", "auth_total", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "auth_total", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "auth_total", 2.0, 1.414, 0.0, 0, 0, 1.414], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "auth_total", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".anna.schmidt", 1778742000000000000, "auth", "auth_total", 1.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778742000000000000, "auth", "auth_total", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "auth_total", 3.0, 2.219, 2.219, 0, 0, 2.219], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "auth_total", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".anna.schmidt", 1778745600000000000, "auth", "auth_total", 1.0, -0.693, 0.0, 0, 0, 0.693], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "auth_total", 2.0, 1.826, 1.826, 0, 0, 1.826], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "auth_total", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "auth_total", 1.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "auth_total", 3.0, 2.236, 2.236, 0, 0, 2.236], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".lisa.bauer", 1778749200000000000, "auth", "auth_total", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "auth_total", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778752800000000000, "auth", "auth_total", 1.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778752800000000000, "auth", "auth_total", 4.0, 2.524, 2.524, 0, 0, 2.524], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "auth_total", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "auth_total", 2.0, 1.069, 1.069, 0, 0, 1.069], ["user", ".anna.schmidt", 1778756400000000000, "auth", "auth_total", 2.0, 0.832, 0.0, 0, 0, 0.832], ["user", ".thomas.weber", 1778756400000000000, "auth", "auth_total", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "auth_total", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "auth_total", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "auth_total", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".anna.schmidt", 1778763600000000000, "auth", "auth_total", 1.0, -0.693, 0.0, 0, 0, 0.693], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "auth_total", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "auth_total", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "auth_total", 1.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "auth_total", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".lisa.bauer", 1778767200000000000, "auth", "auth_total", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "auth_total", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "auth_total", 2.0, 1.826, 1.826, 0, 0, 1.826], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "auth_total", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "auth_total", 1.0, -0.535, -0.535, 0, 0, 0.535], ["user", ".anna.schmidt", 1778702400000000000, "auth", "auth_fail", 1.0, 0.693, 0.0, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "auth_fail", 1.0, 1.0, 0.0, 0, 0, 1.0], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "auth_fail", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "auth_fail", 1.0, 0.42, 0.42, 0, 0, 0.42], ["user", ".anna.schmidt", 1778706000000000000, "auth", "auth_fail", 0.0, -0.832, 0.0, 0, 0, 0.832], ["user", ".lisa.bauer", 1778706000000000000, "auth", "auth_fail", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "auth_fail", 0.0, -1.225, -1.225, 0, 0, 1.225], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "auth_fail", 0.0, -1.588, -1.588, 0, 0, 1.588], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "auth_fail", 1.0, 0.693, 0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "auth_fail", 1.0, 1.0, 0.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "auth_fail", 1.0, 0.42, 0.42, 0, 0, 0.42], ["user", ".lisa.bauer", 1778709600000000000, "auth", "auth_fail", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778709600000000000, "auth", "auth_fail", 1.0, 0.816, 0.816, 0, 0, 0.816], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "auth_fail", 1.0, 0.693, 0.693, 0, 0, 0.693], ["user", ".anna.schmidt", 1778713200000000000, "auth", "auth_fail", 0.0, -0.832, 0.0, 0, 0, 0.832], ["user", ".lisa.bauer", 1778713200000000000, "auth", "auth_fail", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "auth_fail", 1.0, 0.42, 0.42, 0, 0, 0.42], ["user", ".anna.schmidt", 1778716800000000000, "auth", "auth_fail", 2.0, 2.219, 0.0, 0, 0, 2.219], ["user", ".thomas.weber", 1778716800000000000, "auth", "auth_fail", 1.0, 0.816, 0.816, 0, 0, 0.816], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "auth_fail", 0.0, -0.832, -0.832, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "auth_fail", 1.0, 1.0, 0.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "auth_fail", 2.0, 2.1, 2.1, 0, 0, 2.1], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "auth_fail", 0.0, -0.832, -0.832, 0, 0, 0.832], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "auth_fail", 1.0, 1.0, 1.0, 0, 0, 1.0], ["user", ".lisa.bauer", 1778724000000000000, "auth", "auth_fail", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "auth_fail", 0.0, -1.225, -1.225, 0, 0, 1.225], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "auth_fail", 1.0, 1.0, 1.0, 0, 0, 1.0], ["user", ".anna.schmidt", 1778727600000000000, "auth", "auth_fail", 0.0, -0.832, 0.0, 0, 0, 0.832], ["user", ".thomas.weber", 1778727600000000000, "auth", "auth_fail", 0.0, -1.225, -1.225, 0, 0, 1.225], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "auth_fail", 0.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "auth_fail", 1.0, 0.42, 0.42, 0, 0, 0.42], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "auth_fail", 2.0, 2.165, 2.165, 0, 0, 2.165], ["user", ".anna.schmidt", 1778734800000000000, "auth", "auth_fail", 1.0, 0.693, 0.0, 0, 0, 0.693], ["user", ".lisa.bauer", 1778734800000000000, "auth", "auth_fail", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "auth_fail", 1.0, 0.816, 0.816, 0, 0, 0.816], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "auth_fail", 0.0, -1.0, 0.0, 0, 0, 1.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "auth_fail", 1.0, 1.0, 1.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "auth_fail", 1.0, 0.42, 0.42, 0, 0, 0.42], ["user", ".anna.schmidt", 1778742000000000000, "auth", "auth_fail", 0.0, -0.832, 0.0, 0, 0, 0.832], ["user", ".thomas.weber", 1778742000000000000, "auth", "auth_fail", 1.0, 0.816, 0.816, 0, 0, 0.816], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "auth_fail", 2.0, 2.219, 2.219, 0, 0, 2.219], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "auth_fail", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "auth_fail", 0.0, -1.26, -1.26, 0, 0, 1.26], ["user", ".anna.schmidt", 1778745600000000000, "auth", "auth_fail", 0.0, -0.832, 0.0, 0, 0, 0.832], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "auth_fail", 0.0, -0.832, -0.832, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "auth_fail", 0.0, -1.0, 0.0, 0, 0, 1.0], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "auth_fail", 1.0, 1.0, 1.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "auth_fail", 1.0, 0.42, 0.42, 0, 0, 0.42], ["user", ".lisa.bauer", 1778749200000000000, "auth", "auth_fail", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "auth_fail", 0.0, -1.588, -1.588, 0, 0, 1.588], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "auth_fail", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", ".anna.schmidt", 1778752800000000000, "auth", "auth_fail", 1.0, 0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778752800000000000, "auth", "auth_fail", 0.0, -1.225, -1.225, 0, 0, 1.225], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "auth_fail", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "auth_fail", 1.0, 0.42, 0.42, 0, 0, 0.42], ["user", ".anna.schmidt", 1778756400000000000, "auth", "auth_fail", 1.0, 0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778756400000000000, "auth", "auth_fail", 1.0, 0.816, 0.816, 0, 0, 0.816], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "auth_fail", 0.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "auth_fail", 0.0, -1.26, -1.26, 0, 0, 1.26], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "auth_fail", 0.0, -1.588, -1.588, 0, 0, 1.588], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "auth_fail", 1.0, 0.693, 0.693, 0, 0, 0.693], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "auth_fail", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "auth_fail", 0.0, -1.26, -1.26, 0, 0, 1.26], ["user", ".anna.schmidt", 1778763600000000000, "auth", "auth_fail", 0.0, -0.832, 0.0, 0, 0, 0.832], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "auth_fail", 0.0, -0.832, -0.832, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "auth_fail", 0.0, -1.0, 0.0, 0, 0, 1.0], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "auth_fail", 1.0, 1.0, 1.0, 0, 0, 1.0], ["user", ".lisa.bauer", 1778767200000000000, "auth", "auth_fail", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "auth_fail", 1.0, 0.816, 0.816, 0, 0, 0.816], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "auth_fail", 1.0, 0.289, 0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "auth_fail", 1.0, 0.693, 0.693, 0, 0, 0.693], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "auth_fail", 0.0, -1.26, -1.26, 0, 0, 1.26], ["user", ".anna.schmidt", 1778702400000000000, "auth", "auth_succ", 2.0, 1.633, 0.0, 0, 0, 1.633], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "auth_succ", 0.0, -1.213, 0.0, 0, 0, 1.213], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "auth_succ", 0.0, -0.911, -0.911, 0, 0, 0.911], ["user", ".anna.schmidt", 1778706000000000000, "auth", "auth_succ", 2.0, 1.633, 0.0, 0, 0, 1.633], ["user", ".lisa.bauer", 1778706000000000000, "auth", "auth_succ", 1.0, -0.171, 0.0, 0, 0, 0.171], ["user", ".thomas.weber", 1778706000000000000, "auth", "auth_succ", 2.0, 0.686, 0.686, 0, 0, 0.686], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "auth_succ", 1.0, 1.265, 1.265, 0, 0, 1.265], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "auth_succ", 1.0, 0.243, 0.0, 0, 0, 0.243], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "auth_succ", 0.0, -0.911, -0.911, 0, 0, 0.911], ["user", ".lisa.bauer", 1778709600000000000, "auth", "auth_succ", 3.0, 2.229, 0.0, 0, 0, 2.229], ["user", ".thomas.weber", 1778709600000000000, "auth", "auth_succ", 1.0, -0.171, -0.171, 0, 0, 0.171], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "auth_succ", 0.0, -1.658, -1.658, 0, 0, 1.658], ["user", ".anna.schmidt", 1778713200000000000, "auth", "auth_succ", 1.0, 0.136, 0.0, 0, 0, 0.136], ["user", ".lisa.bauer", 1778713200000000000, "auth", "auth_succ", 1.0, -0.171, 0.0, 0, 0, 0.171], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "auth_succ", 0.0, -0.911, -0.911, 0, 0, 0.911], ["user", ".anna.schmidt", 1778716800000000000, "auth", "auth_succ", 0.0, -1.361, 0.0, 0, 0, 1.361], ["user", ".thomas.weber", 1778716800000000000, "auth", "auth_succ", 1.0, -0.171, -0.171, 0, 0, 0.171], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "auth_succ", 0.0, -1.213, 0.0, 0, 0, 1.213], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "auth_succ", 0.0, -0.911, -0.911, 0, 0, 0.911], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "auth", "auth_succ", 1.0, -0.171, 0.0, 0, 0, 0.171], ["user", ".thomas.weber", 1778724000000000000, "auth", "auth_succ", 1.0, -0.171, -0.171, 0, 0, 0.171], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778727600000000000, "auth", "auth_succ", 1.0, 0.136, 0.0, 0, 0, 0.136], ["user", ".thomas.weber", 1778727600000000000, "auth", "auth_succ", 2.0, 0.686, 0.686, 0, 0, 0.686], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "auth_succ", 2.0, 2.213, 2.213, 0, 0, 2.213], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", ".anna.schmidt", 1778734800000000000, "auth", "auth_succ", 0.0, -1.361, 0.0, 0, 0, 1.361], ["user", ".lisa.bauer", 1778734800000000000, "auth", "auth_succ", 1.0, -0.171, 0.0, 0, 0, 0.171], ["user", ".thomas.weber", 1778734800000000000, "auth", "auth_succ", 0.0, -1.029, -1.029, 0, 0, 1.029], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "auth_succ", 2.0, 1.698, 0.0, 0, 0, 1.698], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "auth_succ", 0.0, -2.236, -2.236, 0, 0, 2.236], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "auth_succ", 0.0, -0.911, -0.911, 0, 0, 0.911], ["user", ".anna.schmidt", 1778742000000000000, "auth", "auth_succ", 1.0, 0.136, 0.0, 0, 0, 0.136], ["user", ".thomas.weber", 1778742000000000000, "auth", "auth_succ", 0.0, -1.029, -1.029, 0, 0, 1.029], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "auth_succ", 1.0, 0.651, 0.651, 0, 0, 0.651], ["user", ".anna.schmidt", 1778745600000000000, "auth", "auth_succ", 1.0, 0.136, 0.0, 0, 0, 0.136], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "auth_succ", 1.0, 1.265, 1.265, 0, 0, 1.265], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "auth_succ", 2.0, 1.658, 1.658, 0, 0, 1.658], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "auth_succ", 1.0, 0.243, 0.0, 0, 0, 0.243], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "auth_succ", 2.0, 2.236, 2.236, 0, 0, 2.236], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "auth_succ", 0.0, -0.911, -0.911, 0, 0, 0.911], ["user", ".lisa.bauer", 1778749200000000000, "auth", "auth_succ", 0.0, -1.372, 0.0, 0, 0, 1.372], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "auth_succ", 1.0, 1.265, 1.265, 0, 0, 1.265], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778752800000000000, "auth", "auth_succ", 0.0, -1.361, 0.0, 0, 0, 1.361], ["user", ".thomas.weber", 1778752800000000000, "auth", "auth_succ", 4.0, 2.401, 2.401, 0, 0, 2.401], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "auth_succ", 1.0, 0.651, 0.651, 0, 0, 0.651], ["user", ".anna.schmidt", 1778756400000000000, "auth", "auth_succ", 1.0, 0.136, 0.0, 0, 0, 0.136], ["user", ".thomas.weber", 1778756400000000000, "auth", "auth_succ", 1.0, -0.171, -0.171, 0, 0, 0.171], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "auth_succ", 1.0, 0.651, 0.651, 0, 0, 0.651], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "auth_succ", 1.0, 1.265, 1.265, 0, 0, 1.265], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "auth_succ", 1.0, 0.651, 0.651, 0, 0, 0.651], ["user", ".anna.schmidt", 1778763600000000000, "auth", "auth_succ", 1.0, 0.136, 0.0, 0, 0, 0.136], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "auth_succ", 0.0, -0.791, -0.791, 0, 0, 0.791], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "auth_succ", 2.0, 1.658, 1.658, 0, 0, 1.658], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "auth_succ", 1.0, 0.243, 0.0, 0, 0, 0.243], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "auth_succ", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778767200000000000, "auth", "auth_succ", 1.0, -0.171, 0.0, 0, 0, 0.171], ["user", ".thomas.weber", 1778767200000000000, "auth", "auth_succ", 0.0, -1.029, -1.029, 0, 0, 1.029], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "auth_succ", 1.0, 1.265, 1.265, 0, 0, 1.265], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "auth_succ", 0.0, -1.658, -1.658, 0, 0, 1.658], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "auth_succ", 1.0, 0.651, 0.651, 0, 0, 0.651], ["user", ".anna.schmidt", 1778702400000000000, "auth", "auth_fail_ratio", 0.3333333333333333, -0.035, 0.0, 0, 0, 0.035], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "auth_fail_ratio", 1.0, 1.3, 0.0, 0, 0, 1.3], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "auth_fail_ratio", 0.0, -0.871, -0.871, 0, 0, 0.871], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "auth_fail_ratio", 1.0, 0.949, 0.949, 0, 0, 0.949], ["user", ".anna.schmidt", 1778706000000000000, "auth", "auth_fail_ratio", 0.0, -0.812, 0.0, 0, 0, 0.812], ["user", ".lisa.bauer", 1778706000000000000, "auth", "auth_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "auth_fail_ratio", 0.0, -1.083, -1.083, 0, 0, 1.083], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "auth_fail_ratio", 0.0, -1.657, -1.657, 0, 0, 1.657], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "auth_fail_ratio", 0.5, 0.421, 0.421, 0, 0, 0.421], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "auth_fail_ratio", 0.5, 0.186, 0.0, 0, 0, 0.186], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "auth_fail_ratio", 1.0, 0.949, 0.949, 0, 0, 0.949], ["user", ".lisa.bauer", 1778709600000000000, "auth", "auth_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778709600000000000, "auth", "auth_fail_ratio", 0.5, 0.12, 0.12, 0, 0, 0.12], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "auth_fail_ratio", 1.0, 1.685, 1.685, 0, 0, 1.685], ["user", ".anna.schmidt", 1778713200000000000, "auth", "auth_fail_ratio", 0.0, -0.812, 0.0, 0, 0, 0.812], ["user", ".lisa.bauer", 1778713200000000000, "auth", "auth_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "auth_fail_ratio", 1.0, 0.949, 0.949, 0, 0, 0.949], ["user", ".anna.schmidt", 1778716800000000000, "auth", "auth_fail_ratio", 1.0, 1.518, 0.0, 0, 0, 1.518], ["user", ".thomas.weber", 1778716800000000000, "auth", "auth_fail_ratio", 0.5, 0.12, 0.12, 0, 0, 0.12], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "auth_fail_ratio", 0.0, -0.842, -0.842, 0, 0, 0.842], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "auth_fail_ratio", 1.0, 1.3, 0.0, 0, 0, 1.3], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "auth_fail_ratio", 1.0, 0.949, 0.949, 0, 0, 0.949], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "auth_fail_ratio", 0.0, -0.842, -0.842, 0, 0, 0.842], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "auth_fail_ratio", 0.5, 0.666, 0.666, 0, 0, 0.666], ["user", ".lisa.bauer", 1778724000000000000, "auth", "auth_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "auth_fail_ratio", 0.0, -1.083, -1.083, 0, 0, 1.083], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "auth_fail_ratio", 0.5, 0.666, 0.666, 0, 0, 0.666], ["user", ".anna.schmidt", 1778727600000000000, "auth", "auth_fail_ratio", 0.0, -0.812, 0.0, 0, 0, 0.812], ["user", ".thomas.weber", 1778727600000000000, "auth", "auth_fail_ratio", 0.0, -1.083, -1.083, 0, 0, 1.083], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "auth_fail_ratio", 0.0, -0.842, -0.842, 0, 0, 0.842], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "auth_fail_ratio", 0.3333333333333333, -0.52, -0.52, 0, 0, 0.52], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", ".anna.schmidt", 1778734800000000000, "auth", "auth_fail_ratio", 1.0, 1.518, 0.0, 0, 0, 1.518], ["user", ".lisa.bauer", 1778734800000000000, "auth", "auth_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "auth_fail_ratio", 1.0, 1.324, 1.324, 0, 0, 1.324], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "auth_fail_ratio", 0.0, -0.928, 0.0, 0, 0, 0.928], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "auth_fail_ratio", 1.0, 2.203, 2.203, 0, 0, 2.203], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "auth_fail_ratio", 1.0, 0.949, 0.949, 0, 0, 0.949], ["user", ".anna.schmidt", 1778742000000000000, "auth", "auth_fail_ratio", 0.0, -0.812, 0.0, 0, 0, 0.812], ["user", ".thomas.weber", 1778742000000000000, "auth", "auth_fail_ratio", 1.0, 1.324, 1.324, 0, 0, 1.324], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "auth_fail_ratio", 0.6666666666666666, 0.842, 0.842, 0, 0, 0.842], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "auth_fail_ratio", 0.0, -0.871, -0.871, 0, 0, 0.871], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "auth_fail_ratio", 0.0, -1.255, -1.255, 0, 0, 1.255], ["user", ".anna.schmidt", 1778745600000000000, "auth", "auth_fail_ratio", 0.0, -0.812, 0.0, 0, 0, 0.812], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "auth_fail_ratio", 0.5, -0.46, -0.46, 0, 0, 0.46], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "auth_fail_ratio", 0.0, -0.842, -0.842, 0, 0, 0.842], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "auth_fail_ratio", 0.0, -0.928, 0.0, 0, 0, 0.928], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "auth_fail_ratio", 0.3333333333333333, 0.154, 0.154, 0, 0, 0.154], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "auth_fail_ratio", 1.0, 0.949, 0.949, 0, 0, 0.949], ["user", ".lisa.bauer", 1778749200000000000, "auth", "auth_fail_ratio", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "auth_fail_ratio", 0.0, -1.657, -1.657, 0, 0, 1.657], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "auth_fail_ratio", 0.0, -0.871, -0.871, 0, 0, 0.871], ["user", ".anna.schmidt", 1778752800000000000, "auth", "auth_fail_ratio", 1.0, 1.518, 0.0, 0, 0, 1.518], ["user", ".thomas.weber", 1778752800000000000, "auth", "auth_fail_ratio", 0.0, -1.083, -1.083, 0, 0, 1.083], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "auth_fail_ratio", 0.0, -0.871, -0.871, 0, 0, 0.871], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "auth_fail_ratio", 0.5, -0.153, -0.153, 0, 0, 0.153], ["user", ".anna.schmidt", 1778756400000000000, "auth", "auth_fail_ratio", 0.5, 0.353, 0.0, 0, 0, 0.353], ["user", ".thomas.weber", 1778756400000000000, "auth", "auth_fail_ratio", 0.5, 0.12, 0.12, 0, 0, 0.12], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "auth_fail_ratio", 0.0, -0.842, -0.842, 0, 0, 0.842], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "auth_fail_ratio", 0.0, -1.255, -1.255, 0, 0, 1.255], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "auth_fail_ratio", 0.0, -1.657, -1.657, 0, 0, 1.657], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "auth_fail_ratio", 0.5, 0.421, 0.421, 0, 0, 0.421], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "auth_fail_ratio", 0.0, -0.871, -0.871, 0, 0, 0.871], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "auth_fail_ratio", 0.0, -1.255, -1.255, 0, 0, 1.255], ["user", ".anna.schmidt", 1778763600000000000, "auth", "auth_fail_ratio", 0.0, -0.812, 0.0, 0, 0, 0.812], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "auth_fail_ratio", 1.0, 0.736, 0.736, 0, 0, 0.736], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "auth_fail_ratio", 0.0, -0.842, -0.842, 0, 0, 0.842], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "auth_fail_ratio", 0.0, -0.928, 0.0, 0, 0, 0.928], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "auth_fail_ratio", 0.5, 0.666, 0.666, 0, 0, 0.666], ["user", ".lisa.bauer", 1778767200000000000, "auth", "auth_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "auth_fail_ratio", 1.0, 1.324, 1.324, 0, 0, 1.324], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "auth_fail_ratio", 0.5, -0.46, -0.46, 0, 0, 0.46], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "auth_fail_ratio", 1.0, 1.685, 1.685, 0, 0, 1.685], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "auth_fail_ratio", 0.0, -1.255, -1.255, 0, 0, 1.255], ["user", ".anna.schmidt", 1778702400000000000, "auth", "login_success", 1.0, 0.832, 0.0, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "login_success", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "login_success", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778706000000000000, "auth", "login_success", 2.0, 2.357, 0.0, 0, 0, 2.357], ["user", ".lisa.bauer", 1778706000000000000, "auth", "login_success", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "login_success", 0.0, -0.756, -0.756, 0, 0, 0.756], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "login_success", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778709600000000000, "auth", "login_success", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".thomas.weber", 1778709600000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "login_success", 0.0, -0.756, -0.756, 0, 0, 0.756], ["user", ".anna.schmidt", 1778713200000000000, "auth", "login_success", 1.0, 0.832, 0.0, 0, 0, 0.832], ["user", ".lisa.bauer", 1778713200000000000, "auth", "login_success", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778716800000000000, "auth", "login_success", 0.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778716800000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "login_success", 0.0, -0.756, -0.756, 0, 0, 0.756], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "login_success", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "login_success", 0.0, -0.756, -0.756, 0, 0, 0.756], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "login_success", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", ".lisa.bauer", 1778724000000000000, "auth", "login_success", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "login_success", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", ".anna.schmidt", 1778727600000000000, "auth", "login_success", 0.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778727600000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "login_success", 1.0, 1.323, 1.323, 0, 0, 1.323], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "login_success", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", ".anna.schmidt", 1778734800000000000, "auth", "login_success", 0.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".lisa.bauer", 1778734800000000000, "auth", "login_success", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "login_success", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "login_success", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778742000000000000, "auth", "login_success", 0.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778742000000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "login_success", 0.0, -0.756, -0.756, 0, 0, 0.756], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "login_success", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778745600000000000, "auth", "login_success", 1.0, 0.832, 0.0, 0, 0, 0.832], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "login_success", 1.0, 1.323, 1.323, 0, 0, 1.323], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "login_success", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "login_success", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778749200000000000, "auth", "login_success", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "login_success", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", ".anna.schmidt", 1778752800000000000, "auth", "login_success", 0.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778752800000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "login_success", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "login_success", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", ".anna.schmidt", 1778756400000000000, "auth", "login_success", 0.0, -0.693, 0.0, 0, 0, 0.693], ["user", ".thomas.weber", 1778756400000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "login_success", 0.0, -0.756, -0.756, 0, 0, 0.756], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "login_success", 1.0, 3.464, 3.464, 0, 0, 3.464], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "login_success", 1.0, 1.323, 1.323, 0, 0, 1.323], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "login_success", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "login_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778763600000000000, "auth", "login_success", 0.0, -0.693, 0.0, 0, 0, 0.693], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "login_success", 1.0, 1.323, 1.323, 0, 0, 1.323], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "login_success", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "login_success", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", ".lisa.bauer", 1778767200000000000, "auth", "login_success", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "login_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "login_success", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "login_success", 0.0, -0.756, -0.756, 0, 0, 0.756], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "login_success", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", ".anna.schmidt", 1778702400000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "login_failure", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".anna.schmidt", 1778706000000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778706000000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".lisa.bauer", 1778709600000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", ".anna.schmidt", 1778713200000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778713200000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "login_failure", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".anna.schmidt", 1778716800000000000, "auth", "login_failure", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", ".thomas.weber", 1778716800000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".lisa.bauer", 1778724000000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778724000000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".anna.schmidt", 1778727600000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778727600000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", ".anna.schmidt", 1778734800000000000, "auth", "login_failure", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", ".lisa.bauer", 1778734800000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778734800000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778742000000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778742000000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778745600000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "login_failure", 1.0, 3.464, 3.464, 0, 0, 3.464], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "login_failure", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".lisa.bauer", 1778749200000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".anna.schmidt", 1778752800000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778752800000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778756400000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778756400000000000, "auth", "login_failure", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "login_failure", 1.0, 3.162, 3.162, 0, 0, 3.162], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "login_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778763600000000000, "auth", "login_failure", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "login_failure", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", ".lisa.bauer", 1778767200000000000, "auth", "login_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778767200000000000, "auth", "login_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "login_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "login_failure", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "login_failure", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778702400000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "logout", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778706000000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778706000000000000, "auth", "logout", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "logout", 0.0, -0.588, -0.588, 0, 0, 0.588], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "logout", 1.0, 2.121, 2.121, 0, 0, 2.121], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "logout", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".lisa.bauer", 1778709600000000000, "auth", "logout", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778709600000000000, "auth", "logout", 0.0, -0.588, -0.588, 0, 0, 0.588], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", ".anna.schmidt", 1778713200000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778713200000000000, "auth", "logout", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778716800000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "auth", "logout", 0.0, -0.588, -0.588, 0, 0, 0.588], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "logout", 1.0, 2.121, 2.121, 0, 0, 2.121], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "logout", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".lisa.bauer", 1778724000000000000, "auth", "logout", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "logout", 1.0, 0.392, 0.392, 0, 0, 0.392], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".anna.schmidt", 1778727600000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "auth", "logout", 2.0, 1.373, 1.373, 0, 0, 1.373], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "logout", 1.0, 3.317, 3.317, 0, 0, 3.317], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", ".anna.schmidt", 1778734800000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "auth", "logout", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "logout", 0.0, -0.588, -0.588, 0, 0, 0.588], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "logout", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778742000000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778742000000000000, "auth", "logout", 0.0, -0.588, -0.588, 0, 0, 0.588], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778745600000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "logout", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".lisa.bauer", 1778749200000000000, "auth", "logout", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".anna.schmidt", 1778752800000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "auth", "logout", 3.0, 2.353, 2.353, 0, 0, 2.353], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "logout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778756400000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "auth", "logout", 0.0, -0.588, -0.588, 0, 0, 0.588], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "logout", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778763600000000000, "auth", "logout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "logout", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "logout", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "logout", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", ".lisa.bauer", 1778767200000000000, "auth", "logout", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".thomas.weber", 1778767200000000000, "auth", "logout", 0.0, -0.588, -0.588, 0, 0, 0.588], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "logout", 1.0, 3.464, 3.464, 0, 0, 3.464], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "logout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "logout", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778702400000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778706000000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".lisa.bauer", 1778706000000000000, "auth", "session_timeout", 1.0, 0.632, 0.0, 0, 0, 0.632], ["user", ".thomas.weber", 1778706000000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".lisa.bauer", 1778709600000000000, "auth", "session_timeout", 1.0, 0.632, 0.0, 0, 0, 0.632], ["user", ".thomas.weber", 1778709600000000000, "auth", "session_timeout", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", ".anna.schmidt", 1778713200000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".lisa.bauer", 1778713200000000000, "auth", "session_timeout", 1.0, 0.632, 0.0, 0, 0, 0.632], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778716800000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".thomas.weber", 1778716800000000000, "auth", "session_timeout", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".lisa.bauer", 1778724000000000000, "auth", "session_timeout", 1.0, 0.632, 0.0, 0, 0, 0.632], ["user", ".thomas.weber", 1778724000000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "session_timeout", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", ".anna.schmidt", 1778727600000000000, "auth", "session_timeout", 1.0, 1.633, 0.0, 0, 0, 1.633], ["user", ".thomas.weber", 1778727600000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778734800000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".lisa.bauer", 1778734800000000000, "auth", "session_timeout", 1.0, 0.632, 0.0, 0, 0, 0.632], ["user", ".thomas.weber", 1778734800000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778742000000000000, "auth", "session_timeout", 1.0, 1.633, 0.0, 0, 0, 1.633], ["user", ".thomas.weber", 1778742000000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "session_timeout", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".anna.schmidt", 1778745600000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "session_timeout", 1.0, 2.121, 2.121, 0, 0, 2.121], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "session_timeout", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".lisa.bauer", 1778749200000000000, "auth", "session_timeout", 0.0, -1.581, 0.0, 0, 0, 1.581], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".anna.schmidt", 1778752800000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".thomas.weber", 1778752800000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778756400000000000, "auth", "session_timeout", 1.0, 1.633, 0.0, 0, 0, 1.633], ["user", ".thomas.weber", 1778756400000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "session_timeout", 1.0, 2.121, 2.121, 0, 0, 2.121], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "session_timeout", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".anna.schmidt", 1778763600000000000, "auth", "session_timeout", 0.0, -0.612, 0.0, 0, 0, 0.612], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", ".lisa.bauer", 1778767200000000000, "auth", "session_timeout", 0.0, -1.581, 0.0, 0, 0, 1.581], ["user", ".thomas.weber", 1778767200000000000, "auth", "session_timeout", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "session_timeout", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "session_timeout", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "session_timeout", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778702400000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "mfa_success", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778706000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778706000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "auth", "mfa_success", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "mfa_success", 1.0, 1.826, 1.826, 0, 0, 1.826], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "mfa_success", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778709600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", ".anna.schmidt", 1778713200000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778713200000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778716800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "mfa_success", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "mfa_success", 1.0, 3.162, 3.162, 0, 0, 3.162], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778724000000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778727600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", ".anna.schmidt", 1778734800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778734800000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "mfa_success", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778742000000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "mfa_success", 1.0, 1.826, 1.826, 0, 0, 1.826], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "mfa_success", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "mfa_success", 1.0, 1.826, 1.826, 0, 0, 1.826], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778752800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778756400000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "mfa_success", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778767200000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778767200000000000, "auth", "mfa_success", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "mfa_success", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "mfa_success", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "mfa_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778702400000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "mfa_failure", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778706000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778706000000000000, "auth", "mfa_failure", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "mfa_failure", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778709600000000000, "auth", "mfa_failure", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778709600000000000, "auth", "mfa_failure", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "mfa_failure", 1.0, 3.464, 3.464, 0, 0, 3.464], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778713200000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778713200000000000, "auth", "mfa_failure", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778716800000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "mfa_failure", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".lisa.bauer", 1778724000000000000, "auth", "mfa_failure", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "mfa_failure", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", ".anna.schmidt", 1778727600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", ".anna.schmidt", 1778734800000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "auth", "mfa_failure", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "mfa_failure", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778742000000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "mfa_failure", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "auth", "mfa_failure", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".anna.schmidt", 1778752800000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778756400000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "mfa_failure", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".lisa.bauer", 1778767200000000000, "auth", "mfa_failure", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "mfa_failure", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "mfa_failure", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "mfa_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778702400000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "mfa_fail_ratio", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778706000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778706000000000000, "auth", "mfa_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "mfa_fail_ratio", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778709600000000000, "auth", "mfa_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778709600000000000, "auth", "mfa_fail_ratio", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "mfa_fail_ratio", 1.0, 3.464, 3.464, 0, 0, 3.464], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778713200000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778713200000000000, "auth", "mfa_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778716800000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "mfa_fail_ratio", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".lisa.bauer", 1778724000000000000, "auth", "mfa_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "mfa_fail_ratio", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", ".anna.schmidt", 1778727600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", ".anna.schmidt", 1778734800000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "auth", "mfa_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "mfa_fail_ratio", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778742000000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "mfa_fail_ratio", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "auth", "mfa_fail_ratio", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".anna.schmidt", 1778752800000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778756400000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "mfa_fail_ratio", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".lisa.bauer", 1778767200000000000, "auth", "mfa_fail_ratio", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "mfa_fail_ratio", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "mfa_fail_ratio", 0.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "mfa_fail_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778702400000000000, "auth", "password_change", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "password_change", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "password_change", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778706000000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778706000000000000, "auth", "password_change", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "password_change", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "password_change", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".lisa.bauer", 1778709600000000000, "auth", "password_change", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".thomas.weber", 1778709600000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", ".anna.schmidt", 1778713200000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778713200000000000, "auth", "password_change", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778716800000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778716800000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "password_change", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", ".lisa.bauer", 1778724000000000000, "auth", "password_change", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", ".anna.schmidt", 1778727600000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778727600000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778734800000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778734800000000000, "auth", "password_change", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "password_change", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778742000000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778742000000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "password_change", 1.0, 2.121, 2.121, 0, 0, 2.121], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778745600000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "password_change", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".lisa.bauer", 1778749200000000000, "auth", "password_change", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "password_change", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", ".anna.schmidt", 1778752800000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778752800000000000, "auth", "password_change", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "password_change", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778756400000000000, "auth", "password_change", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778756400000000000, "auth", "password_change", 1.0, 1.528, 1.528, 0, 0, 1.528], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "password_change", 1.0, 3.317, 3.317, 0, 0, 3.317], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778763600000000000, "auth", "password_change", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "password_change", 1.0, 2.121, 2.121, 0, 0, 2.121], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "password_change", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", ".lisa.bauer", 1778767200000000000, "auth", "password_change", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "password_change", 0.0, -0.655, -0.655, 0, 0, 0.655], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "password_change", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "password_change", 0.0, -0.471, -0.471, 0, 0, 0.471], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "password_change", 0.0, -0.302, -0.302, 0, 0, 0.302], ["user", ".anna.schmidt", 1778702400000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "password_reset_req", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778706000000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778706000000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "password_reset_req", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778709600000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", ".anna.schmidt", 1778713200000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778713200000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "password_reset_req", 1.0, 2.345, 2.345, 0, 0, 2.345], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778716800000000000, "auth", "password_reset_req", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", ".thomas.weber", 1778716800000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "password_reset_req", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "password_reset_req", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778724000000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778727600000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778727600000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "password_reset_req", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", ".anna.schmidt", 1778734800000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778734800000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778734800000000000, "auth", "password_reset_req", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "password_reset_req", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "password_reset_req", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", ".anna.schmidt", 1778742000000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778742000000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "password_reset_req", 2.0, 2.801, 2.801, 0, 0, 2.801], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778745600000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "password_reset_req", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778749200000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778752800000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778752800000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778756400000000000, "auth", "password_reset_req", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", ".thomas.weber", 1778756400000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778763600000000000, "auth", "password_reset_req", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "password_reset_req", 1.0, 2.345, 2.345, 0, 0, 2.345], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "password_reset_req", 0.0, -0.442, -0.442, 0, 0, 0.442], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "password_reset_req", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778767200000000000, "auth", "password_reset_req", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778767200000000000, "auth", "password_reset_req", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "password_reset_req", 0.0, -0.426, -0.426, 0, 0, 0.426], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "password_reset_req", 1.0, 1.18, 1.18, 0, 0, 1.18], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "password_reset_req", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778702400000000000, "auth", "account_locked", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778706000000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778706000000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "account_locked", 1.0, 3.162, 3.162, 0, 0, 3.162], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "account_locked", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".lisa.bauer", 1778709600000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", ".anna.schmidt", 1778713200000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778713200000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778716800000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778716800000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "account_locked", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", ".lisa.bauer", 1778724000000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778724000000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".anna.schmidt", 1778727600000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778727600000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "account_locked", 1.0, 1.826, 1.826, 0, 0, 1.826], ["user", ".anna.schmidt", 1778734800000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778734800000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778734800000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "account_locked", 1.0, 1.826, 1.826, 0, 0, 1.826], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778742000000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778742000000000000, "auth", "account_locked", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "account_locked", 1.0, 1.826, 1.826, 0, 0, 1.826], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778745600000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "account_locked", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".lisa.bauer", 1778749200000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".anna.schmidt", 1778752800000000000, "auth", "account_locked", 1.0, 2.121, 0.0, 0, 0, 2.121], ["user", ".thomas.weber", 1778752800000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778756400000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778756400000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778763600000000000, "auth", "account_locked", 0.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".lisa.bauer", 1778767200000000000, "auth", "account_locked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778767200000000000, "auth", "account_locked", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "account_locked", 0.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "account_locked", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "account_locked", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778702400000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778702400000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778702400000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778706000000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778706000000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".lisa.bauer", 1778709600000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "account_unlocked_fail", 1.0, 3.162, 3.162, 0, 0, 3.162], ["user", ".anna.schmidt", 1778713200000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778713200000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778716800000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "auth", "account_unlocked_fail", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "account_unlocked_fail", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".lisa.bauer", 1778724000000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778724000000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "account_unlocked_fail", 1.0, 1.5, 1.5, 0, 0, 1.5], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".anna.schmidt", 1778727600000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "account_unlocked_fail", 1.0, 1.5, 1.5, 0, 0, 1.5], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "account_unlocked_fail", 1.0, 1.5, 1.5, 0, 0, 1.5], ["user", ".anna.schmidt", 1778734800000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778734800000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "account_unlocked_fail", 1.0, 3.0, 3.0, 0, 0, 3.0], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778742000000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778742000000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778745600000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".lisa.bauer", 1778749200000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".anna.schmidt", 1778752800000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "account_unlocked_fail", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".anna.schmidt", 1778756400000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "auth", "account_unlocked_fail", 0.0, -0.5, -0.5, 0, 0, 0.5], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778763600000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "account_unlocked_fail", 0.0, -0.667, -0.667, 0, 0, 0.667], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "account_unlocked_fail", 0.0, -0.333, -0.333, 0, 0, 0.333], ["user", ".lisa.bauer", 1778767200000000000, "auth", "account_unlocked_fail", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778767200000000000, "auth", "account_unlocked_fail", 1.0, 2.0, 2.0, 0, 0, 2.0], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "account_unlocked_fail", 1.0, 1.5, 1.5, 0, 0, 1.5], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "account_unlocked_fail", 0.0, -0.316, -0.316, 0, 0, 0.316], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "account_unlocked_fail", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_events", 2.0, 2.0, 0.0, 0, 0, 2.0], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_events", 2.0, -0.397, 0.038, 0, 0, 0.397], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_events", 3.0, 1.961, 0.939, 0, 0, 1.961], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_events", 4.0, 1.871, 0.0, 0, 0, 1.871], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_events", 2.0, 0.354, 0.038, 0, 0, 0.354], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_events", 3.0, 0.397, 0.939, 0, 0, 0.939], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_events", 1.0, -0.896, -0.632, 0, 0, 0.896], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_events", 2.0, 0.832, 0.832, 0, 0, 0.832], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_events", 2.0, 0.354, 0.038, 0, 0, 0.354], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_events", 1.0, -1.192, -0.863, 0, 0, 1.192], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_events", 2.0, 0.832, 0.832, 0, 0, 0.832], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_events", 2.0, -0.397, 0.038, 0, 0, 0.397], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_events", 1.0, -0.896, -0.632, 0, 0, 0.896], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_events", 2.0, 0.447, 0.447, 0, 0, 0.447], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_events", 4.0, 2.475, 1.84, 0, 0, 2.475], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_events", 1.0, -1.192, -0.863, 0, 0, 1.192], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_events", 2.0, 0.498, 0.949, 0, 0, 0.949], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_events", 2.0, 0.447, 0.447, 0, 0, 0.447], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_events", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_events", 2.0, 0.354, 0.038, 0, 0, 0.354], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_events", 3.0, 0.397, 0.939, 0, 0, 0.939], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_events", 2.0, 0.498, 0.949, 0, 0, 0.949], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_events", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_events", 1.0, -0.894, -0.894, 0, 0, 0.894], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_events", 3.0, 0.397, 0.939, 0, 0, 0.939], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_events", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_events", 3.0, 1.789, 1.789, 0, 0, 1.789], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_events", 3.0, 1.414, 0.939, 0, 0, 1.414], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_events", 2.0, -0.397, 0.038, 0, 0, 0.397], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_events", 6.0, 2.782, 3.642, 0, 0, 3.642], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_events", 2.0, 0.498, 0.949, 0, 0, 0.949], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_events", 2.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_events", 1.0, -0.894, -0.894, 0, 0, 0.894], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_events", 2.0, 0.832, 0.832, 0, 0, 0.832], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_events", 3.0, 1.961, 0.939, 0, 0, 1.961], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_events", 3.0, 0.397, 0.939, 0, 0, 0.939], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_events", 1.0, -0.894, -0.894, 0, 0, 0.894], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_events", 3.0, 2.357, 2.357, 0, 0, 2.357], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_events", 2.0, 0.498, 0.949, 0, 0, 0.949], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_events", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_events", 2.0, 0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_events", 2.0, -0.397, 0.038, 0, 0, 0.397], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_events", 3.0, 1.891, 2.53, 0, 0, 2.53], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_events", 2.0, 0.588, 0.038, 0, 0, 0.588], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_events", 4.0, 3.138, 0.0, 0, 0, 3.138], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_events", 2.0, -0.397, 0.038, 0, 0, 0.397], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_events", 2.0, 0.498, 0.949, 0, 0, 0.949], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_events", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_events", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_events", 2.0, -0.397, 0.038, 0, 0, 0.397], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_events", 1.0, -0.896, -0.632, 0, 0, 0.896], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_events", 2.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_events", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_events", 2.0, 3.162, 0.949, 0, 0, 3.162], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_events", 4.0, 1.192, 1.84, 0, 0, 1.84], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_events", 1.0, -0.896, -0.632, 0, 0, 0.896], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_events", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_events", 2.0, 0.588, 0.038, 0, 0, 0.588], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_events", 2.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_events", 4.0, 1.192, 1.84, 0, 0, 1.84], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_events", 1.0, -0.896, -0.632, 0, 0, 0.896], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_events", 1.0, -0.784, -0.863, 0, 0, 0.863], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_events", 3.0, 1.414, 0.939, 0, 0, 1.414], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_events", 3.0, 0.397, 0.939, 0, 0, 0.939], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_events", 3.0, 1.891, 2.53, 0, 0, 2.53], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_events", 2.0, 0.588, 0.038, 0, 0, 0.588], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_events", 2.0, 2.0, 0.0, 0, 0, 2.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_events", 1.0, -1.192, -0.863, 0, 0, 1.192], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_events", 1.0, -0.896, -0.632, 0, 0, 0.896], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_events", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_events", 2.0, 0.588, 0.038, 0, 0, 0.588], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_events", 1.0, -0.707, -0.863, 0, 0, 0.863], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_events", 1.0, -0.316, -0.632, 0, 0, 0.632], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_events", 1.0, -1.192, -0.863, 0, 0, 1.192], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_events", 1.0, -0.896, -0.632, 0, 0, 0.896], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_events", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_events", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_failures", 1.0, 0.359, 0.589, 0, 0, 0.589], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_failures", 1.0, 0.911, 0.0, 0, 0, 0.911], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_failures", 0.0, -1.213, 0.0, 0, 0, 1.213], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_failures", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_failures", 0.0, -0.898, -0.669, 0, 0, 0.898], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_failures", 1.0, 1.633, 2.708, 0, 0, 2.708], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_failures", 2.0, 1.976, 1.976, 0, 0, 1.976], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_failures", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_failures", 0.0, -0.898, -0.669, 0, 0, 0.898], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_failures", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_failures", 4.0, 3.354, 4.363, 0, 0, 4.363], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_failures", 1.0, 0.359, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_failures", 0.0, -1.118, -0.669, 0, 0, 1.118], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_failures", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_failures", 1.0, 0.359, 0.589, 0, 0, 0.589], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_failures", 1.0, 0.911, 0.0, 0, 0, 0.911], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_failures", 0.0, -1.213, 0.0, 0, 0, 1.213], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_failures", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_failures", 0.0, -1.118, -0.669, 0, 0, 1.118], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_failures", 1.0, 0.911, 0.0, 0, 0, 0.911], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_failures", 3.0, 2.874, 3.105, 0, 0, 3.105], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_failures", 0.0, -1.213, 0.0, 0, 0, 1.213], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_failures", 2.0, 1.976, 1.976, 0, 0, 1.976], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_failures", 1.0, 1.633, 2.708, 0, 0, 2.708], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_failures", 1.0, 0.359, 0.589, 0, 0, 0.589], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_failures", 2.0, 2.474, 0.0, 0, 0, 2.474], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_failures", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_failures", 1.0, 0.359, 0.589, 0, 0, 0.589], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_failures", 0.0, -1.213, 0.0, 0, 0, 1.213], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_failures", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_failures", 0.0, -1.118, -0.669, 0, 0, 1.118], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_failures", 1.0, 1.633, 2.708, 0, 0, 2.708], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_failures", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_failures", 0.0, -0.898, -0.669, 0, 0, 0.898], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_failures", 0.0, -0.898, -0.669, 0, 0, 0.898], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_failures", 2.0, 2.183, 0.0, 0, 0, 2.183], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_failures", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_failures", 1.0, 0.697, 0.697, 0, 0, 0.697], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_failures", 0.0, -0.898, -0.669, 0, 0, 0.898], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_failures", 1.0, 0.485, 0.0, 0, 0, 0.485], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_failures", 0.0, -0.898, -0.669, 0, 0, 0.898], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_failures", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_failures", 1.0, 0.359, 0.589, 0, 0, 0.589], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_failures", 0.0, -0.651, 0.0, 0, 0, 0.651], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_failures", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_failures", 1.0, 0.359, 0.589, 0, 0, 0.589], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_failures", 0.0, -1.213, 0.0, 0, 0, 1.213], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_failures", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_failures", 1.0, 0.0, 0.589, 0, 0, 0.589], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_failures", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.669, 0, 0, 0.669], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_failures", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_failures", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_failures", 0.0, -0.581, -0.581, 0, 0, 0.581], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_infos", 1.0, 1.528, 1.528, 0, 0, 1.528], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_infos", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_infos", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_infos", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_infos", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_infos", 1.0, 1.528, 1.528, 0, 0, 1.528], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_infos", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_infos", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_infos", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_infos", 1.0, 1.633, 1.633, 0, 0, 1.633], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_infos", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_infos", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_infos", 1.0, 1.633, 1.633, 0, 0, 1.633], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_infos", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_infos", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_infos", 1.0, 1.633, 1.633, 0, 0, 1.633], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_infos", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_infos", 1.0, 1.528, 1.528, 0, 0, 1.528], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_infos", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_infos", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_infos", 0.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_failure_ratio", 1.0, 1.213, 1.507, 0, 0, 1.507], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_failure_ratio", 1.0, 1.414, 0.0, 0, 0, 1.414], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_failure_ratio", 0.0, -1.007, 0.0, 0, 0, 1.007], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_failure_ratio", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.0, -1.051, -0.79, 0, 0, 1.051], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.25, -0.265, 0.0, 0, 0, 0.265], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.5, -0.354, 0.358, 0, 0, 0.358], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_failure_ratio", 1.0, 1.633, 2.708, 0, 0, 2.708], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_failure_ratio", 1.0, 1.874, 1.874, 0, 0, 1.874], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_failure_ratio", 0.3333333333333333, -0.018, 0.0, 0, 0, 0.018], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_failure_ratio", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_failure_ratio", 0.5, -0.354, 0.358, 0, 0, 0.358], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_failure_ratio", 0.0, -1.051, -0.79, 0, 0, 1.051], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_failure_ratio", 1.0, 1.961, 0.0, 0, 0, 1.961], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_failure_ratio", 0.3333333333333333, -0.018, 0.0, 0, 0, 0.018], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_failure_ratio", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_failure_ratio", 1.0, 1.213, 1.507, 0, 0, 1.507], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_failure_ratio", 0.0, -1.581, -0.79, 0, 0, 1.581], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_failure_ratio", 0.5, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_failure_ratio", 1.0, 1.213, 1.507, 0, 0, 1.507], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_failure_ratio", 1.0, 1.414, 0.0, 0, 0, 1.414], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_failure_ratio", 0.0, -1.007, 0.0, 0, 0, 1.007], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_failure_ratio", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_failure_ratio", 0.0, -1.581, -0.79, 0, 0, 1.581], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_failure_ratio", 0.3333333333333333, -0.018, 0.0, 0, 0, 0.018], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_failure_ratio", 0.3333333333333333, -0.763, -0.024, 0, 0, 0.763], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_failure_ratio", 1.0, 1.414, 0.0, 0, 0, 1.414], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_failure_ratio", 1.0, 1.213, 1.507, 0, 0, 1.507], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_failure_ratio", 0.0, -1.007, 0.0, 0, 0, 1.007], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_failure_ratio", 0.6666666666666666, 1.049, 1.049, 0, 0, 1.049], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_failure_ratio", 1.0, 1.633, 2.708, 0, 0, 2.708], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_failure_ratio", 1.0, 1.213, 1.507, 0, 0, 1.507], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_failure_ratio", 1.0, 1.414, 0.0, 0, 0, 1.414], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_failure_ratio", 0.3333333333333333, -0.018, 0.0, 0, 0, 0.018], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_failure_ratio", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.5, 0.081, 0.358, 0, 0, 0.358], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.0, -1.007, 0.0, 0, 0, 1.007], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_failure_ratio", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.0, -1.581, -0.79, 0, 0, 1.581], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_failure_ratio", 1.0, 1.633, 2.708, 0, 0, 2.708], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.5, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_failure_ratio", 0.0, -1.051, -0.79, 0, 0, 1.051], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_failure_ratio", 1.0, 1.961, 0.0, 0, 0, 1.961], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_failure_ratio", 0.0, -1.051, -0.79, 0, 0, 1.051], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_failure_ratio", 0.6666666666666666, 0.972, 0.0, 0, 0, 0.972], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_failure_ratio", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_failure_ratio", 1.0, 1.874, 1.874, 0, 0, 1.874], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_failure_ratio", 0.0, -1.051, -0.79, 0, 0, 1.051], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_failure_ratio", 0.5, 0.477, 0.0, 0, 0, 0.477], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_failure_ratio", 0.0, -1.051, -0.79, 0, 0, 1.051], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_failure_ratio", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_failure_ratio", 0.3333333333333333, -0.763, -0.024, 0, 0, 0.763], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.5, 0.081, 0.358, 0, 0, 0.358], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, -0.816, 0.0, 0, 0, 0.816], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_failure_ratio", 0.5, 0.081, 0.358, 0, 0, 0.358], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_failure_ratio", 0.0, -1.007, 0.0, 0, 0, 1.007], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_failure_ratio", 1.0, 1.225, 0.0, 0, 0, 1.225], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_failure_ratio", 1.0, 0.872, 1.507, 0, 0, 1.507], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_failure_ratio", 0.0, -0.612, -0.369, 0, 0, 0.612], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.79, 0, 0, 0.79], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_failure_ratio", 0.0, 0.0, -0.369, 0, 0, 0.369], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_failure_ratio", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_failure_ratio", 0.0, -0.6, -0.6, 0, 0, 0.6], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_high_severity", 1.0, 1.915, 3.279, 0, 0, 3.279], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_high_severity", 1.0, 3.742, 3.279, 0, 0, 3.742], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_high_severity", 1.0, 3.162, 4.899, 0, 0, 4.899], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_high_severity", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_high_severity", 1.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_high_severity", 1.0, 1.915, 3.279, 0, 0, 3.279], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_high_severity", 1.0, 1.528, 1.528, 0, 0, 1.528], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_high_severity", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_high_severity", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_high_severity", 1.0, 1.414, 1.414, 0, 0, 1.414], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_high_severity", 1.0, 1.26, 0.0, 0, 0, 1.26], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_high_severity", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_high_severity", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_high_severity", 1.0, 1.915, 3.279, 0, 0, 3.279], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_high_severity", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_high_severity", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_high_severity", 1.0, 2.121, 2.121, 0, 0, 2.121], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_high_severity", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_high_severity", 2.0, 2.941, 0.0, 0, 0, 2.941], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_high_severity", 1.0, 3.0, 0.0, 0, 0, 3.0], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_high_severity", 1.0, 1.528, 1.528, 0, 0, 1.528], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_high_severity", 1.0, 3.606, 0.0, 0, 0, 3.606], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_high_severity", 1.0, 2.121, 2.121, 0, 0, 2.121], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_high_severity", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, -0.42, 0.0, 0, 0, 0.42], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, -0.655, -0.655, 0, 0, 0.655], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, -0.522, -0.305, 0, 0, 0.522], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, -0.277, 0.0, 0, 0, 0.277], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, -0.267, -0.305, 0, 0, 0.305], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, -0.316, -0.204, 0, 0, 0.316], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.305, 0, 0, 0.305], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, 0.0, -0.204, 0, 0, 0.204], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_high_severity", 1.0, 1.528, 1.528, 0, 0, 1.528], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_high_severity", 0.0, -0.471, -0.471, 0, 0, 0.471], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_auth_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_auth_events", 2.0, 2.0, 0.0, 0, 0, 2.0], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_auth_events", 3.0, 1.961, 1.939, 0, 0, 1.961], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_auth_events", 4.0, 1.871, 0.0, 0, 0, 1.871], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_auth_events", 2.0, 0.354, 0.97, 0, 0, 0.97], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_auth_events", 1.0, -0.243, -0.243, 0, 0, 0.243], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_auth_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_auth_events", 2.0, 1.633, 1.633, 0, 0, 1.633], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_auth_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_auth_events", 2.0, 0.354, 0.97, 0, 0, 0.97], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_auth_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_auth_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_auth_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_auth_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_auth_events", 4.0, 2.475, 2.909, 0, 0, 2.909], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_auth_events", 0.0, -1.732, -1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_auth_events", 0.0, -1.361, -1.361, 0, 0, 1.361], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_auth_events", 2.0, 0.354, 0.97, 0, 0, 0.97], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_auth_events", 0.0, -1.671, -1.671, 0, 0, 1.671], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_auth_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_auth_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_auth_events", 1.0, -0.243, -0.243, 0, 0, 0.243], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_auth_events", 2.0, 2.043, 2.043, 0, 0, 2.043], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_auth_events", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_auth_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_auth_events", 3.0, 1.414, 1.939, 0, 0, 1.939], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_auth_events", 2.0, 1.213, 1.213, 0, 0, 1.213], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_auth_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_auth_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_auth_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_auth_events", 3.0, 1.961, 1.939, 0, 0, 1.961], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_auth_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_auth_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_auth_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_auth_events", 2.0, 1.633, 1.633, 0, 0, 1.633], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_auth_events", 0.0, -1.671, -1.671, 0, 0, 1.671], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_auth_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_auth_events", 2.0, 0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_auth_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_auth_events", 2.0, 0.588, 0.97, 0, 0, 0.97], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_auth_events", 4.0, 3.138, 0.0, 0, 0, 3.138], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_auth_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_auth_events", 0.0, -1.698, -1.698, 0, 0, 1.698], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_auth_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_auth_events", 0.0, -1.361, -1.361, 0, 0, 1.361], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_auth_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_auth_events", 2.0, 1.213, 1.213, 0, 0, 1.213], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_auth_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_auth_events", 3.0, 0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_auth_events", 2.0, 3.162, 2.648, 0, 0, 3.162], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_auth_events", 0.0, -1.361, -1.361, 0, 0, 1.361], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_auth_events", 2.0, 0.588, 0.97, 0, 0, 0.97], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_auth_events", 2.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_auth_events", 1.0, -0.784, 0.0, 0, 0, 0.784], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_auth_events", 3.0, 1.414, 1.939, 0, 0, 1.939], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_auth_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_auth_events", 2.0, 0.588, 0.97, 0, 0, 0.97], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_auth_events", 1.0, -0.392, 0.0, 0, 0, 0.392], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_auth_events", 2.0, 2.0, 0.0, 0, 0, 2.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_auth_events", 1.0, -0.243, -0.243, 0, 0, 0.243], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_auth_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_auth_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_auth_events", 2.0, 0.588, 0.97, 0, 0, 0.97], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_auth_events", 1.0, -0.935, 0.0, 0, 0, 0.935], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_auth_events", 1.0, -0.5, 0.0, 0, 0, 0.5], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_auth_events", 1.0, -0.707, 0.0, 0, 0, 0.707], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_auth_events", 1.0, -0.316, 0.906, 0, 0, 0.906], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.97, 0, 0, 0.97], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_auth_events", 0.0, 0.0, -0.836, 0, 0, 0.836], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_auth_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_auth_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_data_events", 2.0, -0.397, 0.722, 0, 0, 0.722], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_data_events", 3.0, 0.397, 1.415, 0, 0, 1.415], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_data_events", 1.0, -0.896, 0.082, 0, 0, 0.896], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_data_events", 1.0, -1.192, 0.029, 0, 0, 1.192], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_data_events", 2.0, -0.397, 0.722, 0, 0, 0.722], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_data_events", 1.0, -0.896, 0.082, 0, 0, 0.896], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_data_events", 1.0, -1.192, 0.029, 0, 0, 1.192], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_data_events", 2.0, 0.498, 1.106, 0, 0, 1.106], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_data_events", 3.0, 0.397, 1.415, 0, 0, 1.415], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_data_events", 2.0, 0.498, 1.106, 0, 0, 1.106], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_data_events", 3.0, 0.397, 1.415, 0, 0, 1.415], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_data_events", 2.0, -0.397, 0.722, 0, 0, 0.722], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_data_events", 6.0, 2.782, 3.494, 0, 0, 3.494], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_data_events", 2.0, 0.498, 1.106, 0, 0, 1.106], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_data_events", 3.0, 0.397, 1.415, 0, 0, 1.415], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_data_events", 2.0, 0.498, 1.106, 0, 0, 1.106], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_data_events", 2.0, -0.397, 0.722, 0, 0, 0.722], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_data_events", 3.0, 1.891, 2.13, 0, 0, 2.13], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_data_events", 2.0, -0.397, 0.722, 0, 0, 0.722], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_data_events", 2.0, 0.498, 1.106, 0, 0, 1.106], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_data_events", 2.0, -0.397, 0.722, 0, 0, 0.722], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_data_events", 1.0, -0.896, 0.082, 0, 0, 0.896], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_data_events", 4.0, 1.192, 2.108, 0, 0, 2.108], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_data_events", 1.0, -0.896, 0.082, 0, 0, 0.896], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_data_events", 4.0, 1.192, 2.108, 0, 0, 2.108], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_data_events", 1.0, -0.896, 0.082, 0, 0, 0.896], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_data_events", 3.0, 0.397, 1.415, 0, 0, 1.415], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_data_events", 3.0, 1.891, 2.13, 0, 0, 2.13], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_data_events", 1.0, -1.192, 0.029, 0, 0, 1.192], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_data_events", 1.0, -0.896, 0.082, 0, 0, 0.896], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.663, 0, 0, 0.663], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_data_events", 0.0, 0.0, -0.942, 0, 0, 0.942], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_data_events", 1.0, -1.192, 0.029, 0, 0, 1.192], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_data_events", 1.0, -0.896, 0.082, 0, 0, 0.896], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_data_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, -0.745, -0.745, 0, 0, 0.745], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_ti_events", 0.0, -1.095, -1.095, 0, 0, 1.095], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_ti_events", 1.0, 0.913, 0.913, 0, 0, 0.913], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_ti_events", 1.0, 0.447, 0.447, 0, 0, 0.447], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_ti_events", 2.0, 1.789, 1.789, 0, 0, 1.789], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_ti_events", 1.0, 0.913, 0.913, 0, 0, 0.913], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_ti_events", 2.0, 2.236, 2.236, 0, 0, 2.236], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_ti_events", 0.0, -0.894, -0.894, 0, 0, 0.894], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_ti_events", 0.0, -0.745, -0.745, 0, 0, 0.745], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_ti_events", 1.0, 0.447, 0.447, 0, 0, 0.447], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_ti_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_ti_events", 0.0, -0.745, -0.745, 0, 0, 0.745], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_ti_events", 0.0, -0.894, -0.894, 0, 0, 0.894], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_ti_events", 1.0, 0.913, 0.913, 0, 0, 0.913], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, -0.745, -0.745, 0, 0, 0.745], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_ti_events", 0.0, -0.894, -0.894, 0, 0, 0.894], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_ti_events", 1.0, 0.913, 0.913, 0, 0, 0.913], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_ti_events", 1.0, 0.745, 0.745, 0, 0, 0.745], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_ti_events", 0.0, -1.095, -1.095, 0, 0, 1.095], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_ti_events", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_ti_events", 1.0, 0.745, 0.745, 0, 0, 0.745], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_ti_events", 1.0, 0.913, 0.913, 0, 0, 0.913], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_ti_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_ti_events", 0.0, -1.095, -1.095, 0, 0, 1.095], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_ti_events", 1.0, 0.913, 0.913, 0, 0, 0.913], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_ti_events", 0.0, -0.745, -0.745, 0, 0, 0.745], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, -0.745, -0.745, 0, 0, 0.745], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_ti_events", 0.0, -1.095, -1.095, 0, 0, 1.095], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_ti_events", 1.0, 0.745, 0.745, 0, 0, 0.745], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_ti_events", 0.0, -1.095, -1.095, 0, 0, 1.095], ["host", "avelios-app-01.berlin.local", 1778702400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778702400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778702400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_card_events", 1.0, -0.243, -0.243, 0, 0, 0.243], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_card_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_card_events", 2.0, 1.633, 1.633, 0, 0, 1.633], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_card_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_card_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_card_events", 0.0, -1.732, -1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_card_events", 0.0, -1.361, -1.361, 0, 0, 1.361], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_card_events", 0.0, -1.671, -1.671, 0, 0, 1.671], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_card_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_card_events", 1.0, -0.243, -0.243, 0, 0, 0.243], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_card_events", 2.0, 2.043, 2.043, 0, 0, 2.043], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_card_events", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_card_events", 2.0, 1.213, 1.213, 0, 0, 1.213], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_card_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_card_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_card_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_card_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_card_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_card_events", 2.0, 1.633, 1.633, 0, 0, 1.633], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_card_events", 0.0, -1.671, -1.671, 0, 0, 1.671], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_card_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, -1.698, -1.698, 0, 0, 1.698], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_card_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_card_events", 0.0, -1.361, -1.361, 0, 0, 1.361], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_card_events", 2.0, 1.213, 1.213, 0, 0, 1.213], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_card_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_card_events", 0.0, -1.361, -1.361, 0, 0, 1.361], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_card_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_card_events", 1.0, -0.243, -0.243, 0, 0, 0.243], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_card_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_card_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_card_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_card_events", 1.0, 0.186, 0.186, 0, 0, 0.186], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_card_events", 1.0, 0.136, 0.136, 0, 0, 0.136], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "ti_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "ti_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "ti_events", 2.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "ti_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "ti_events", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "ti_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "ti_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "ti_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "ti_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "ti_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "ti_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "ti_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "ti_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "ti_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "ti_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "ti_failures", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "ti_failures", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "ti_failures", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "ti_failures", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "ti_failures", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "ti_failures", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "ti_failures", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "ti_failures", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "ti_failures", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "ti_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "ti_failures", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "ti_failure_ratio", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "ti_failure_ratio", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "ti_failure_ratio", 0.5, 0.302, 0.302, 0, 0, 0.302], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "ti_failure_ratio", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "ti_failure_ratio", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "ti_failure_ratio", 0.0, -0.905, -0.905, 0, 0, 0.905], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "ti_failure_ratio", 1.0, 1.508, 1.508, 0, 0, 1.508], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "ti_failure_ratio", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "ti_failure_ratio", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "ti_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "ti_failure_ratio", 0.0, -0.905, -0.905, 0, 0, 0.905], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "konnektor_connected", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "konnektor_connected", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "konnektor_connected", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "konnektor_connected", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "konnektor_connected", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "konnektor_connected", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "konnektor_connected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "konnektor_disconnected", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "konnektor_disconnected", 1.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "konnektor_disconnected", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "konnektor_disconnected", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "konnektor_health_check", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "konnektor_health_check", 1.0, 1.414, 1.414, 0, 0, 1.414], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "konnektor_health_check", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "konnektor_health_check", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "konnektor_health_check", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "konnektor_health_check", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "konnektor_health_check", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "konnektor_health_check", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "konnektor_health_check", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "konnektor_health_check", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "konnektor_flap_score", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "konnektor_flap_score", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "konnektor_flap_score", 1.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "konnektor_flap_score", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "konnektor_flap_score", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "konnektor_flap_score", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "konnektor_flap_score", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "konnektor_flap_score", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "konnektor_flap_score", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "konnektor_flap_score", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "konnektor_flap_score", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "konnektor_flap_score", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "konnektor_flap_score", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "konnektor_flap_score", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "vpn_tunnel_failed", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "vpn_tunnel_failed", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "vpn_tunnel_failed", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "vpn_tunnel_failed", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "vpn_tunnel_failed", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "vpn_tunnel_failed", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "vpn_tunnel_failed", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "vpn_tunnel_failed", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "vpn_tunnel_failed", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "vpn_tunnel_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "vpn_tunnel_failed", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "vpn_tunnel_reconnect", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "vpn_tunnel_reconnect", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "vpn_tunnel_reconnect", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "vpn_tunnel_reconnect", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "vpn_tunnel_reconnect", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "vpn_tunnel_reconnect", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "vpn_tunnel_reconnect", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "cert_expired", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "cert_expiring", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "cert_valid", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "cert_valid", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "cert_valid", 1.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "cert_valid", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "cert_valid", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "cert_valid", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "cert_valid", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "cert_valid", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "cert_valid", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "cert_valid", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "ti_service_unavailable", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "ti_service_unavailable", 0.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "ti_service_unavailable", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "ti_service_unavailable", 1.0, 1.414, 1.414, 0, 0, 1.414], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "ti_service_unavailable", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "ti_service_unavailable", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "ti_service_unavailable", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "ti_service_unavailable", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "ti_service_available", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "ti_service_available", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "ti_service_available", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "ti_service_available", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "ti_service_available", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "ti_service_available", 1.0, 1.0, 1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "ti_service_available", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "ti_service_available", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "ti_service_available", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "ti_service_available", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "ti_service_available", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "ti_service_available", 0.0, -1.0, -1.0, 0, 0, 1.0], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778706000000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "high_sev_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778713200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "high_sev_events", 0.0, -1.414, -1.414, 0, 0, 1.414], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "high_sev_events", 1.0, 0.707, 0.707, 0, 0, 0.707], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "high_sev_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778720400000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "high_sev_events", 1.0, 0.577, 0.577, 0, 0, 0.577], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "high_sev_events", 1.0, 0.707, 0.707, 0, 0, 0.707], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778731200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "high_sev_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "high_sev_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.munich.local", 1778738400000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "high_sev_events", 0.0, -1.732, -1.732, 0, 0, 1.732], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778742000000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778745600000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "high_sev_events", 1.0, 0.577, 0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "high_sev_events", 0.0, -0.447, -0.447, 0, 0, 0.447], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778749200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778752800000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "high_sev_events", 1.0, 2.236, 2.236, 0, 0, 2.236], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778756400000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778760000000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778763600000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "avelios-int-01.munich.local", 1778767200000000000, "network", "high_sev_events", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "high_sev_events", 1.0, 0.577, 0.577, 0, 0, 0.577], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "dt_events", 1.0, -0.408, -0.408, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "cloud", "dt_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "dt_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".thomas.weber", 1778709600000000000, "cloud", "dt_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "dt_events", 1.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "dt_events", 2.0, 1.118, 0.0, 0, 0, 1.118], ["user", ".thomas.weber", 1778716800000000000, "cloud", "dt_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "dt_events", 1.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "dt_events", 1.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".thomas.weber", 1778720400000000000, "cloud", "dt_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "dt_events", 2.0, 1.118, 0.0, 0, 0, 1.118], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "dt_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "dt_events", 1.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "dt_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "dt_events", 2.0, 1.581, 0.0, 0, 0, 1.581], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "dt_events", 2.0, 0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778731200000000000, "cloud", "dt_events", 2.0, 2.646, 2.646, 0, 0, 2.646], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "dt_events", 1.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "dt_events", 2.0, 0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "dt_events", 1.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "dt_events", 3.0, 1.789, 0.0, 0, 0, 1.789], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "dt_events", 1.0, -0.632, 0.0, 0, 0, 0.632], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "dt_events", 1.0, -0.408, -0.408, 0, 0, 0.408], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "dt_events", 2.0, 1.414, 1.414, 0, 0, 1.414], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "dt_events", 1.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", ".thomas.weber", 1778752800000000000, "cloud", "dt_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "dt_events", 2.0, 1.118, 0.0, 0, 0, 1.118], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "dt_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".thomas.weber", 1778756400000000000, "cloud", "dt_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "dt_events", 2.0, 1.118, 0.0, 0, 0, 1.118], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "dt_events", 1.0, -0.707, -0.707, 0, 0, 0.707], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "dt_events", 2.0, 2.449, 2.449, 0, 0, 2.449], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "dt_events", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "dt_events", 2.0, 1.414, 1.414, 0, 0, 1.414], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "dt_events", 2.0, 1.581, 0.0, 0, 0, 1.581], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "dt_events", 1.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "dt_events", 1.0, -0.894, 0.0, 0, 0, 0.894], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778720400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778731200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "dt_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "export_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "cloud", "export_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "export_initiated", 0.0, -0.5, 0.0, 0, 0, 0.5], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "export_initiated", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778709600000000000, "cloud", "export_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "export_initiated", 1.0, 2.449, 2.449, 0, 0, 2.449], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "export_initiated", 1.0, 1.0, 0.0, 0, 0, 1.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "export_initiated", 1.0, 2.646, 2.646, 0, 0, 2.646], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "export_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "export_initiated", 0.0, -0.5, 0.0, 0, 0, 0.5], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778720400000000000, "cloud", "export_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "export_initiated", 2.0, 2.5, 0.0, 0, 0, 2.5], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "export_initiated", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "export_initiated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "export_initiated", 1.0, 1.0, 1.0, 0, 0, 1.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "export_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "export_initiated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778731200000000000, "cloud", "export_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "export_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "export_initiated", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "export_initiated", 0.0, -0.5, 0.0, 0, 0, 0.5], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "export_initiated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "export_initiated", 0.0, -0.5, 0.0, 0, 0, 0.5], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "export_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "export_initiated", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "export_initiated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "export_initiated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778752800000000000, "cloud", "export_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "export_initiated", 0.0, -0.5, 0.0, 0, 0, 0.5], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "export_initiated", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".thomas.weber", 1778756400000000000, "cloud", "export_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "export_initiated", 0.0, -0.5, 0.0, 0, 0, 0.5], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "export_initiated", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "export_initiated", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "export_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "export_initiated", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "export_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "export_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "export_initiated", 0.0, -0.5, 0.0, 0, 0, 0.5], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "export_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "export_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".thomas.weber", 1778716800000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "export_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "export_completed", 1.0, 1.155, 0.0, 0, 0, 1.155], ["user", ".thomas.weber", 1778720400000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "export_completed", 1.0, 1.155, 0.0, 0, 0, 1.155], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "export_completed", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "export_completed", 0.0, -0.866, 0.0, 0, 0, 0.866], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "export_completed", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778731200000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "export_completed", 1.0, 2.449, 2.449, 0, 0, 2.449], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "export_completed", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "export_completed", 1.0, 1.155, 0.0, 0, 0, 1.155], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "export_completed", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "export_completed", 0.0, -0.866, 0.0, 0, 0, 0.866], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "export_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "export_completed", 0.0, -0.866, 0.0, 0, 0, 0.866], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "export_completed", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "export_completed", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778752800000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "export_completed", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "export_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "export_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "export_completed", 0.0, -0.866, 0.0, 0, 0, 0.866], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "export_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "export_completed", 1.0, 2.828, 0.0, 0, 0, 2.828], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "import_initiated", 1.0, 2.449, 2.449, 0, 0, 2.449], ["user", ".thomas.weber", 1778706000000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "import_initiated", 1.0, 2.646, 2.646, 0, 0, 2.646], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "import_initiated", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".thomas.weber", 1778709600000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "import_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".thomas.weber", 1778716800000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "import_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "import_initiated", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778720400000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "import_initiated", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "import_initiated", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "import_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "import_initiated", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778731200000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "import_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "import_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "import_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "import_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "import_initiated", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "import_initiated", 1.0, 2.828, 0.0, 0, 0, 2.828], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "import_initiated", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "import_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "import_initiated", 1.0, 1.414, 1.414, 0, 0, 1.414], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "import_initiated", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "import_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "import_initiated", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".thomas.weber", 1778756400000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "import_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "import_initiated", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "import_initiated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "import_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "import_initiated", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "import_initiated", 1.0, 1.414, 1.414, 0, 0, 1.414], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "import_initiated", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "import_initiated", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "import_initiated", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "import_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "cloud", "import_completed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "import_completed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "import_completed", 1.0, 1.414, 1.414, 0, 0, 1.414], ["user", ".thomas.weber", 1778709600000000000, "cloud", "import_completed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "import_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "import_completed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "import_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "import_completed", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778720400000000000, "cloud", "import_completed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "import_completed", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "import_completed", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "import_completed", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "import_completed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "import_completed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "import_completed", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "import_completed", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778731200000000000, "cloud", "import_completed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "import_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "import_completed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "import_completed", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "import_completed", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "import_completed", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "import_completed", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "import_completed", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "import_completed", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "import_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "import_completed", 1.0, 1.414, 1.414, 0, 0, 1.414], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "import_completed", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "import_completed", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "import_completed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "import_completed", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778752800000000000, "cloud", "import_completed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "import_completed", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".thomas.weber", 1778756400000000000, "cloud", "import_completed", 1.0, 2.646, 2.646, 0, 0, 2.646], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "import_completed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "import_completed", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "import_completed", 1.0, 2.449, 2.449, 0, 0, 2.449], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "import_completed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "import_completed", 0.0, -0.707, -0.707, 0, 0, 0.707], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "import_completed", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "import_completed", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "import_completed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "cloud", "email_notifications", 0.0, -0.775, -0.775, 0, 0, 0.775], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "email_notifications", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "email_notifications", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "email_notifications", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778709600000000000, "cloud", "email_notifications", 0.0, -0.775, -0.775, 0, 0, 0.775], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "email_notifications", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", ".thomas.weber", 1778716800000000000, "cloud", "email_notifications", 0.0, -0.775, -0.775, 0, 0, 0.775], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "email_notifications", 1.0, 1.871, 0.0, 0, 0, 1.871], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "email_notifications", 0.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".thomas.weber", 1778720400000000000, "cloud", "email_notifications", 1.0, 1.291, 1.291, 0, 0, 1.291], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "email_notifications", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "email_notifications", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "email_notifications", 0.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "email_notifications", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "email_notifications", 1.0, 1.291, 1.291, 0, 0, 1.291], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "email_notifications", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "email_notifications", 1.0, 1.581, 0.0, 0, 0, 1.581], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "email_notifications", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", ".thomas.weber", 1778731200000000000, "cloud", "email_notifications", 1.0, 1.291, 1.291, 0, 0, 1.291], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "email_notifications", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "email_notifications", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "email_notifications", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "email_notifications", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "email_notifications", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "email_notifications", 0.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "email_notifications", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "email_notifications", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "email_notifications", 0.0, -0.632, 0.0, 0, 0, 0.632], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "email_notifications", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "email_notifications", 0.0, -0.632, 0.0, 0, 0, 0.632], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "email_notifications", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "email_notifications", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "email_notifications", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778752800000000000, "cloud", "email_notifications", 0.0, -0.775, -0.775, 0, 0, 0.775], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "email_notifications", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "email_notifications", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778756400000000000, "cloud", "email_notifications", 0.0, -0.775, -0.775, 0, 0, 0.775], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "email_notifications", 1.0, 1.871, 0.0, 0, 0, 1.871], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "email_notifications", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "email_notifications", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "email_notifications", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "email_notifications", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "email_notifications", 1.0, 1.581, 0.0, 0, 0, 1.581], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "email_notifications", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "email_notifications", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "report_generated", 0.0, -0.632, -0.632, 0, 0, 0.632], ["user", ".thomas.weber", 1778706000000000000, "cloud", "report_generated", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "report_generated", 0.0, -0.632, -0.632, 0, 0, 0.632], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "report_generated", 0.0, -0.632, -0.632, 0, 0, 0.632], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778720400000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "report_generated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "report_generated", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", ".thomas.weber", 1778731200000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "report_generated", 0.0, -0.632, -0.632, 0, 0, 0.632], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "report_generated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "report_generated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "report_generated", 0.0, -0.632, -0.632, 0, 0, 0.632], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "report_generated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "report_generated", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "report_generated", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778752800000000000, "cloud", "report_generated", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "report_generated", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "report_generated", 1.0, 1.581, 1.581, 0, 0, 1.581], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "report_generated", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "report_generated", 1.0, 1.581, 1.581, 0, 0, 1.581], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "report_generated", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "fhir_requests", 1.0, 1.118, 0.0, 0, 0, 1.118], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "fhir_requests", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778709600000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "fhir_requests", 1.0, 1.118, 0.0, 0, 0, 1.118], ["user", ".thomas.weber", 1778716800000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "fhir_requests", 0.0, -0.894, 0.0, 0, 0, 0.894], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "fhir_requests", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778720400000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "fhir_requests", 0.0, -0.894, 0.0, 0, 0, 0.894], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "fhir_requests", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "fhir_requests", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "fhir_requests", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778731200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "fhir_requests", 1.0, 1.118, 0.0, 0, 0, 1.118], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "fhir_requests", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "fhir_requests", 0.0, -0.894, 0.0, 0, 0, 0.894], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "fhir_requests", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "fhir_requests", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "fhir_requests", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "fhir_requests", 0.0, -0.894, 0.0, 0, 0, 0.894], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "fhir_requests", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778756400000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "fhir_requests", 1.0, 1.118, 0.0, 0, 0, 1.118], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "fhir_requests", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "fhir_requests", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "fhir_requests", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "fhir_requests", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "fhir_requests", 0.0, -0.894, 0.0, 0, 0, 0.894], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "hl7_received", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "hl7_received", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "hl7_received", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "hl7_received", 1.0, 2.449, 2.449, 0, 0, 2.449], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778720400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "hl7_received", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "hl7_received", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "hl7_received", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778731200000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "hl7_received", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "hl7_received", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "hl7_received", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "hl7_received", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "hl7_received", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "hl7_received", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "hl7_received", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "hl7_received", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "hl7_received", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "hl7_received", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", ".thomas.weber", 1778752800000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "hl7_received", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "hl7_received", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "hl7_received", 1.0, 2.646, 2.646, 0, 0, 2.646], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "hl7_received", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "hl7_received", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778706000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".thomas.weber", 1778716800000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "hl7_sent", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778720400000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "hl7_sent", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "hl7_sent", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "hl7_sent", 1.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "hl7_sent", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778731200000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "hl7_sent", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "hl7_sent", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "hl7_sent", 1.0, 2.236, 0.0, 0, 0, 2.236], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "hl7_sent", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "hl7_sent", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "hl7_sent", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "hl7_sent", 0.0, -0.447, 0.0, 0, 0, 0.447], ["user", ".thomas.weber", 1778752800000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "hl7_sent", 2.0, 2.828, 0.0, 0, 0, 2.828], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "hl7_sent", 0.0, -0.408, 0.0, 0, 0, 0.408], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "hl7_sent", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "hl7_sent", 0.0, -0.354, 0.0, 0, 0, 0.354], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "print_jobs", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "cloud", "print_jobs", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "print_jobs", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778709600000000000, "cloud", "print_jobs", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "print_jobs", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "print_jobs", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "print_jobs", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778720400000000000, "cloud", "print_jobs", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "print_jobs", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "print_jobs", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "print_jobs", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778731200000000000, "cloud", "print_jobs", 1.0, 1.732, 1.732, 0, 0, 1.732], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "print_jobs", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "print_jobs", 1.0, 2.449, 2.449, 0, 0, 2.449], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "print_jobs", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778752800000000000, "cloud", "print_jobs", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "print_jobs", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778756400000000000, "cloud", "print_jobs", 0.0, -0.577, -0.577, 0, 0, 0.577], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "print_jobs", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "print_jobs", 1.0, 1.0, 1.0, 0, 0, 1.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "print_jobs", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "print_jobs", 1.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "print_jobs", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "print_jobs", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "total_records_exported", 0.0, -0.606, -0.606, 0, 0, 0.606], ["user", ".thomas.weber", 1778706000000000000, "cloud", "total_records_exported", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "total_records_exported", 0.0, -0.677, 0.0, 0, 0, 0.677], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "total_records_exported", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".thomas.weber", 1778709600000000000, "cloud", "total_records_exported", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "total_records_exported", 468.0, 2.054, 2.054, 0, 0, 2.054], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "total_records_exported", 500.0, 0.973, 0.0, 0, 0, 0.973], ["user", ".thomas.weber", 1778716800000000000, "cloud", "total_records_exported", 678.0, 2.646, 2.646, 0, 0, 2.646], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "total_records_exported", 0.0, -0.606, -0.606, 0, 0, 0.606], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "total_records_exported", 0.0, -0.677, 0.0, 0, 0, 0.677], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "total_records_exported", 807.0, 1.49, 0.0, 0, 0, 1.49], ["user", ".thomas.weber", 1778720400000000000, "cloud", "total_records_exported", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "total_records_exported", 517.0, 1.03, 0.0, 0, 0, 1.03], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "total_records_exported", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "total_records_exported", 178.0, -0.233, 0.0, 0, 0, 0.233], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "total_records_exported", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "total_records_exported", 303.0, 1.0, 1.0, 0, 0, 1.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "total_records_exported", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "total_records_exported", 0.0, -0.721, 0.0, 0, 0, 0.721], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "total_records_exported", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778731200000000000, "cloud", "total_records_exported", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "total_records_exported", 278.0, 0.974, 0.974, 0, 0, 0.974], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "total_records_exported", 894.0, 1.382, 0.0, 0, 0, 1.382], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "total_records_exported", 0.0, -0.677, 0.0, 0, 0, 0.677], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "total_records_exported", 857.0, 1.627, 0.0, 0, 0, 1.627], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "total_records_exported", 921.0, 1.446, 0.0, 0, 0, 1.446], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "total_records_exported", 0.0, -0.677, 0.0, 0, 0, 0.677], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "total_records_exported", 0.0, -0.721, 0.0, 0, 0, 0.721], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "total_records_exported", 0.0, -0.606, -0.606, 0, 0, 0.606], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "total_records_exported", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "total_records_exported", 0.0, -0.721, 0.0, 0, 0, 0.721], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "total_records_exported", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "total_records_exported", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778752800000000000, "cloud", "total_records_exported", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "total_records_exported", 0.0, -0.677, 0.0, 0, 0, 0.677], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "total_records_exported", 880.0, 2.236, 2.236, 0, 0, 2.236], ["user", ".thomas.weber", 1778756400000000000, "cloud", "total_records_exported", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "total_records_exported", 0.0, -0.677, 0.0, 0, 0, 0.677], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "total_records_exported", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "total_records_exported", 0.0, -1.0, -1.0, 0, 0, 1.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "total_records_exported", 0.0, -0.606, -0.606, 0, 0, 0.606], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "total_records_exported", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "total_records_exported", 0.0, -0.447, -0.447, 0, 0, 0.447], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "total_records_exported", 0.0, -0.721, 0.0, 0, 0, 0.721], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "total_records_exported", 0.0, -0.606, -0.606, 0, 0, 0.606], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "total_records_exported", 829.0, 2.06, 0.0, 0, 0, 2.06], ["user", "billing.clerk.peter.wolf", 1778702400000000000, "cloud", "external_destinations", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778706000000000000, "cloud", "external_destinations", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "nurse.maria.m\\u00fcller", 1778706000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778706000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778709600000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "external_destinations", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "external_destinations", 1.0, 1.871, 0.0, 0, 0, 1.871], ["user", ".thomas.weber", 1778716800000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "external_destinations", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778716800000000000, "cloud", "external_destinations", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778720400000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "external_destinations", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "pharmacist.hans.meyer", 1778720400000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "external_destinations", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778727600000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778727600000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778731200000000000, "cloud", "external_destinations", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778731200000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "external_destinations", 1.0, 2.449, 2.449, 0, 0, 2.449], ["user", "nurse.maria.m\\u00fcller", 1778731200000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "external_destinations", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778738400000000000, "cloud", "external_destinations", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "nurse.maria.m\\u00fcller", 1778738400000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "external_destinations", 1.0, 1.414, 0.0, 0, 0, 1.414], ["user", "lab.tech.sarah.koch", 1778742000000000000, "cloud", "external_destinations", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", ".anna.schmidt", 1778745600000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "cloud", "external_destinations", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "pharmacist.hans.meyer", 1778745600000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778749200000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778749200000000000, "cloud", "external_destinations", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "external_destinations", 0.0, -0.707, 0.0, 0, 0, 0.707], ["user", ".thomas.weber", 1778752800000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "external_destinations", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778756400000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778756400000000000, "cloud", "external_destinations", 0.0, -0.535, 0.0, 0, 0, 0.535], ["user", "nurse.maria.m\\u00fcller", 1778756400000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778756400000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778760000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "cloud", "external_destinations", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "pharmacist.hans.meyer", 1778760000000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778763600000000000, "cloud", "external_destinations", 0.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "cloud", "external_destinations", 0.0, -0.408, -0.408, 0, 0, 0.408], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "external_destinations", 1.0, 1.871, 0.0, 0, 0, 1.871], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_events", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_events", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_events", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_events", 2.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_events", 2.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_events", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_events", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_events", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_events", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_events", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_events", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_events", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_events", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_failures", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_failures", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_failures", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_failures", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_failures", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_failures", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_failures", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_failures", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_failures", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_failure_ratio", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_failure_ratio", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_failure_ratio", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_failure_ratio", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_failure_ratio", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_failure_ratio", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_failure_ratio", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_failure_ratio", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_failure_ratio", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_read_success", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_read_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_read_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_read_success", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_read_success", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_read_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_read_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_read_success", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_read_success", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_read_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_read_success", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_read_success", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_read_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_read_success", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_read_failure", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_read_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_read_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_read_failure", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_read_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_read_failure", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_read_failure", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_read_failure", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_read_failure", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_read_failure", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_read_failure", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_read_failure", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_read_failure", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_read_failure", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_pin_verified", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_pin_verified", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_pin_verified", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_pin_verified", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_pin_verified", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_pin_verified", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_pin_verified", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_pin_verified", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_pin_verified", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_pin_verified", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_pin_verified", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_pin_verified", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_pin_verified", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_pin_verified", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_pin_verified", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_pin_failed", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_pin_failed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_pin_failed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_pin_failed", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_pin_failed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_pin_failed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_pin_failed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_pin_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_pin_failed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_pin_blocked", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_pin_blocked", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_pin_blocked", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_pin_blocked", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_pin_blocked", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_pin_blocked", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_pin_blocked", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_pin_blocked", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_pin_blocked", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_removed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_removed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_removed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_removed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_removed", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_removed", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_removed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_removed", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_removed", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_removed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_removed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_removed", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_removed", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_removed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_removed", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_removed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_removed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_removed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_removed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_removed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_removed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_removed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_removed", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_removed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_removed", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_removed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_decryption", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_decryption", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_decryption", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_decryption", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_decryption", 1.0, 0.816, 0.816, 0, 0, 0.816], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_decryption", 1.0, 0.816, 0.816, 0, 0, 0.816], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_decryption", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_decryption", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_decryption", 1.0, 0.816, 0.816, 0, 0, 0.816], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_decryption", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_decryption", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_decryption", 0.0, -1.225, -1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_decryption", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_decryption", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_decryption", 0.0, -1.225, -1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_decryption", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_decryption", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_decryption", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_decryption", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_decryption", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_decryption", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_decryption", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_decryption", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_decryption", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_decryption", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_decryption", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_signature_created", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_signature_created", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_signature_created", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_signature_created", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_signature_created", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_signature_created", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_signature_created", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_signature_created", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_signature_created", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_signature_created", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_signature_created", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_signature_created", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_signature_created", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_signature_created", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_auth_success", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_auth_success", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_auth_success", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_auth_success", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_auth_success", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_auth_success", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_auth_success", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_auth_success", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_auth_success", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_auth_success", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_auth_success", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_auth_success", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_auth_success", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_auth_success", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "card_auth_failed", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "card_auth_failed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "card_auth_failed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "card_auth_failed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "card_auth_failed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "card_auth_failed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "card_auth_failed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "card_auth_failed", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "card_auth_failed", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "smcb_events", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "smcb_events", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "smcb_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "smcb_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "smcb_events", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "smcb_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "smcb_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "smcb_events", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "smcb_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "smcb_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "smcb_events", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "smcb_events", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "smcb_events", 1.0, 1.291, 1.291, 0, 0, 1.291], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "smcb_events", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "smcb_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "smcb_events", 1.0, 1.291, 1.291, 0, 0, 1.291], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "smcb_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "smcb_events", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "smcb_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "smcb_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "smcb_events", 1.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "smcb_events", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "smcb_events", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "smcb_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "smcb_events", 0.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "smcb_events", 1.0, 1.291, 1.291, 0, 0, 1.291], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "hba_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "hba_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "hba_events", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "hba_events", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "hba_events", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "hba_events", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "hba_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "hba_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "hba_events", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "hba_events", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "hba_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "hba_events", 0.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "hba_events", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "hba_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "hba_events", 1.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "hba_events", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "hba_events", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "hba_events", 1.0, 1.291, 1.291, 0, 0, 1.291], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "hba_events", 1.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "hba_events", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "hba_events", 0.0, -0.775, -0.775, 0, 0, 0.775], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "hba_events", 0.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "hba_events", 1.0, 1.291, 1.291, 0, 0, 1.291], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "hba_events", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "hba_events", 1.0, 1.291, 1.291, 0, 0, 1.291], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "hba_events", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "qes_pin_attempts", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "qes_pin_attempts", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "qes_pin_attempts", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "qes_pin_attempts", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "qes_pin_attempts", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "qes_pin_attempts", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "qes_pin_attempts", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "qes_pin_attempts", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "qes_pin_attempts", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "low_attempts_remaining", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "low_attempts_remaining", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "low_attempts_remaining", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "low_attempts_remaining", 1.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "low_attempts_remaining", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "low_attempts_remaining", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "low_attempts_remaining", 0.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "low_attempts_remaining", 0.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "low_attempts_remaining", 0.0, -0.378, -0.378, 0, 0, 0.378], ["user", ".anna.schmidt", 1778702400000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "distinct_src_ip", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778706000000000000, "auth", "distinct_src_ip", 2.0, 1.633, 0.0, 0, 0, 1.633], ["user", ".lisa.bauer", 1778706000000000000, "auth", "distinct_src_ip", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "distinct_src_ip", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "distinct_src_ip", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "distinct_src_ip", 2.0, 1.225, 0.0, 0, 0, 1.225], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", ".lisa.bauer", 1778709600000000000, "auth", "distinct_src_ip", 3.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".thomas.weber", 1778709600000000000, "auth", "distinct_src_ip", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "distinct_src_ip", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", ".anna.schmidt", 1778713200000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".lisa.bauer", 1778713200000000000, "auth", "distinct_src_ip", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", ".anna.schmidt", 1778716800000000000, "auth", "distinct_src_ip", 2.0, 1.633, 0.0, 0, 0, 1.633], ["user", ".thomas.weber", 1778716800000000000, "auth", "distinct_src_ip", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "distinct_src_ip", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "distinct_src_ip", 1.0, -0.816, 0.0, 0, 0, 0.816], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "distinct_src_ip", 2.0, 0.99, 0.99, 0, 0, 0.99], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "distinct_src_ip", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "distinct_src_ip", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".lisa.bauer", 1778724000000000000, "auth", "distinct_src_ip", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "distinct_src_ip", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "distinct_src_ip", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778727600000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".thomas.weber", 1778727600000000000, "auth", "distinct_src_ip", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "distinct_src_ip", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "distinct_src_ip", 3.0, 2.546, 2.546, 0, 0, 2.546], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "distinct_src_ip", 2.0, 1.826, 1.826, 0, 0, 1.826], ["user", ".anna.schmidt", 1778734800000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".lisa.bauer", 1778734800000000000, "auth", "distinct_src_ip", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "distinct_src_ip", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "distinct_src_ip", 2.0, 1.225, 0.0, 0, 0, 1.225], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "distinct_src_ip", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", ".anna.schmidt", 1778742000000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".thomas.weber", 1778742000000000000, "auth", "distinct_src_ip", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "distinct_src_ip", 3.0, 2.219, 2.219, 0, 0, 2.219], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "distinct_src_ip", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", ".anna.schmidt", 1778745600000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "distinct_src_ip", 2.0, 1.826, 1.826, 0, 0, 1.826], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "distinct_src_ip", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "distinct_src_ip", 1.0, -0.816, 0.0, 0, 0, 0.816], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "distinct_src_ip", 3.0, 2.236, 2.236, 0, 0, 2.236], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", ".lisa.bauer", 1778749200000000000, "auth", "distinct_src_ip", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "distinct_src_ip", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778752800000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", ".thomas.weber", 1778752800000000000, "auth", "distinct_src_ip", 4.0, 2.524, 2.524, 0, 0, 2.524], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "distinct_src_ip", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "distinct_src_ip", 2.0, 0.99, 0.99, 0, 0, 0.99], ["user", ".anna.schmidt", 1778756400000000000, "auth", "distinct_src_ip", 2.0, 1.633, 0.0, 0, 0, 1.633], ["user", ".thomas.weber", 1778756400000000000, "auth", "distinct_src_ip", 2.0, 0.229, 0.229, 0, 0, 0.229], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "distinct_src_ip", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "distinct_src_ip", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "distinct_src_ip", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", ".anna.schmidt", 1778763600000000000, "auth", "distinct_src_ip", 1.0, -0.612, 0.0, 0, 0, 0.612], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "distinct_src_ip", 1.0, -0.548, -0.548, 0, 0, 0.548], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "distinct_src_ip", 2.0, 0.693, 0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "distinct_src_ip", 1.0, -0.816, 0.0, 0, 0, 0.816], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "distinct_src_ip", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".lisa.bauer", 1778767200000000000, "auth", "distinct_src_ip", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "distinct_src_ip", 1.0, -0.918, -0.918, 0, 0, 0.918], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "distinct_src_ip", 2.0, 1.826, 1.826, 0, 0, 1.826], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "distinct_src_ip", 1.0, -0.832, -0.832, 0, 0, 0.832], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "distinct_src_ip", 1.0, -0.566, -0.566, 0, 0, 0.566], ["user", ".anna.schmidt", 1778702400000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", "nurse.maria.m\\u00fcller", 1778702400000000000, "auth", "distinct_src_host", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778706000000000000, "auth", "distinct_src_host", 2.0, 2.121, 0.0, 0, 0, 2.121], ["user", ".lisa.bauer", 1778706000000000000, "auth", "distinct_src_host", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778706000000000000, "auth", "distinct_src_host", 2.0, 0.469, 0.469, 0, 0, 0.469], ["user", "admin.klaus.fischer", 1778706000000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778706000000000000, "auth", "distinct_src_host", 2.0, 0.832, 0.832, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778706000000000000, "auth", "distinct_src_host", 2.0, 1.225, 0.0, 0, 0, 1.225], ["user", "pharmacist.hans.meyer", 1778706000000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["user", ".lisa.bauer", 1778709600000000000, "auth", "distinct_src_host", 2.0, 2.449, 0.0, 0, 0, 2.449], ["user", ".thomas.weber", 1778709600000000000, "auth", "distinct_src_host", 2.0, 0.469, 0.469, 0, 0, 0.469], ["user", "admin.klaus.fischer", 1778709600000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778709600000000000, "auth", "distinct_src_host", 1.0, -0.693, -0.693, 0, 0, 0.693], ["user", ".anna.schmidt", 1778713200000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778713200000000000, "auth", "distinct_src_host", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778713200000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "pharmacist.hans.meyer", 1778713200000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["user", ".anna.schmidt", 1778716800000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778716800000000000, "auth", "distinct_src_host", 2.0, 0.469, 0.469, 0, 0, 0.469], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "auth", "distinct_src_host", 1.0, -0.693, -0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778716800000000000, "auth", "distinct_src_host", 1.0, -0.816, 0.0, 0, 0, 0.816], ["user", "pharmacist.hans.meyer", 1778716800000000000, "auth", "distinct_src_host", 2.0, 1.633, 1.633, 0, 0, 1.633], ["user", "billing.clerk.peter.wolf", 1778720400000000000, "auth", "distinct_src_host", 1.0, -0.693, -0.693, 0, 0, 0.693], ["user", "nurse.maria.m\\u00fcller", 1778720400000000000, "auth", "distinct_src_host", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".lisa.bauer", 1778724000000000000, "auth", "distinct_src_host", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778724000000000000, "auth", "distinct_src_host", 1.0, -1.093, -1.093, 0, 0, 1.093], ["user", "admin.klaus.fischer", 1778724000000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778724000000000000, "auth", "distinct_src_host", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778727600000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778727600000000000, "auth", "distinct_src_host", 2.0, 0.469, 0.469, 0, 0, 0.469], ["user", "admin.klaus.fischer", 1778727600000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778727600000000000, "auth", "distinct_src_host", 1.0, -0.693, -0.693, 0, 0, 0.693], ["user", "pharmacist.hans.meyer", 1778727600000000000, "auth", "distinct_src_host", 2.0, 1.633, 1.633, 0, 0, 1.633], ["user", "admin.klaus.fischer", 1778731200000000000, "auth", "distinct_src_host", 2.0, 3.464, 3.464, 0, 0, 3.464], ["user", ".anna.schmidt", 1778734800000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".lisa.bauer", 1778734800000000000, "auth", "distinct_src_host", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778734800000000000, "auth", "distinct_src_host", 1.0, -1.093, -1.093, 0, 0, 1.093], ["user", "admin.klaus.fischer", 1778734800000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "lab.tech.sarah.koch", 1778734800000000000, "auth", "distinct_src_host", 2.0, 1.225, 0.0, 0, 0, 1.225], ["user", "nurse.maria.m\\u00fcller", 1778734800000000000, "auth", "distinct_src_host", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778738400000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["user", ".anna.schmidt", 1778742000000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778742000000000000, "auth", "distinct_src_host", 1.0, -1.093, -1.093, 0, 0, 1.093], ["user", "admin.klaus.fischer", 1778742000000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778742000000000000, "auth", "distinct_src_host", 3.0, 2.357, 2.357, 0, 0, 2.357], ["user", "nurse.maria.m\\u00fcller", 1778742000000000000, "auth", "distinct_src_host", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778742000000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["user", ".anna.schmidt", 1778745600000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778745600000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778745600000000000, "auth", "distinct_src_host", 1.0, -0.693, -0.693, 0, 0, 0.693], ["user", "lab.tech.sarah.koch", 1778745600000000000, "auth", "distinct_src_host", 1.0, -0.816, 0.0, 0, 0, 0.816], ["user", "nurse.maria.m\\u00fcller", 1778745600000000000, "auth", "distinct_src_host", 3.0, 2.236, 2.236, 0, 0, 2.236], ["user", "pharmacist.hans.meyer", 1778745600000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["user", ".lisa.bauer", 1778749200000000000, "auth", "distinct_src_host", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", "admin.klaus.fischer", 1778749200000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "nurse.maria.m\\u00fcller", 1778749200000000000, "auth", "distinct_src_host", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", ".anna.schmidt", 1778752800000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", ".thomas.weber", 1778752800000000000, "auth", "distinct_src_host", 3.0, 2.03, 2.03, 0, 0, 2.03], ["user", "nurse.maria.m\\u00fcller", 1778752800000000000, "auth", "distinct_src_host", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778752800000000000, "auth", "distinct_src_host", 2.0, 1.633, 1.633, 0, 0, 1.633], ["user", ".anna.schmidt", 1778756400000000000, "auth", "distinct_src_host", 2.0, 2.121, 0.0, 0, 0, 2.121], ["user", ".thomas.weber", 1778756400000000000, "auth", "distinct_src_host", 2.0, 0.469, 0.469, 0, 0, 0.469], ["user", "billing.clerk.peter.wolf", 1778756400000000000, "auth", "distinct_src_host", 1.0, -0.693, -0.693, 0, 0, 0.693], ["user", "pharmacist.hans.meyer", 1778756400000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["user", "admin.klaus.fischer", 1778760000000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778760000000000000, "auth", "distinct_src_host", 2.0, 0.832, 0.832, 0, 0, 0.832], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "auth", "distinct_src_host", 1.0, -0.745, -0.745, 0, 0, 0.745], ["user", "pharmacist.hans.meyer", 1778760000000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["user", ".anna.schmidt", 1778763600000000000, "auth", "distinct_src_host", 1.0, -0.471, 0.0, 0, 0, 0.471], ["user", "admin.klaus.fischer", 1778763600000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778763600000000000, "auth", "distinct_src_host", 2.0, 0.832, 0.832, 0, 0, 0.832], ["user", "lab.tech.sarah.koch", 1778763600000000000, "auth", "distinct_src_host", 1.0, -0.816, 0.0, 0, 0, 0.816], ["user", "nurse.maria.m\\u00fcller", 1778763600000000000, "auth", "distinct_src_host", 2.0, 0.745, 0.745, 0, 0, 0.745], ["user", ".lisa.bauer", 1778767200000000000, "auth", "distinct_src_host", 1.0, -0.408, 0.0, 0, 0, 0.408], ["user", ".thomas.weber", 1778767200000000000, "auth", "distinct_src_host", 1.0, -1.093, -1.093, 0, 0, 1.093], ["user", "admin.klaus.fischer", 1778767200000000000, "auth", "distinct_src_host", 1.0, -0.289, -0.289, 0, 0, 0.289], ["user", "billing.clerk.peter.wolf", 1778767200000000000, "auth", "distinct_src_host", 1.0, -0.693, -0.693, 0, 0, 0.693], ["user", "pharmacist.hans.meyer", 1778767200000000000, "auth", "distinct_src_host", 1.0, -0.612, -0.612, 0, 0, 0.612], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_distinct_users", 1.0, -0.899, 0.0, 0, 0, 0.899], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_distinct_users", 1.0, -1.129, -0.836, 0, 0, 1.129], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_distinct_users", 3.0, 2.063, 1.254, 0, 0, 2.063], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_distinct_users", 4.0, 2.006, 0.0, 0, 0, 2.006], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_distinct_users", 2.0, 0.588, 0.209, 0, 0, 0.588], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_distinct_users", 3.0, 0.718, 1.254, 0, 0, 1.254], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_distinct_users", 1.0, -1.0, -0.624, 0, 0, 1.0], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_distinct_users", 2.0, 0.069, 0.0, 0, 0, 0.069], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_distinct_users", 2.0, 0.588, 0.209, 0, 0, 0.588], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_distinct_users", 1.0, -1.129, -0.836, 0, 0, 1.129], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_distinct_users", 1.0, -0.899, 0.0, 0, 0, 0.899], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_distinct_users", 2.0, -0.205, 0.209, 0, 0, 0.209], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_distinct_users", 1.0, -1.0, -0.624, 0, 0, 1.0], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_distinct_users", 3.0, 1.038, 0.0, 0, 0, 1.038], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_distinct_users", 3.0, 1.961, 1.254, 0, 0, 1.961], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_distinct_users", 1.0, -1.129, -0.836, 0, 0, 1.129], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_distinct_users", 2.0, 1.0, 1.604, 0, 0, 1.604], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_distinct_users", 2.0, 0.588, 0.209, 0, 0, 0.588], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_distinct_users", 3.0, 0.718, 1.254, 0, 0, 1.254], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_distinct_users", 2.0, 1.0, 1.604, 0, 0, 1.604], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_distinct_users", 1.0, -0.899, 0.0, 0, 0, 0.899], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_distinct_users", 3.0, 0.718, 1.254, 0, 0, 1.254], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_distinct_users", 3.0, 1.038, 0.0, 0, 0, 1.038], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_distinct_users", 2.0, 0.588, 0.209, 0, 0, 0.588], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_distinct_users", 2.0, -0.205, 0.209, 0, 0, 0.209], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_distinct_users", 5.0, 2.565, 3.344, 0, 0, 3.344], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_distinct_users", 2.0, 1.0, 1.604, 0, 0, 1.604], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_distinct_users", 3.0, 2.063, 1.254, 0, 0, 2.063], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_distinct_users", 1.0, -0.899, 0.0, 0, 0, 0.899], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_distinct_users", 2.0, -0.205, 0.209, 0, 0, 0.209], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_distinct_users", 2.0, 1.0, 1.604, 0, 0, 1.604], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_distinct_users", 2.0, 1.18, 0.0, 0, 0, 1.18], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_distinct_users", 3.0, 1.038, 0.0, 0, 0, 1.038], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_distinct_users", 2.0, -0.205, 0.209, 0, 0, 0.209], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_distinct_users", 2.0, 1.0, 1.604, 0, 0, 1.604], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_distinct_users", 3.0, 2.801, 0.0, 0, 0, 2.801], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_distinct_users", 1.0, -0.899, 0.0, 0, 0, 0.899], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_distinct_users", 2.0, -0.205, 0.209, 0, 0, 0.209], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_distinct_users", 2.0, 1.0, 1.604, 0, 0, 1.604], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_distinct_users", 1.0, -0.899, 0.0, 0, 0, 0.899], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_distinct_users", 2.0, -0.205, 0.209, 0, 0, 0.209], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_distinct_users", 1.0, -1.0, -0.624, 0, 0, 1.0], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_distinct_users", 3.0, 1.038, 0.0, 0, 0, 1.038], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_distinct_users", 3.0, 0.718, 1.254, 0, 0, 1.254], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_distinct_users", 1.0, -1.0, -0.624, 0, 0, 1.0], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_distinct_users", 2.0, 0.722, 0.209, 0, 0, 0.722], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_distinct_users", 2.0, 0.069, 0.0, 0, 0, 0.069], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_distinct_users", 4.0, 1.642, 2.299, 0, 0, 2.299], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_distinct_users", 1.0, -1.0, -0.624, 0, 0, 1.0], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_distinct_users", 3.0, 1.961, 1.254, 0, 0, 1.961], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_distinct_users", 2.0, -0.205, 0.209, 0, 0, 0.209], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_distinct_users", 2.0, 1.0, 1.604, 0, 0, 1.604], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_distinct_users", 2.0, 0.722, 0.209, 0, 0, 0.722], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_distinct_users", 1.0, -0.442, 0.0, 0, 0, 0.442], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_distinct_users", 2.0, 3.0, 0.0, 0, 0, 3.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_distinct_users", 1.0, -1.129, -0.836, 0, 0, 1.129], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_distinct_users", 1.0, -1.0, -0.624, 0, 0, 1.0], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_distinct_users", 1.0, -0.619, -0.836, 0, 0, 0.836], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_distinct_users", 1.0, -0.899, 0.0, 0, 0, 0.899], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_distinct_users", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_distinct_users", 1.0, -0.784, -0.836, 0, 0, 0.836], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_distinct_users", 1.0, 0.0, -0.624, 0, 0, 0.624], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_distinct_users", 1.0, -1.129, -0.836, 0, 0, 1.129], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_distinct_users", 1.0, -1.0, -0.624, 0, 0, 1.0], ["host", "avelios-app-02.berlin.local", 1778702400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.866, 0.0, 0, 0, 0.866], ["host", "avelios-app-02.munich.local", 1778702400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-int-01.berlin.local", 1778702400000000000, "endpoint", "host_distinct_etypes", 1.0, -1.118, -0.912, 0, 0, 1.118], ["host", "avelios-app-01.berlin.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 3.0, 1.877, 1.306, 0, 0, 1.877], ["host", "avelios-app-01.munich.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 4.0, 2.165, 0.0, 0, 0, 2.165], ["host", "avelios-app-03.berlin.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 2.0, 0.44, 0.197, 0, 0, 0.44], ["host", "avelios-app-03.munich.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 3.0, 0.894, 1.306, 0, 0, 1.306], ["host", "avelios-int-01.munich.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.918, -0.587, 0, 0, 0.918], ["host", "omniconnect-ber-01.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778706000000000000, "endpoint", "host_distinct_etypes", 2.0, 0.832, 0.832, 0, 0, 0.832], ["host", "avelios-app-02.berlin.local", 1778709600000000000, "endpoint", "host_distinct_etypes", 3.0, 1.155, 0.0, 0, 0, 1.155], ["host", "avelios-app-02.munich.local", 1778709600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778709600000000000, "endpoint", "host_distinct_etypes", 2.0, 0.44, 0.197, 0, 0, 0.44], ["host", "avelios-app-03.munich.local", 1778709600000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778709600000000000, "endpoint", "host_distinct_etypes", 1.0, -1.118, -0.912, 0, 0, 1.118], ["host", "omniconnect-mun-01.local", 1778709600000000000, "endpoint", "host_distinct_etypes", 2.0, 0.832, 0.832, 0, 0, 0.832], ["host", "avelios-app-01.berlin.local", 1778713200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.834, -0.912, 0, 0, 0.912], ["host", "avelios-app-02.berlin.local", 1778713200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.866, 0.0, 0, 0, 0.866], ["host", "avelios-app-03.berlin.local", 1778713200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-app-03.munich.local", 1778713200000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778713200000000000, "endpoint", "host_distinct_etypes", 1.0, -1.118, -0.912, 0, 0, 1.118], ["host", "avelios-int-01.munich.local", 1778713200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.918, -0.587, 0, 0, 0.918], ["host", "omniconnect-ham-01.local", 1778713200000000000, "endpoint", "host_distinct_etypes", 2.0, 0.447, 0.447, 0, 0, 0.447], ["host", "avelios-app-02.berlin.local", 1778716800000000000, "endpoint", "host_distinct_etypes", 3.0, 1.155, 0.0, 0, 0, 1.155], ["host", "avelios-app-02.munich.local", 1778716800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778716800000000000, "endpoint", "host_distinct_etypes", 3.0, 1.673, 1.306, 0, 0, 1.673], ["host", "avelios-int-01.berlin.local", 1778716800000000000, "endpoint", "host_distinct_etypes", 1.0, -1.118, -0.912, 0, 0, 1.118], ["host", "avelios-int-01.munich.local", 1778716800000000000, "endpoint", "host_distinct_etypes", 2.0, 0.688, 1.247, 0, 0, 1.247], ["host", "omniconnect-ham-01.local", 1778716800000000000, "endpoint", "host_distinct_etypes", 2.0, 0.447, 0.447, 0, 0, 0.447], ["host", "omniconnect-mun-01.local", 1778716800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778720400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.834, -0.912, 0, 0, 0.912], ["host", "avelios-app-03.berlin.local", 1778720400000000000, "endpoint", "host_distinct_etypes", 2.0, 0.44, 0.197, 0, 0, 0.44], ["host", "avelios-int-01.berlin.local", 1778720400000000000, "endpoint", "host_distinct_etypes", 3.0, 0.894, 1.306, 0, 0, 1.306], ["host", "avelios-int-01.munich.local", 1778720400000000000, "endpoint", "host_distinct_etypes", 2.0, 0.688, 1.247, 0, 0, 1.247], ["host", "omniconnect-fra-01.local", 1778720400000000000, "endpoint", "host_distinct_etypes", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-ham-01.local", 1778720400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.894, -0.894, 0, 0, 0.894], ["host", "avelios-app-01.berlin.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.834, -0.912, 0, 0, 0.912], ["host", "avelios-app-01.munich.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.866, 0.0, 0, 0, 0.866], ["host", "avelios-app-02.munich.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-int-01.berlin.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 3.0, 0.894, 1.306, 0, 0, 1.306], ["host", "omniconnect-ber-01.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-ham-01.local", 1778724000000000000, "endpoint", "host_distinct_etypes", 3.0, 1.789, 1.789, 0, 0, 1.789], ["host", "avelios-app-01.munich.local", 1778727600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778727600000000000, "endpoint", "host_distinct_etypes", 2.0, 0.144, 0.0, 0, 0, 0.144], ["host", "avelios-app-03.berlin.local", 1778727600000000000, "endpoint", "host_distinct_etypes", 3.0, 1.673, 1.306, 0, 0, 1.673], ["host", "avelios-app-03.munich.local", 1778727600000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778727600000000000, "endpoint", "host_distinct_etypes", 1.0, -1.118, -0.912, 0, 0, 1.118], ["host", "avelios-app-01.munich.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-03.berlin.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-int-01.berlin.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 4.0, 1.901, 2.416, 0, 0, 2.416], ["host", "avelios-int-01.munich.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 2.0, 0.688, 1.247, 0, 0, 1.247], ["host", "omniconnect-ber-01.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 2.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-fra-01.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-ham-01.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.894, -0.894, 0, 0, 0.894], ["host", "omniconnect-mun-01.local", 1778731200000000000, "endpoint", "host_distinct_etypes", 2.0, 0.832, 0.832, 0, 0, 0.832], ["host", "avelios-app-01.berlin.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 3.0, 1.877, 1.306, 0, 0, 1.877], ["host", "avelios-app-01.munich.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.866, 0.0, 0, 0, 0.866], ["host", "avelios-app-03.berlin.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-app-03.munich.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 3.0, 0.894, 1.306, 0, 0, 1.306], ["host", "omniconnect-fra-01.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-ham-01.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.894, -0.894, 0, 0, 0.894], ["host", "omniconnect-mun-01.local", 1778734800000000000, "endpoint", "host_distinct_etypes", 3.0, 2.357, 2.357, 0, 0, 2.357], ["host", "avelios-app-03.munich.local", 1778738400000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.munich.local", 1778738400000000000, "endpoint", "host_distinct_etypes", 2.0, 0.688, 1.247, 0, 0, 1.247], ["host", "omniconnect-fra-01.local", 1778738400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778738400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778742000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.834, -0.912, 0, 0, 0.912], ["host", "avelios-app-01.munich.local", 1778742000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778742000000000000, "endpoint", "host_distinct_etypes", 2.0, 0.144, 0.0, 0, 0, 0.144], ["host", "avelios-app-02.munich.local", 1778742000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.munich.local", 1778742000000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778742000000000000, "endpoint", "host_distinct_etypes", 2.0, -0.112, 0.197, 0, 0, 0.197], ["host", "avelios-int-01.munich.local", 1778742000000000000, "endpoint", "host_distinct_etypes", 2.0, 0.688, 1.247, 0, 0, 1.247], ["host", "avelios-app-01.berlin.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 2.0, 0.521, 0.197, 0, 0, 0.521], ["host", "avelios-app-01.munich.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 3.0, 3.162, 0.0, 0, 0, 3.162], ["host", "avelios-app-02.berlin.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.866, 0.0, 0, 0, 0.866], ["host", "avelios-app-02.munich.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-app-03.munich.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 2.0, -0.112, 0.197, 0, 0, 0.197], ["host", "avelios-int-01.munich.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 2.0, 0.688, 1.247, 0, 0, 1.247], ["host", "omniconnect-ber-01.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778745600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778749200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.834, -0.912, 0, 0, 0.912], ["host", "avelios-app-01.munich.local", 1778749200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778749200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.866, 0.0, 0, 0, 0.866], ["host", "avelios-int-01.berlin.local", 1778749200000000000, "endpoint", "host_distinct_etypes", 2.0, -0.112, 0.197, 0, 0, 0.197], ["host", "avelios-int-01.munich.local", 1778749200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.918, -0.587, 0, 0, 0.918], ["host", "omniconnect-ber-01.local", 1778749200000000000, "endpoint", "host_distinct_etypes", 2.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778749200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.834, -0.912, 0, 0, 0.912], ["host", "avelios-app-01.munich.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 3.0, 1.155, 0.0, 0, 0, 1.155], ["host", "avelios-app-02.munich.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.munich.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 3.0, 0.894, 1.306, 0, 0, 1.306], ["host", "avelios-int-01.munich.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.918, -0.587, 0, 0, 0.918], ["host", "omniconnect-mun-01.local", 1778752800000000000, "endpoint", "host_distinct_etypes", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778756400000000000, "endpoint", "host_distinct_etypes", 2.0, 0.521, 0.197, 0, 0, 0.521], ["host", "avelios-app-01.munich.local", 1778756400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.berlin.local", 1778756400000000000, "endpoint", "host_distinct_etypes", 2.0, 0.144, 0.0, 0, 0, 0.144], ["host", "avelios-app-03.berlin.local", 1778756400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-int-01.berlin.local", 1778756400000000000, "endpoint", "host_distinct_etypes", 3.0, 0.894, 1.306, 0, 0, 1.306], ["host", "avelios-int-01.munich.local", 1778756400000000000, "endpoint", "host_distinct_etypes", 1.0, -0.918, -0.587, 0, 0, 0.918], ["host", "avelios-app-01.berlin.local", 1778760000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.834, -0.912, 0, 0, 0.912], ["host", "avelios-app-02.munich.local", 1778760000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778760000000000000, "endpoint", "host_distinct_etypes", 3.0, 1.673, 1.306, 0, 0, 1.673], ["host", "avelios-int-01.berlin.local", 1778760000000000000, "endpoint", "host_distinct_etypes", 3.0, 0.894, 1.306, 0, 0, 1.306], ["host", "avelios-int-01.munich.local", 1778760000000000000, "endpoint", "host_distinct_etypes", 3.0, 2.294, 3.08, 0, 0, 3.08], ["host", "omniconnect-fra-01.local", 1778760000000000000, "endpoint", "host_distinct_etypes", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "avelios-app-01.berlin.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 2.0, 0.521, 0.197, 0, 0, 0.521], ["host", "avelios-app-01.munich.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.316, 0.0, 0, 0, 0.316], ["host", "avelios-app-02.munich.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 2.0, 3.0, 0.0, 0, 0, 3.0], ["host", "avelios-app-03.berlin.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-app-03.munich.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, -1.118, -0.912, 0, 0, 1.118], ["host", "avelios-int-01.munich.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.918, -0.587, 0, 0, 0.918], ["host", "omniconnect-ber-01.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-fra-01.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-mun-01.local", 1778763600000000000, "endpoint", "host_distinct_etypes", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "avelios-app-01.berlin.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 2.0, 0.521, 0.197, 0, 0, 0.521], ["host", "avelios-app-02.berlin.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.866, 0.0, 0, 0, 0.866], ["host", "avelios-app-02.munich.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.333, 0.0, 0, 0, 0.333], ["host", "avelios-app-03.berlin.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.792, -0.912, 0, 0, 0.912], ["host", "avelios-app-03.munich.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 1.0, 0.0, -0.587, 0, 0, 0.587], ["host", "avelios-int-01.berlin.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 1.0, -1.118, -0.912, 0, 0, 1.118], ["host", "avelios-int-01.munich.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.918, -0.587, 0, 0, 0.918], ["host", "omniconnect-fra-01.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778767200000000000, "endpoint", "host_distinct_etypes", 1.0, -0.693, -0.693, 0, 0, 0.693], ["host", "omniconnect-mun-01.local", 1778709600000000000, "network", "distinct_telematik_ids", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778713200000000000, "network", "distinct_telematik_ids", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-ham-01.local", 1778716800000000000, "network", "distinct_telematik_ids", 2.0, 1.414, 1.414, 0, 0, 1.414], ["host", "omniconnect-mun-01.local", 1778716800000000000, "network", "distinct_telematik_ids", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778720400000000000, "network", "distinct_telematik_ids", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-ham-01.local", 1778724000000000000, "network", "distinct_telematik_ids", 1.0, -0.707, -0.707, 0, 0, 0.707], ["host", "omniconnect-mun-01.local", 1778731200000000000, "network", "distinct_telematik_ids", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "network", "distinct_telematik_ids", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778738400000000000, "network", "distinct_telematik_ids", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778745600000000000, "network", "distinct_telematik_ids", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778745600000000000, "network", "distinct_telematik_ids", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-mun-01.local", 1778745600000000000, "network", "distinct_telematik_ids", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778752800000000000, "network", "distinct_telematik_ids", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-fra-01.local", 1778767200000000000, "network", "distinct_telematik_ids", 1.0, -0.577, -0.577, 0, 0, 0.577], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "distinct_destinations", 1.0, -1.0, 0.0, 0, 0, 1.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "distinct_destinations", 2.0, 1.0, 0.0, 0, 0, 1.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "distinct_destinations", 1.0, -1.0, 0.0, 0, 0, 1.0], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "distinct_destinations", 2.0, 1.0, 0.0, 0, 0, 1.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "distinct_destinations", 2.0, 1.0, 0.0, 0, 0, 1.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "distinct_destinations", 1.0, -1.0, 0.0, 0, 0, 1.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "distinct_destinations", 2.0, 1.0, 0.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "distinct_destinations", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "distinct_destinations", 1.0, -1.0, 0.0, 0, 0, 1.0], ["user", "billing.clerk.peter.wolf", 1778713200000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778713200000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".thomas.weber", 1778716800000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778720400000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778720400000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778724000000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "admin.klaus.fischer", 1778724000000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778731200000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778734800000000000, "cloud", "distinct_export_types", 2.0, 1.0, 0.0, 0, 0, 1.0], ["user", ".anna.schmidt", 1778742000000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "distinct_export_types", 1.0, -1.0, 0.0, 0, 0, 1.0], ["user", "pharmacist.hans.meyer", 1778752800000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778767200000000000, "cloud", "distinct_export_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "billing.clerk.peter.wolf", 1778716800000000000, "cloud", "distinct_msg_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778724000000000000, "cloud", "distinct_msg_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".anna.schmidt", 1778731200000000000, "cloud", "distinct_msg_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778742000000000000, "cloud", "distinct_msg_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", ".lisa.bauer", 1778752800000000000, "cloud", "distinct_msg_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["user", "lab.tech.sarah.koch", 1778752800000000000, "cloud", "distinct_msg_types", 2.0, 0.0, 0.0, 0, 0, 0.0], ["user", "nurse.maria.m\\u00fcller", 1778760000000000000, "cloud", "distinct_msg_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "distinct_cards", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "distinct_cards", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "distinct_cards", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "distinct_cards", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "distinct_cards", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "distinct_cards", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "distinct_cards", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "distinct_cards", 2.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "distinct_cards", 2.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "distinct_cards", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "distinct_cards", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "distinct_cards", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "distinct_cards", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "distinct_cards", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "distinct_cards", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "distinct_cards", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "distinct_cards", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "distinct_cards", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "distinct_cards", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "distinct_cards", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "distinct_cards", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "distinct_cards", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "distinct_cards", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "distinct_cards", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "distinct_cards", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "distinct_cards", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "distinct_terminals", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "distinct_terminals", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "distinct_terminals", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "distinct_terminals", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "distinct_terminals", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "distinct_terminals", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "distinct_terminals", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "distinct_terminals", 2.0, 2.646, 2.646, 0, 0, 2.646], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "distinct_terminals", 2.0, 2.0, 2.0, 0, 0, 2.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "distinct_terminals", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "distinct_terminals", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "distinct_terminals", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "distinct_terminals", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "distinct_terminals", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "distinct_terminals", 1.0, -0.5, -0.5, 0, 0, 0.5], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "distinct_terminals", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "distinct_terminals", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "distinct_terminals", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "distinct_terminals", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "distinct_terminals", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "distinct_terminals", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "distinct_terminals", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "distinct_terminals", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "distinct_terminals", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "distinct_terminals", 1.0, -0.378, -0.378, 0, 0, 0.378], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "distinct_terminals", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ber-01.local", 1778706000000000000, "healthcare", "distinct_card_types", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778706000000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778706000000000000, "healthcare", "distinct_card_types", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778709600000000000, "healthcare", "distinct_card_types", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-ham-01.local", 1778713200000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778720400000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778724000000000000, "healthcare", "distinct_card_types", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778724000000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778724000000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778731200000000000, "healthcare", "distinct_card_types", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-fra-01.local", 1778731200000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778731200000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778731200000000000, "healthcare", "distinct_card_types", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778734800000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ham-01.local", 1778734800000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778734800000000000, "healthcare", "distinct_card_types", 2.0, 1.732, 1.732, 0, 0, 1.732], ["host", "omniconnect-mun-01.local", 1778738400000000000, "healthcare", "distinct_card_types", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778745600000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778749200000000000, "healthcare", "distinct_card_types", 2.0, 1.225, 1.225, 0, 0, 1.225], ["host", "omniconnect-mun-01.local", 1778749200000000000, "healthcare", "distinct_card_types", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778760000000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-ber-01.local", 1778763600000000000, "healthcare", "distinct_card_types", 1.0, -0.816, -0.816, 0, 0, 0.816], ["host", "omniconnect-fra-01.local", 1778763600000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778763600000000000, "healthcare", "distinct_card_types", 1.0, -0.577, -0.577, 0, 0, 0.577], ["host", "omniconnect-fra-01.local", 1778767200000000000, "healthcare", "distinct_card_types", 1.0, 0.0, 0.0, 0, 0, 0.0], ["host", "omniconnect-mun-01.local", 1778767200000000000, "healthcare", "distinct_card_types", 1.0, -0.577, -0.577, 0, 0, 0.577]]} \ No newline at end of file diff --git a/parsers/ueba_features_hourly b/parsers/ueba_features_hourly new file mode 100644 index 0000000..88ec506 --- /dev/null +++ b/parsers/ueba_features_hourly @@ -0,0 +1 @@ +{"columnNames": ["entity_type", "entity_id", "hour_ts", "family", "feature_name", "value"], "rows": [["user", ".anna.schmidt", 1779058800000000000, "auth", "account_locked", 0], ["user", ".lisa.bauer", 1779058800000000000, "auth", "account_locked", 1], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "account_locked", 0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "account_locked", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "account_locked", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "account_locked", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "account_locked", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "account_locked", 1], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "account_locked", 1], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "account_locked", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "account_locked", 0], ["user", ".lisa.bauer", 1779066000000000000, "auth", "account_locked", 0], ["user", ".thomas.weber", 1779066000000000000, "auth", "account_locked", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "account_locked", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "account_locked", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "account_locked", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "account_locked", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "account_locked", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "account_locked", 1], ["user", ".lisa.bauer", 1779069600000000000, "auth", "account_locked", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "account_locked", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "account_locked", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "account_locked", 1], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "account_locked", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "account_locked", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "account_locked", 0], ["user", ".anna.schmidt", 1779073200000000000, "auth", "account_locked", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "account_locked", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "account_locked", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "account_locked", 1], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "account_locked", 0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "account_locked", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "account_locked", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "account_locked", 0], ["user", ".anna.schmidt", 1779076800000000000, "auth", "account_locked", 1], ["user", ".lisa.bauer", 1779076800000000000, "auth", "account_locked", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "account_locked", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "account_locked", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "account_locked", 1], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "account_locked", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "account_locked", 1], ["user", ".anna.schmidt", 1779080400000000000, "auth", "account_locked", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "account_locked", 2], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "account_locked", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "account_locked", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "account_locked", 1], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "account_locked", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "account_locked", 0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "account_locked", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "account_locked", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "account_locked", 1], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "account_locked", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "account_unlocked_fail", 0], ["user", ".lisa.bauer", 1779058800000000000, "auth", "account_unlocked_fail", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "account_unlocked_fail", 0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "account_unlocked_fail", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "account_unlocked_fail", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "account_unlocked_fail", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "account_unlocked_fail", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "account_unlocked_fail", 0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "account_unlocked_fail", 0], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "account_unlocked_fail", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "account_unlocked_fail", 0], ["user", ".lisa.bauer", 1779066000000000000, "auth", "account_unlocked_fail", 0], ["user", ".thomas.weber", 1779066000000000000, "auth", "account_unlocked_fail", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "account_unlocked_fail", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "account_unlocked_fail", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "account_unlocked_fail", 1], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "account_unlocked_fail", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "account_unlocked_fail", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "account_unlocked_fail", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "account_unlocked_fail", 1], ["user", ".thomas.weber", 1779069600000000000, "auth", "account_unlocked_fail", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "account_unlocked_fail", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "account_unlocked_fail", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "account_unlocked_fail", 1], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "account_unlocked_fail", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "account_unlocked_fail", 0], ["user", ".anna.schmidt", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "account_unlocked_fail", 0], ["user", ".anna.schmidt", 1779076800000000000, "auth", "account_unlocked_fail", 1], ["user", ".lisa.bauer", 1779076800000000000, "auth", "account_unlocked_fail", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "account_unlocked_fail", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "account_unlocked_fail", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "account_unlocked_fail", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "account_unlocked_fail", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "account_unlocked_fail", 0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "account_unlocked_fail", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "account_unlocked_fail", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "account_unlocked_fail", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "account_unlocked_fail", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "account_unlocked_fail", 0], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "account_unlocked_fail", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "account_unlocked_fail", 1], ["user", ".anna.schmidt", 1779084000000000000, "auth", "account_unlocked_fail", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "account_unlocked_fail", 1], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "account_unlocked_fail", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "account_unlocked_fail", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "auth_fail", 1], ["user", ".lisa.bauer", 1779058800000000000, "auth", "auth_fail", 1], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "auth_fail", 1], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "auth_fail", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "auth_fail", 1], ["user", ".lisa.bauer", 1779062400000000000, "auth", "auth_fail", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "auth_fail", 2], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "auth_fail", 2], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "auth_fail", 2], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "auth_fail", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "auth_fail", 1], ["user", ".lisa.bauer", 1779066000000000000, "auth", "auth_fail", 1], ["user", ".thomas.weber", 1779066000000000000, "auth", "auth_fail", 2], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "auth_fail", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "auth_fail", 1], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "auth_fail", 2], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "auth_fail", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "auth_fail", 1], ["user", ".anna.schmidt", 1779069600000000000, "auth", "auth_fail", 1], ["user", ".lisa.bauer", 1779069600000000000, "auth", "auth_fail", 1], ["user", ".thomas.weber", 1779069600000000000, "auth", "auth_fail", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "auth_fail", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "auth_fail", 1], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "auth_fail", 1], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "auth_fail", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "auth_fail", 1], ["user", ".anna.schmidt", 1779073200000000000, "auth", "auth_fail", 1], ["user", ".lisa.bauer", 1779073200000000000, "auth", "auth_fail", 1], ["user", ".thomas.weber", 1779073200000000000, "auth", "auth_fail", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "auth_fail", 2], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "auth_fail", 1], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "auth_fail", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "auth_fail", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "auth_fail", 1], ["user", ".anna.schmidt", 1779076800000000000, "auth", "auth_fail", 3], ["user", ".lisa.bauer", 1779076800000000000, "auth", "auth_fail", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "auth_fail", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "auth_fail", 2], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "auth_fail", 2], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "auth_fail", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "auth_fail", 1], ["user", ".anna.schmidt", 1779080400000000000, "auth", "auth_fail", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "auth_fail", 2], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "auth_fail", 2], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "auth_fail", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "auth_fail", 3], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "auth_fail", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "auth_fail", 1], ["user", ".anna.schmidt", 1779084000000000000, "auth", "auth_fail", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "auth_fail", 2], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "auth_fail", 1], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "auth_fail", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "auth_fail_ratio", 1.0], ["user", ".lisa.bauer", 1779058800000000000, "auth", "auth_fail_ratio", 1.0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "auth_fail_ratio", 1.0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "auth_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "auth_fail_ratio", 1.0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "auth_fail_ratio", 0.0], ["user", ".thomas.weber", 1779062400000000000, "auth", "auth_fail_ratio", 0.5], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "auth_fail_ratio", 0.6666666666666666], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "auth_fail_ratio", 0.5], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "auth_fail_ratio", 0.5], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "auth_fail_ratio", 0.2], ["user", ".lisa.bauer", 1779066000000000000, "auth", "auth_fail_ratio", 0.25], ["user", ".thomas.weber", 1779066000000000000, "auth", "auth_fail_ratio", 1.0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "auth_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "auth_fail_ratio", 1.0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "auth_fail_ratio", 1.0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "auth_fail_ratio", 0.3333333333333333], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "auth_fail_ratio", 0.5], ["user", ".anna.schmidt", 1779069600000000000, "auth", "auth_fail_ratio", 0.3333333333333333], ["user", ".lisa.bauer", 1779069600000000000, "auth", "auth_fail_ratio", 1.0], ["user", ".thomas.weber", 1779069600000000000, "auth", "auth_fail_ratio", 0.5], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "auth_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "auth_fail_ratio", 0.25], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "auth_fail_ratio", 0.5], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "auth_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "auth_fail_ratio", 0.3333333333333333], ["user", ".anna.schmidt", 1779073200000000000, "auth", "auth_fail_ratio", 1.0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "auth_fail_ratio", 1.0], ["user", ".thomas.weber", 1779073200000000000, "auth", "auth_fail_ratio", 0.3333333333333333], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "auth_fail_ratio", 0.6666666666666666], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "auth_fail_ratio", 0.3333333333333333], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "auth_fail_ratio", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "auth_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "auth_fail_ratio", 0.16666666666666666], ["user", ".anna.schmidt", 1779076800000000000, "auth", "auth_fail_ratio", 0.75], ["user", ".lisa.bauer", 1779076800000000000, "auth", "auth_fail_ratio", 0.0], ["user", ".thomas.weber", 1779076800000000000, "auth", "auth_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "auth_fail_ratio", 0.6666666666666666], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "auth_fail_ratio", 1.0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "auth_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "auth_fail_ratio", 0.3333333333333333], ["user", ".anna.schmidt", 1779080400000000000, "auth", "auth_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "auth_fail_ratio", 1.0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "auth_fail_ratio", 1.0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "auth_fail_ratio", 0.0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "auth_fail_ratio", 0.75], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "auth_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "auth_fail_ratio", 0.3333333333333333], ["user", ".anna.schmidt", 1779084000000000000, "auth", "auth_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "auth_fail_ratio", 1.0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "auth_fail_ratio", 0.5], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "auth_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "auth_succ", 0], ["user", ".lisa.bauer", 1779058800000000000, "auth", "auth_succ", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "auth_succ", 0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "auth_succ", 1], ["user", ".anna.schmidt", 1779062400000000000, "auth", "auth_succ", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "auth_succ", 1], ["user", ".thomas.weber", 1779062400000000000, "auth", "auth_succ", 2], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "auth_succ", 1], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "auth_succ", 2], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "auth_succ", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "auth_succ", 4], ["user", ".lisa.bauer", 1779066000000000000, "auth", "auth_succ", 3], ["user", ".thomas.weber", 1779066000000000000, "auth", "auth_succ", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "auth_succ", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "auth_succ", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "auth_succ", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "auth_succ", 2], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "auth_succ", 1], ["user", ".anna.schmidt", 1779069600000000000, "auth", "auth_succ", 2], ["user", ".lisa.bauer", 1779069600000000000, "auth", "auth_succ", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "auth_succ", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "auth_succ", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "auth_succ", 3], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "auth_succ", 1], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "auth_succ", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "auth_succ", 2], ["user", ".anna.schmidt", 1779073200000000000, "auth", "auth_succ", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "auth_succ", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "auth_succ", 2], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "auth_succ", 1], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "auth_succ", 2], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "auth_succ", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "auth_succ", 2], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "auth_succ", 5], ["user", ".anna.schmidt", 1779076800000000000, "auth", "auth_succ", 1], ["user", ".lisa.bauer", 1779076800000000000, "auth", "auth_succ", 1], ["user", ".thomas.weber", 1779076800000000000, "auth", "auth_succ", 1], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "auth_succ", 1], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "auth_succ", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "auth_succ", 1], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "auth_succ", 2], ["user", ".anna.schmidt", 1779080400000000000, "auth", "auth_succ", 1], ["user", ".lisa.bauer", 1779080400000000000, "auth", "auth_succ", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "auth_succ", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "auth_succ", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "auth_succ", 1], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "auth_succ", 2], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "auth_succ", 2], ["user", ".anna.schmidt", 1779084000000000000, "auth", "auth_succ", 1], ["user", ".lisa.bauer", 1779084000000000000, "auth", "auth_succ", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "auth_succ", 1], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "auth_succ", 2], ["user", ".anna.schmidt", 1779058800000000000, "auth", "auth_total", 1], ["user", ".lisa.bauer", 1779058800000000000, "auth", "auth_total", 1], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "auth_total", 1], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "auth_total", 1], ["user", ".anna.schmidt", 1779062400000000000, "auth", "auth_total", 1], ["user", ".lisa.bauer", 1779062400000000000, "auth", "auth_total", 1], ["user", ".thomas.weber", 1779062400000000000, "auth", "auth_total", 4], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "auth_total", 3], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "auth_total", 4], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "auth_total", 2], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "auth_total", 5], ["user", ".lisa.bauer", 1779066000000000000, "auth", "auth_total", 4], ["user", ".thomas.weber", 1779066000000000000, "auth", "auth_total", 2], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "auth_total", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "auth_total", 1], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "auth_total", 2], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "auth_total", 3], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "auth_total", 2], ["user", ".anna.schmidt", 1779069600000000000, "auth", "auth_total", 3], ["user", ".lisa.bauer", 1779069600000000000, "auth", "auth_total", 1], ["user", ".thomas.weber", 1779069600000000000, "auth", "auth_total", 2], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "auth_total", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "auth_total", 4], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "auth_total", 2], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "auth_total", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "auth_total", 3], ["user", ".anna.schmidt", 1779073200000000000, "auth", "auth_total", 1], ["user", ".lisa.bauer", 1779073200000000000, "auth", "auth_total", 1], ["user", ".thomas.weber", 1779073200000000000, "auth", "auth_total", 3], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "auth_total", 3], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "auth_total", 3], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "auth_total", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "auth_total", 2], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "auth_total", 6], ["user", ".anna.schmidt", 1779076800000000000, "auth", "auth_total", 4], ["user", ".lisa.bauer", 1779076800000000000, "auth", "auth_total", 1], ["user", ".thomas.weber", 1779076800000000000, "auth", "auth_total", 1], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "auth_total", 3], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "auth_total", 2], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "auth_total", 1], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "auth_total", 3], ["user", ".anna.schmidt", 1779080400000000000, "auth", "auth_total", 1], ["user", ".lisa.bauer", 1779080400000000000, "auth", "auth_total", 2], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "auth_total", 2], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "auth_total", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "auth_total", 4], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "auth_total", 2], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "auth_total", 3], ["user", ".anna.schmidt", 1779084000000000000, "auth", "auth_total", 1], ["user", ".lisa.bauer", 1779084000000000000, "auth", "auth_total", 2], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "auth_total", 2], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "auth_total", 2], ["user", ".anna.schmidt", 1779058800000000000, "auth", "login_failure", 1], ["user", ".lisa.bauer", 1779058800000000000, "auth", "login_failure", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "login_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "login_failure", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "login_failure", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "login_failure", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "login_failure", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "login_failure", 0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "login_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "login_failure", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "login_failure", 1], ["user", ".lisa.bauer", 1779066000000000000, "auth", "login_failure", 0], ["user", ".thomas.weber", 1779066000000000000, "auth", "login_failure", 1], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "login_failure", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "login_failure", 1], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "login_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "login_failure", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "login_failure", 1], ["user", ".anna.schmidt", 1779069600000000000, "auth", "login_failure", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "login_failure", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "login_failure", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "login_failure", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "login_failure", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "login_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "login_failure", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "login_failure", 0], ["user", ".anna.schmidt", 1779073200000000000, "auth", "login_failure", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "login_failure", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "login_failure", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "login_failure", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "login_failure", 1], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "login_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "login_failure", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "login_failure", 1], ["user", ".anna.schmidt", 1779076800000000000, "auth", "login_failure", 0], ["user", ".lisa.bauer", 1779076800000000000, "auth", "login_failure", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "login_failure", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "login_failure", 1], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "login_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "login_failure", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "login_failure", 0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "login_failure", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "login_failure", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "login_failure", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "login_failure", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "login_failure", 1], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "login_failure", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "login_failure", 0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "login_failure", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "login_failure", 1], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "login_failure", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "login_failure", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "login_success", 0], ["user", ".lisa.bauer", 1779058800000000000, "auth", "login_success", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "login_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "login_success", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "login_success", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "login_success", 1], ["user", ".thomas.weber", 1779062400000000000, "auth", "login_success", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "login_success", 1], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "login_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "login_success", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "login_success", 1], ["user", ".lisa.bauer", 1779066000000000000, "auth", "login_success", 0], ["user", ".thomas.weber", 1779066000000000000, "auth", "login_success", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "login_success", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "login_success", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "login_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "login_success", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "login_success", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "login_success", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "login_success", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "login_success", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "login_success", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "login_success", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "login_success", 1], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "login_success", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "login_success", 1], ["user", ".anna.schmidt", 1779073200000000000, "auth", "login_success", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "login_success", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "login_success", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "login_success", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "login_success", 0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "login_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "login_success", 1], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "login_success", 0], ["user", ".anna.schmidt", 1779076800000000000, "auth", "login_success", 1], ["user", ".lisa.bauer", 1779076800000000000, "auth", "login_success", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "login_success", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "login_success", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "login_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "login_success", 1], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "login_success", 0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "login_success", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "login_success", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "login_success", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "login_success", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "login_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "login_success", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "login_success", 1], ["user", ".anna.schmidt", 1779084000000000000, "auth", "login_success", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "login_success", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "login_success", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "login_success", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "logout", 0], ["user", ".lisa.bauer", 1779058800000000000, "auth", "logout", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "logout", 0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "logout", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "logout", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "logout", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "logout", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "logout", 0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "logout", 0], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "logout", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "logout", 1], ["user", ".lisa.bauer", 1779066000000000000, "auth", "logout", 1], ["user", ".thomas.weber", 1779066000000000000, "auth", "logout", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "logout", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "logout", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "logout", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "logout", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "logout", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "logout", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "logout", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "logout", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "logout", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "logout", 2], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "logout", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "logout", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "logout", 0], ["user", ".anna.schmidt", 1779073200000000000, "auth", "logout", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "logout", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "logout", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "logout", 1], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "logout", 1], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "logout", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "logout", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "logout", 0], ["user", ".anna.schmidt", 1779076800000000000, "auth", "logout", 0], ["user", ".lisa.bauer", 1779076800000000000, "auth", "logout", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "logout", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "logout", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "logout", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "logout", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "logout", 0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "logout", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "logout", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "logout", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "logout", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "logout", 1], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "logout", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "logout", 0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "logout", 1], ["user", ".lisa.bauer", 1779084000000000000, "auth", "logout", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "logout", 1], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "logout", 1], ["user", ".anna.schmidt", 1779058800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779058800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "mfa_fail_ratio", 1.0], ["user", "nurse.maria.m\\u00fcller", 1779058800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "mfa_fail_ratio", 1.0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".thomas.weber", 1779062400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "mfa_fail_ratio", 1.0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "mfa_fail_ratio", 1.0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779066000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".thomas.weber", 1779066000000000000, "auth", "mfa_fail_ratio", 1.0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".thomas.weber", 1779069600000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "mfa_fail_ratio", 0.5], ["user", ".anna.schmidt", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".thomas.weber", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779076800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779076800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".thomas.weber", 1779076800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "mfa_fail_ratio", 1.0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "mfa_fail_ratio", 1.0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "mfa_fail_ratio", 1.0], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "mfa_fail_ratio", 0.0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "mfa_failure", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "mfa_failure", 1], ["user", ".anna.schmidt", 1779062400000000000, "auth", "mfa_failure", 1], ["user", ".lisa.bauer", 1779062400000000000, "auth", "mfa_failure", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "mfa_failure", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "mfa_failure", 1], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "mfa_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "mfa_failure", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "mfa_failure", 0], ["user", ".lisa.bauer", 1779066000000000000, "auth", "mfa_failure", 0], ["user", ".thomas.weber", 1779066000000000000, "auth", "mfa_failure", 1], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "mfa_failure", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "mfa_failure", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "mfa_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "mfa_failure", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "mfa_failure", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "mfa_failure", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "mfa_failure", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "mfa_failure", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "mfa_failure", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "mfa_failure", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "mfa_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "mfa_failure", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "mfa_failure", 1], ["user", ".anna.schmidt", 1779073200000000000, "auth", "mfa_failure", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "mfa_failure", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "mfa_failure", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "mfa_failure", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "mfa_failure", 0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "mfa_failure", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "mfa_failure", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "mfa_failure", 0], ["user", ".anna.schmidt", 1779076800000000000, "auth", "mfa_failure", 0], ["user", ".lisa.bauer", 1779076800000000000, "auth", "mfa_failure", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "mfa_failure", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "mfa_failure", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "mfa_failure", 1], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "mfa_failure", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "mfa_failure", 0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "mfa_failure", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "mfa_failure", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "mfa_failure", 1], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "mfa_failure", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "mfa_failure", 1], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "mfa_failure", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "mfa_failure", 0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "mfa_failure", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "mfa_failure", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "mfa_failure", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "mfa_failure", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "mfa_success", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "mfa_success", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "mfa_success", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "mfa_success", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "mfa_success", 1], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "mfa_success", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "mfa_success", 1], ["user", ".lisa.bauer", 1779066000000000000, "auth", "mfa_success", 1], ["user", ".thomas.weber", 1779066000000000000, "auth", "mfa_success", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "mfa_success", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "mfa_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "mfa_success", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "mfa_success", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "mfa_success", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "mfa_success", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "mfa_success", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "mfa_success", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "mfa_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "mfa_success", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "mfa_success", 1], ["user", ".anna.schmidt", 1779073200000000000, "auth", "mfa_success", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "mfa_success", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "mfa_success", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "mfa_success", 0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "mfa_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "mfa_success", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "mfa_success", 2], ["user", ".anna.schmidt", 1779076800000000000, "auth", "mfa_success", 0], ["user", ".lisa.bauer", 1779076800000000000, "auth", "mfa_success", 1], ["user", ".thomas.weber", 1779076800000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "mfa_success", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "mfa_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "mfa_success", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "mfa_success", 1], ["user", ".anna.schmidt", 1779080400000000000, "auth", "mfa_success", 1], ["user", ".lisa.bauer", 1779080400000000000, "auth", "mfa_success", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "mfa_success", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "mfa_success", 0], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "mfa_success", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "mfa_success", 0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "mfa_success", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "mfa_success", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "mfa_success", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "mfa_success", 1], ["user", ".anna.schmidt", 1779058800000000000, "auth", "password_change", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "password_change", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "password_change", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "password_change", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "password_change", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "password_change", 0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "password_change", 1], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "password_change", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "password_change", 1], ["user", ".lisa.bauer", 1779066000000000000, "auth", "password_change", 1], ["user", ".thomas.weber", 1779066000000000000, "auth", "password_change", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "password_change", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "password_change", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "password_change", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "password_change", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "password_change", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "password_change", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "password_change", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "password_change", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "password_change", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "password_change", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "password_change", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "password_change", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "password_change", 0], ["user", ".anna.schmidt", 1779073200000000000, "auth", "password_change", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "password_change", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "password_change", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "password_change", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "password_change", 1], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "password_change", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "password_change", 1], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "password_change", 1], ["user", ".anna.schmidt", 1779076800000000000, "auth", "password_change", 0], ["user", ".lisa.bauer", 1779076800000000000, "auth", "password_change", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "password_change", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "password_change", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "password_change", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "password_change", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "password_change", 0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "password_change", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "password_change", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "password_change", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "password_change", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "password_change", 0], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "password_change", 2], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "password_change", 0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "password_change", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "password_change", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "password_change", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "password_change", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "password_reset_req", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "password_reset_req", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "password_reset_req", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "password_reset_req", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "password_reset_req", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "password_reset_req", 0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "password_reset_req", 1], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "password_reset_req", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "password_reset_req", 0], ["user", ".lisa.bauer", 1779066000000000000, "auth", "password_reset_req", 1], ["user", ".thomas.weber", 1779066000000000000, "auth", "password_reset_req", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "password_reset_req", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "password_reset_req", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "password_reset_req", 1], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "password_reset_req", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "password_reset_req", 0], ["user", ".anna.schmidt", 1779069600000000000, "auth", "password_reset_req", 0], ["user", ".lisa.bauer", 1779069600000000000, "auth", "password_reset_req", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "password_reset_req", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "password_reset_req", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "password_reset_req", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "password_reset_req", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "password_reset_req", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "password_reset_req", 0], ["user", ".anna.schmidt", 1779073200000000000, "auth", "password_reset_req", 1], ["user", ".lisa.bauer", 1779073200000000000, "auth", "password_reset_req", 1], ["user", ".thomas.weber", 1779073200000000000, "auth", "password_reset_req", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "password_reset_req", 1], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "password_reset_req", 0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "password_reset_req", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "password_reset_req", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "password_reset_req", 0], ["user", ".anna.schmidt", 1779076800000000000, "auth", "password_reset_req", 1], ["user", ".lisa.bauer", 1779076800000000000, "auth", "password_reset_req", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "password_reset_req", 0], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "password_reset_req", 1], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "password_reset_req", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "password_reset_req", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "password_reset_req", 0], ["user", ".anna.schmidt", 1779080400000000000, "auth", "password_reset_req", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "password_reset_req", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "password_reset_req", 1], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "password_reset_req", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "password_reset_req", 0], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "password_reset_req", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "password_reset_req", 0], ["user", ".anna.schmidt", 1779084000000000000, "auth", "password_reset_req", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "password_reset_req", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "password_reset_req", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "password_reset_req", 0], ["user", ".anna.schmidt", 1779058800000000000, "auth", "session_timeout", 0], ["user", "billing.clerk.peter.wolf", 1779058800000000000, "auth", "session_timeout", 0], ["user", ".anna.schmidt", 1779062400000000000, "auth", "session_timeout", 0], ["user", ".lisa.bauer", 1779062400000000000, "auth", "session_timeout", 0], ["user", ".thomas.weber", 1779062400000000000, "auth", "session_timeout", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "session_timeout", 0], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "session_timeout", 0], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "session_timeout", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "session_timeout", 0], ["user", ".lisa.bauer", 1779066000000000000, "auth", "session_timeout", 0], ["user", ".thomas.weber", 1779066000000000000, "auth", "session_timeout", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "session_timeout", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "session_timeout", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "session_timeout", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "session_timeout", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "session_timeout", 1], ["user", ".anna.schmidt", 1779069600000000000, "auth", "session_timeout", 2], ["user", ".lisa.bauer", 1779069600000000000, "auth", "session_timeout", 0], ["user", ".thomas.weber", 1779069600000000000, "auth", "session_timeout", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "session_timeout", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "session_timeout", 1], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "session_timeout", 0], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "session_timeout", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "session_timeout", 0], ["user", ".anna.schmidt", 1779073200000000000, "auth", "session_timeout", 0], ["user", ".lisa.bauer", 1779073200000000000, "auth", "session_timeout", 0], ["user", ".thomas.weber", 1779073200000000000, "auth", "session_timeout", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "session_timeout", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "session_timeout", 0], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "session_timeout", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "session_timeout", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "session_timeout", 2], ["user", ".anna.schmidt", 1779076800000000000, "auth", "session_timeout", 0], ["user", ".lisa.bauer", 1779076800000000000, "auth", "session_timeout", 0], ["user", ".thomas.weber", 1779076800000000000, "auth", "session_timeout", 1], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "session_timeout", 1], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "session_timeout", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "session_timeout", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "session_timeout", 1], ["user", ".anna.schmidt", 1779080400000000000, "auth", "session_timeout", 0], ["user", ".lisa.bauer", 1779080400000000000, "auth", "session_timeout", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "session_timeout", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "session_timeout", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "session_timeout", 0], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "session_timeout", 0], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "session_timeout", 1], ["user", ".anna.schmidt", 1779084000000000000, "auth", "session_timeout", 0], ["user", ".lisa.bauer", 1779084000000000000, "auth", "session_timeout", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "session_timeout", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "session_timeout", 0], ["host", "avelios-app-01.berlin.local", 1779058800000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-03.berlin.local", 1779058800000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-int-01.berlin.local", 1779058800000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779058800000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_auth_events", 4], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_auth_events", 8], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_auth_events", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_auth_events", 4], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_auth_events", 7], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_auth_events", 6], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_auth_events", 7], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_auth_events", 6], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_auth_events", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_auth_events", 5], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_auth_events", 8], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_auth_events", 5], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_auth_events", 8], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_auth_events", 4], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_auth_events", 6], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_auth_events", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_auth_events", 4], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_auth_events", 5], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_auth_events", 3], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_auth_events", 8], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_auth_events", 6], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_auth_events", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_auth_events", 9], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_auth_events", 7], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_auth_events", 4], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_auth_events", 4], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_auth_events", 4], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_auth_events", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_auth_events", 6], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_auth_events", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_auth_events", 4], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_auth_events", 6], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_auth_events", 6], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_auth_events", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_auth_events", 4], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_auth_events", 9], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_auth_events", 4], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_auth_events", 3], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_auth_events", 1], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_auth_events", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_auth_events", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_auth_events", 3], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_auth_events", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_auth_events", 3], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_auth_events", 2], ["host", "avelios-app-01.berlin.local", 1779058800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779058800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779058800000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779058800000000000, "endpoint", "host_card_events", 1], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_card_events", 4], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_card_events", 7], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_card_events", 6], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_card_events", 7], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_card_events", 5], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_card_events", 8], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_card_events", 5], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_card_events", 8], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_card_events", 4], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_card_events", 5], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_card_events", 3], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_card_events", 3], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_card_events", 9], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_card_events", 7], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_card_events", 4], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_card_events", 4], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_card_events", 6], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_card_events", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_card_events", 4], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_card_events", 6], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_card_events", 4], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_card_events", 9], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_card_events", 4], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_card_events", 3], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_card_events", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_card_events", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_card_events", 3], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_card_events", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_card_events", 3], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_card_events", 2], ["host", "avelios-app-01.berlin.local", 1779058800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779058800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779058800000000000, "endpoint", "host_data_events", 1], ["host", "omniconnect-ber-01.local", 1779058800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_data_events", 7], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_data_events", 8], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_data_events", 6], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_data_events", 2], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_data_events", 7], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_data_events", 5], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_data_events", 10], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_data_events", 3], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_data_events", 6], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_data_events", 3], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_data_events", 6], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_data_events", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_data_events", 2], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_data_events", 2], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_data_events", 0], ["host", "avelios-app-01.berlin.local", 1779058800000000000, "endpoint", "host_events", 1], ["host", "avelios-app-03.berlin.local", 1779058800000000000, "endpoint", "host_events", 1], ["host", "avelios-int-01.berlin.local", 1779058800000000000, "endpoint", "host_events", 1], ["host", "omniconnect-ber-01.local", 1779058800000000000, "endpoint", "host_events", 1], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_events", 4], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_events", 1], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_events", 3], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_events", 2], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_events", 8], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_events", 2], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_events", 7], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_events", 8], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_events", 10], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_events", 12], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_events", 9], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_events", 7], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_events", 1], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_events", 3], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_events", 2], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_events", 6], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_events", 2], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_events", 1], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_events", 6], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_events", 2], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_events", 6], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_events", 10], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_events", 7], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_events", 10], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_events", 4], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_events", 2], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_events", 6], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_events", 1], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_events", 2], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_events", 2], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_events", 7], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_events", 5], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_events", 11], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_events", 9], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_events", 9], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_events", 8], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_events", 8], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_events", 2], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_events", 1], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_events", 6], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_events", 3], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_events", 10], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_events", 3], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_events", 10], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_events", 9], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_events", 7], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_events", 9], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_events", 2], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_events", 1], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_events", 3], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_events", 2], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_events", 4], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_events", 3], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_events", 6], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_events", 3], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_events", 10], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_events", 8], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_events", 7], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_events", 6], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_events", 2], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_events", 6], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_events", 2], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_events", 3], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_events", 2], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_events", 6], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_events", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_events", 9], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_events", 11], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_events", 4], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_events", 6], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_events", 3], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_events", 2], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_events", 1], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_events", 1], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_events", 2], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_events", 2], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_events", 7], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_events", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_events", 4], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_events", 2], ["host", "avelios-app-01.berlin.local", 1779058800000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-app-03.berlin.local", 1779058800000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-int-01.berlin.local", 1779058800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779058800000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.3333333333333333], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.25], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.6], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.5], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.2222222222222222], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_failure_ratio", 0.42857142857142855], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.3333333333333333], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.5], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.6666666666666666], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.3], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.7142857142857143], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_failure_ratio", 0.4], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.5], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.3333333333333333], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.18181818181818182], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.1111111111111111], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.2222222222222222], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_failure_ratio", 0.375], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.125], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.6666666666666666], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.6666666666666666], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.3333333333333333], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.14285714285714285], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_failure_ratio", 0.3333333333333333], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.6666666666666666], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.5], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.6666666666666666], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.125], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.8333333333333334], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.5], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.3333333333333333], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.5], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.4444444444444444], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.09090909090909091], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_failure_ratio", 0.16666666666666666], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.3333333333333333], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_failure_ratio", 1.0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.5714285714285714], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.25], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_failure_ratio", 0.5], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_failures", 4], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_failures", 2], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_failures", 2], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_failures", 6], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_failures", 6], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_failures", 2], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_failures", 3], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_failures", 4], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_failures", 2], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_failures", 3], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_failures", 5], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_failures", 4], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_failures", 2], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_failures", 2], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_failures", 2], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_failures", 2], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_failures", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_failures", 2], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_failures", 3], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_failures", 4], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_failures", 2], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_failures", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_failures", 3], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_failures", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_failures", 3], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_failures", 2], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_failures", 2], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_failures", 2], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_failures", 2], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_failures", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_failures", 5], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_failures", 1], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_failures", 4], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_failures", 1], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_failures", 0], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_failures", 1], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_failures", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_failures", 4], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_failures", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_failures", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_failures", 1], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_high_severity", 4], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_high_severity", 6], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_high_severity", 2], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_high_severity", 1], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_high_severity", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_high_severity", 4], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_high_severity", 2], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_high_severity", 2], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_high_severity", 2], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_high_severity", 2], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_high_severity", 4], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_high_severity", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_high_severity", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_high_severity", 2], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_high_severity", 2], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_high_severity", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_high_severity", 2], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_high_severity", 3], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_high_severity", 2], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_high_severity", 1], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_high_severity", 3], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_high_severity", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_high_severity", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_high_severity", 0], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_infos", 2], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_infos", 2], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_infos", 1], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_infos", 4], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_infos", 3], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_infos", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_infos", 2], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_infos", 3], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_infos", 2], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_infos", 3], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_infos", 1], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_infos", 2], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_infos", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_infos", 3], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_infos", 1], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_infos", 3], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_infos", 3], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_infos", 2], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_infos", 1], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_infos", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_infos", 3], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_infos", 1], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_infos", 0], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_infos", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_infos", 1], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_infos", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_infos", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_infos", 1], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_ti_events", 6], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_ti_events", 5], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_ti_events", 3], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_ti_events", 1], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_ti_events", 2], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_ti_events", 2], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_ti_events", 2], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_ti_events", 7], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_ti_events", 4], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_ti_events", 6], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_ti_events", 5], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_ti_events", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_ti_events", 2], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_ti_events", 3], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_ti_events", 5], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_ti_events", 4], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_ti_events", 6], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_ti_events", 3], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_ti_events", 5], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_ti_events", 2], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_ti_events", 3], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_ti_events", 4], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_ti_events", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_ti_events", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "cert_expired", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "cert_expired", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "cert_expired", 1], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "cert_expired", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "cert_expired", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "cert_expired", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "cert_expired", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "cert_expired", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "cert_expired", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "cert_expired", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "cert_expired", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "cert_expired", 1], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "cert_expired", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "cert_expired", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "cert_expired", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "cert_expired", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "cert_expired", 2], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "cert_expired", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "cert_expired", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "cert_expired", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "cert_expired", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "cert_expired", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "cert_expired", 1], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "cert_expired", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "cert_expired", 2], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "cert_expired", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "cert_expiring", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "cert_expiring", 2], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "cert_expiring", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "cert_expiring", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "cert_expiring", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "cert_expiring", 1], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "cert_expiring", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "cert_expiring", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "cert_expiring", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "cert_expiring", 1], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "cert_expiring", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "cert_expiring", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "cert_expiring", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "cert_expiring", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "cert_expiring", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "cert_expiring", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "cert_expiring", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "cert_expiring", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "cert_valid", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "cert_valid", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "cert_valid", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "cert_valid", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "cert_valid", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "cert_valid", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "cert_valid", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "cert_valid", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "cert_valid", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "cert_valid", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "cert_valid", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "cert_valid", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "cert_valid", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "cert_valid", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "cert_valid", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "cert_valid", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "cert_valid", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "cert_valid", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "cert_valid", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "cert_valid", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "cert_valid", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "cert_valid", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "cert_valid", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "cert_valid", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "high_sev_events", 3], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "high_sev_events", 3], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "high_sev_events", 1], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "high_sev_events", 1], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "high_sev_events", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "high_sev_events", 2], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "high_sev_events", 1], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "high_sev_events", 2], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "high_sev_events", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "high_sev_events", 2], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "high_sev_events", 3], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "high_sev_events", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "high_sev_events", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "high_sev_events", 2], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "high_sev_events", 2], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "high_sev_events", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "high_sev_events", 2], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "high_sev_events", 2], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "high_sev_events", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "high_sev_events", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "high_sev_events", 2], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "high_sev_events", 1], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "konnektor_connected", 2], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "konnektor_connected", 1], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "konnektor_connected", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "konnektor_connected", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "konnektor_connected", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "konnektor_connected", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "konnektor_connected", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "konnektor_connected", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "konnektor_disconnected", 1], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "konnektor_disconnected", 2], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "konnektor_disconnected", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "konnektor_disconnected", 1], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "konnektor_disconnected", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "konnektor_disconnected", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "konnektor_disconnected", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "konnektor_flap_score", 2.0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "konnektor_flap_score", 1.0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "konnektor_flap_score", 1.0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "konnektor_flap_score", 2.0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "konnektor_flap_score", 2.0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "konnektor_flap_score", 1.0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "konnektor_flap_score", 1.0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "konnektor_flap_score", 1.0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "konnektor_flap_score", 1.0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "konnektor_flap_score", 1.0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "konnektor_flap_score", 0.0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "konnektor_flap_score", 0.0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "konnektor_health_check", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "konnektor_health_check", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "konnektor_health_check", 2], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "konnektor_health_check", 2], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "konnektor_health_check", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "konnektor_health_check", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "konnektor_health_check", 1], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "konnektor_health_check", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "konnektor_health_check", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "konnektor_health_check", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "ti_events", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "ti_events", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "ti_events", 6], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "ti_events", 5], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "ti_events", 3], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "ti_events", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "ti_events", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "ti_events", 1], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "ti_events", 2], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "ti_events", 2], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "ti_events", 2], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "ti_events", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "ti_events", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "ti_events", 7], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "ti_events", 4], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "ti_events", 6], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "ti_events", 5], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "ti_events", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "ti_events", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "ti_events", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "ti_events", 2], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "ti_events", 3], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "ti_events", 5], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "ti_events", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "ti_events", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "ti_events", 4], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "ti_events", 6], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "ti_events", 3], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "ti_events", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "ti_events", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "ti_events", 5], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "ti_events", 2], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "ti_events", 3], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "ti_events", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "ti_events", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "ti_events", 4], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "ti_events", 1], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "ti_failure_ratio", 0.5], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "ti_failure_ratio", 0.2], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "ti_failure_ratio", 0.3333333333333333], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "ti_failure_ratio", 0.5], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "ti_failure_ratio", 0.16666666666666666], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "ti_failure_ratio", 0.2], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "ti_failure_ratio", 0.3333333333333333], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "ti_failure_ratio", 0.4], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "ti_failure_ratio", 0.16666666666666666], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "ti_failure_ratio", 0.4], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "ti_failure_ratio", 0.5], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "ti_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "ti_failure_ratio", 0.5], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "ti_failure_ratio", 0.0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "ti_failures", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "ti_failures", 3], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "ti_failures", 1], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "ti_failures", 1], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "ti_failures", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "ti_failures", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "ti_failures", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "ti_failures", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "ti_failures", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "ti_failures", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "ti_failures", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "ti_failures", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "ti_failures", 1], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "ti_failures", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "ti_failures", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "ti_failures", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "ti_failures", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "ti_failures", 2], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "ti_failures", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "ti_failures", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "ti_failures", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "ti_failures", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "ti_failures", 2], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "ti_failures", 1], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "ti_failures", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "ti_failures", 2], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "ti_failures", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "ti_service_available", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "ti_service_available", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "ti_service_available", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "ti_service_available", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "ti_service_available", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "ti_service_available", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "ti_service_available", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "ti_service_available", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "ti_service_available", 1], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "ti_service_available", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "ti_service_available", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "ti_service_available", 2], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "ti_service_available", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "ti_service_available", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "ti_service_available", 2], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "ti_service_available", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "ti_service_available", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "ti_service_unavailable", 1], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "ti_service_unavailable", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "ti_service_unavailable", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "ti_service_unavailable", 1], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "vpn_tunnel_failed", 2], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "vpn_tunnel_failed", 1], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "vpn_tunnel_failed", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "vpn_tunnel_failed", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "vpn_tunnel_failed", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "vpn_tunnel_failed", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "vpn_tunnel_failed", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "vpn_tunnel_failed", 0], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.munich.local", 1779062400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "vpn_tunnel_reconnect", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.munich.local", 1779066000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "vpn_tunnel_reconnect", 1], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.munich.local", 1779069600000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "vpn_tunnel_reconnect", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "vpn_tunnel_reconnect", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "vpn_tunnel_reconnect", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.munich.local", 1779073200000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.munich.local", 1779076800000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "vpn_tunnel_reconnect", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.munich.local", 1779080400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "vpn_tunnel_reconnect", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "avelios-int-01.munich.local", 1779084000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "vpn_tunnel_reconnect", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "vpn_tunnel_reconnect", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "dt_events", 1], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "dt_events", 1], ["user", ".thomas.weber", 1779062400000000000, "cloud", "dt_events", 3], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "dt_events", 3], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "dt_events", 3], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "dt_events", 4], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "dt_events", 3], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "dt_events", 1], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "dt_events", 1], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "dt_events", 2], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "dt_events", 1], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "dt_events", 3], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "dt_events", 1], ["user", ".thomas.weber", 1779069600000000000, "cloud", "dt_events", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "dt_events", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "dt_events", 3], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "dt_events", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "dt_events", 2], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "dt_events", 2], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "dt_events", 2], ["user", ".thomas.weber", 1779073200000000000, "cloud", "dt_events", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "dt_events", 3], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "dt_events", 2], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "dt_events", 2], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "dt_events", 1], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "dt_events", 2], ["user", ".thomas.weber", 1779076800000000000, "cloud", "dt_events", 2], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "dt_events", 2], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "dt_events", 1], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "dt_events", 1], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "dt_events", 1], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "dt_events", 3], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "dt_events", 3], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "dt_events", 1], ["user", ".thomas.weber", 1779084000000000000, "cloud", "dt_events", 1], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "dt_events", 1], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "dt_events", 1], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "dt_events", 1], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "dt_failures", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "dt_failures", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "dt_failures", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "dt_failures", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "dt_failures", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "dt_failures", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "dt_failures", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "dt_failures", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "dt_failures", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "dt_failures", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "dt_failures", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "dt_failures", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "dt_failures", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "dt_failures", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "dt_failures", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "dt_failures", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "dt_failures", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "dt_failures", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "dt_failures", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "dt_failures", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "dt_failures", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "dt_failures", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "dt_failures", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "dt_failures", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "dt_failures", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "dt_failures", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "dt_failures", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "dt_failures", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "dt_failures", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "dt_failures", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "dt_failures", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "dt_failures", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "dt_failures", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "dt_failures", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "dt_failures", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "dt_failures", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "dt_failures", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "dt_failures", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "email_notifications", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "email_notifications", 1], ["user", ".thomas.weber", 1779062400000000000, "cloud", "email_notifications", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "email_notifications", 1], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "email_notifications", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "email_notifications", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "email_notifications", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "email_notifications", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "email_notifications", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "email_notifications", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "email_notifications", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "email_notifications", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "email_notifications", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "email_notifications", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "email_notifications", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "email_notifications", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "email_notifications", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "email_notifications", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "email_notifications", 1], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "email_notifications", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "email_notifications", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "email_notifications", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "email_notifications", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "email_notifications", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "email_notifications", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "email_notifications", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "email_notifications", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "email_notifications", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "email_notifications", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "email_notifications", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "email_notifications", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "email_notifications", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "email_notifications", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "email_notifications", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "email_notifications", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "email_notifications", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "email_notifications", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "email_notifications", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "export_completed", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "export_completed", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "export_completed", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "export_completed", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "export_completed", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "export_completed", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "export_completed", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "export_completed", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "export_completed", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "export_completed", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "export_completed", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "export_completed", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "export_completed", 1], ["user", ".thomas.weber", 1779069600000000000, "cloud", "export_completed", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "export_completed", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "export_completed", 1], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "export_completed", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "export_completed", 1], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "export_completed", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "export_completed", 1], ["user", ".thomas.weber", 1779073200000000000, "cloud", "export_completed", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "export_completed", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "export_completed", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "export_completed", 2], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "export_completed", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "export_completed", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "export_completed", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "export_completed", 1], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "export_completed", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "export_completed", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "export_completed", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "export_completed", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "export_completed", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "export_completed", 1], ["user", ".thomas.weber", 1779084000000000000, "cloud", "export_completed", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "export_completed", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "export_completed", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "export_completed", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "export_initiated", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "export_initiated", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "export_initiated", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "export_initiated", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "export_initiated", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "export_initiated", 1], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "export_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "export_initiated", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "export_initiated", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "export_initiated", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "export_initiated", 1], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "export_initiated", 1], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "export_initiated", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "export_initiated", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "export_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "export_initiated", 1], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "export_initiated", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "export_initiated", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "export_initiated", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "export_initiated", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "export_initiated", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "export_initiated", 2], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "export_initiated", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "export_initiated", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "export_initiated", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "export_initiated", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "export_initiated", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "export_initiated", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "export_initiated", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "export_initiated", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "export_initiated", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "export_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "export_initiated", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "export_initiated", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "export_initiated", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "export_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "export_initiated", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "export_initiated", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "external_destinations", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "external_destinations", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "external_destinations", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "external_destinations", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "external_destinations", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "external_destinations", 1], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "external_destinations", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "external_destinations", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "external_destinations", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "external_destinations", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "external_destinations", 1], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "external_destinations", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "external_destinations", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "external_destinations", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "external_destinations", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "external_destinations", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "external_destinations", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "external_destinations", 1], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "external_destinations", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "external_destinations", 1], ["user", ".thomas.weber", 1779073200000000000, "cloud", "external_destinations", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "external_destinations", 1], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "external_destinations", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "external_destinations", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "external_destinations", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "external_destinations", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "external_destinations", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "external_destinations", 1], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "external_destinations", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "external_destinations", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "external_destinations", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "external_destinations", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "external_destinations", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "external_destinations", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "external_destinations", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "external_destinations", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "external_destinations", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "external_destinations", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "fhir_requests", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "fhir_requests", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "fhir_requests", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "fhir_requests", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "fhir_requests", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "fhir_requests", 3], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "fhir_requests", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "fhir_requests", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "fhir_requests", 1], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "fhir_requests", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "fhir_requests", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "fhir_requests", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "fhir_requests", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "fhir_requests", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "fhir_requests", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "fhir_requests", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "fhir_requests", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "fhir_requests", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "fhir_requests", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "fhir_requests", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "fhir_requests", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "fhir_requests", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "fhir_requests", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "fhir_requests", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "fhir_requests", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "fhir_requests", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "fhir_requests", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "fhir_requests", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "fhir_requests", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "fhir_requests", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "fhir_requests", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "fhir_requests", 1], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "fhir_requests", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "fhir_requests", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "fhir_requests", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "fhir_requests", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "fhir_requests", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "fhir_requests", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "hl7_received", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "hl7_received", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "hl7_received", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "hl7_received", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "hl7_received", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "hl7_received", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "hl7_received", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "hl7_received", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "hl7_received", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "hl7_received", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "hl7_received", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "hl7_received", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "hl7_received", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "hl7_received", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "hl7_received", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "hl7_received", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "hl7_received", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "hl7_received", 1], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "hl7_received", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "hl7_received", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "hl7_received", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "hl7_received", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "hl7_received", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "hl7_received", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "hl7_received", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "hl7_received", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "hl7_received", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "hl7_received", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "hl7_received", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "hl7_received", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "hl7_received", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "hl7_received", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "hl7_received", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "hl7_received", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "hl7_received", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "hl7_received", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "hl7_received", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "hl7_received", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "hl7_sent", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "hl7_sent", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "hl7_sent", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "hl7_sent", 1], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "hl7_sent", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "hl7_sent", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "hl7_sent", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "hl7_sent", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "hl7_sent", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "hl7_sent", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "hl7_sent", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "hl7_sent", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "hl7_sent", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "hl7_sent", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "hl7_sent", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "hl7_sent", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "hl7_sent", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "hl7_sent", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "hl7_sent", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "hl7_sent", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "hl7_sent", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "hl7_sent", 1], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "hl7_sent", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "hl7_sent", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "hl7_sent", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "hl7_sent", 1], ["user", ".thomas.weber", 1779076800000000000, "cloud", "hl7_sent", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "hl7_sent", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "hl7_sent", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "hl7_sent", 1], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "hl7_sent", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "hl7_sent", 2], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "hl7_sent", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "hl7_sent", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "hl7_sent", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "hl7_sent", 1], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "hl7_sent", 1], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "hl7_sent", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "import_completed", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "import_completed", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "import_completed", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "import_completed", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "import_completed", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "import_completed", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "import_completed", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "import_completed", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "import_completed", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "import_completed", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "import_completed", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "import_completed", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "import_completed", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "import_completed", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "import_completed", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "import_completed", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "import_completed", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "import_completed", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "import_completed", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "import_completed", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "import_completed", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "import_completed", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "import_completed", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "import_completed", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "import_completed", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "import_completed", 1], ["user", ".thomas.weber", 1779076800000000000, "cloud", "import_completed", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "import_completed", 1], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "import_completed", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "import_completed", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "import_completed", 1], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "import_completed", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "import_completed", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "import_completed", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "import_completed", 1], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "import_completed", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "import_completed", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "import_completed", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "import_initiated", 1], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "import_initiated", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "import_initiated", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "import_initiated", 1], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "import_initiated", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "import_initiated", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "import_initiated", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "import_initiated", 1], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "import_initiated", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "import_initiated", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "import_initiated", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "import_initiated", 0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "import_initiated", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "import_initiated", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "import_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "import_initiated", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "import_initiated", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "import_initiated", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "import_initiated", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "import_initiated", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "import_initiated", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "import_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "import_initiated", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "import_initiated", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "import_initiated", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "import_initiated", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "import_initiated", 1], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "import_initiated", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "import_initiated", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "import_initiated", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "import_initiated", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "import_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "import_initiated", 0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "import_initiated", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "import_initiated", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "import_initiated", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "import_initiated", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "import_initiated", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "print_jobs", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "print_jobs", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "print_jobs", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "print_jobs", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "print_jobs", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "print_jobs", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "print_jobs", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "print_jobs", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "print_jobs", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "print_jobs", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "print_jobs", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "print_jobs", 1], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "print_jobs", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "print_jobs", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "print_jobs", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "print_jobs", 0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "print_jobs", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "print_jobs", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "print_jobs", 1], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "print_jobs", 0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "print_jobs", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "print_jobs", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "print_jobs", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "print_jobs", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "print_jobs", 1], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "print_jobs", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "print_jobs", 1], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "print_jobs", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "print_jobs", 1], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "print_jobs", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "print_jobs", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "print_jobs", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "print_jobs", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "print_jobs", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "print_jobs", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "print_jobs", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "print_jobs", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "print_jobs", 1], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "report_generated", 0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "report_generated", 0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "report_generated", 0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "report_generated", 0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "report_generated", 0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "report_generated", 0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "report_generated", 0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "report_generated", 0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "report_generated", 0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "report_generated", 0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "report_generated", 0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "report_generated", 1], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "report_generated", 0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "report_generated", 0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "report_generated", 0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "report_generated", 1], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "report_generated", 0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "report_generated", 0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "report_generated", 0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "report_generated", 1], ["user", ".thomas.weber", 1779073200000000000, "cloud", "report_generated", 0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "report_generated", 0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "report_generated", 0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "report_generated", 0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "report_generated", 0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "report_generated", 0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "report_generated", 0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "report_generated", 0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "report_generated", 0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "report_generated", 0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "report_generated", 0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "report_generated", 0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "report_generated", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "report_generated", 0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "report_generated", 0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "report_generated", 0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "report_generated", 0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "report_generated", 0], ["user", ".anna.schmidt", 1779062400000000000, "cloud", "total_records_exported", 0.0], ["user", ".lisa.bauer", 1779062400000000000, "cloud", "total_records_exported", 0.0], ["user", ".thomas.weber", 1779062400000000000, "cloud", "total_records_exported", 268.0], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "total_records_exported", 0.0], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "total_records_exported", 8.0], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "total_records_exported", 936.0], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "total_records_exported", 216.0], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "cloud", "total_records_exported", 0.0], ["user", "lab.tech.sarah.koch", 1779066000000000000, "cloud", "total_records_exported", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "total_records_exported", 647.0], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "total_records_exported", 107.0], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "total_records_exported", 486.0], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "total_records_exported", 477.0], ["user", ".thomas.weber", 1779069600000000000, "cloud", "total_records_exported", 637.0], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "total_records_exported", 591.0], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "total_records_exported", 1217.0], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "total_records_exported", 71.0], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "total_records_exported", 625.0], ["user", ".anna.schmidt", 1779073200000000000, "cloud", "total_records_exported", 0.0], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "total_records_exported", 606.0], ["user", ".thomas.weber", 1779073200000000000, "cloud", "total_records_exported", 0.0], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "total_records_exported", 1731.0], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "cloud", "total_records_exported", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "total_records_exported", 1551.0], ["user", "pharmacist.hans.meyer", 1779073200000000000, "cloud", "total_records_exported", 0.0], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "total_records_exported", 0.0], ["user", ".thomas.weber", 1779076800000000000, "cloud", "total_records_exported", 0.0], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "total_records_exported", 11.0], ["user", "lab.tech.sarah.koch", 1779076800000000000, "cloud", "total_records_exported", 0.0], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "total_records_exported", 0.0], ["user", "pharmacist.hans.meyer", 1779076800000000000, "cloud", "total_records_exported", 0.0], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "total_records_exported", 0.0], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "total_records_exported", 832.0], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "total_records_exported", 107.0], ["user", ".thomas.weber", 1779084000000000000, "cloud", "total_records_exported", 0.0], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "total_records_exported", 0.0], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "total_records_exported", 0.0], ["user", "pharmacist.hans.meyer", 1779084000000000000, "cloud", "total_records_exported", 0.0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_auth_failed", 2], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_auth_failed", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_auth_failed", 1], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_auth_success", 2], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_auth_success", 3], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_auth_success", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_auth_success", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_decryption", 2], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_decryption", 1], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_decryption", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_events", 3], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_events", 7], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_events", 5], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_events", 7], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_events", 5], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_events", 8], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_events", 5], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_events", 8], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_events", 4], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_events", 5], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_events", 3], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_events", 3], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_events", 9], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_events", 7], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_events", 4], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_events", 4], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_events", 6], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_events", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_events", 4], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_events", 6], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_events", 4], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_events", 9], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_events", 4], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_events", 3], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_events", 3], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_events", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_events", 3], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_events", 2], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_failure_ratio", 0.6666666666666666], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_failure_ratio", 0.7142857142857143], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_failure_ratio", 0.2], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_failure_ratio", 0.42857142857142855], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_failure_ratio", 0.375], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_failure_ratio", 0.8], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_failure_ratio", 0.5], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_failure_ratio", 0.5], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_failure_ratio", 0.2], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_failure_ratio", 0.3333333333333333], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_failure_ratio", 0.6666666666666666], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_failure_ratio", 0.1111111111111111], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_failure_ratio", 0.42857142857142855], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_failure_ratio", 0.25], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_failure_ratio", 0.5], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_failure_ratio", 0.3333333333333333], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_failure_ratio", 0.6666666666666666], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_failure_ratio", 0.0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_failure_ratio", 0.3333333333333333], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_failure_ratio", 0.5], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_failures", 2], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_failures", 5], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_failures", 3], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_failures", 3], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_failures", 4], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_failures", 4], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_failures", 2], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_failures", 2], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_failures", 3], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_failures", 2], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_failures", 2], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_failures", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_failures", 1], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_pin_blocked", 3], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_pin_blocked", 2], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_pin_blocked", 1], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_pin_blocked", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_pin_failed", 2], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_pin_failed", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_pin_failed", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_pin_verified", 1], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_pin_verified", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_read_failure", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_read_failure", 2], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_read_failure", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_read_failure", 2], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_read_failure", 1], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_read_failure", 1], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_read_failure", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_read_failure", 3], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_read_failure", 1], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_read_failure", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_read_failure", 1], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_read_success", 2], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_read_success", 2], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_read_success", 2], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_read_success", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_read_success", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_removed", 2], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_removed", 2], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_removed", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_removed", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_removed", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_removed", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_removed", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "card_signature_created", 2], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "card_signature_created", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "card_signature_created", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "card_signature_created", 1], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "card_signature_created", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "card_signature_created", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "card_signature_created", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "card_signature_created", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "hba_events", 2], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "hba_events", 4], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "hba_events", 2], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "hba_events", 4], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "hba_events", 3], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "hba_events", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "hba_events", 4], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "hba_events", 3], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "hba_events", 2], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "hba_events", 2], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "hba_events", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "low_attempts_remaining", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "low_attempts_remaining", 1], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "low_attempts_remaining", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "low_attempts_remaining", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "low_attempts_remaining", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "low_attempts_remaining", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "low_attempts_remaining", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "qes_pin_attempts", 2], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "qes_pin_attempts", 2], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "qes_pin_attempts", 1], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "qes_pin_attempts", 0], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "smcb_events", 3], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "smcb_events", 3], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "smcb_events", 3], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "smcb_events", 2], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "smcb_events", 0], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "smcb_events", 0], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "smcb_events", 3], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "smcb_events", 2], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "smcb_events", 3], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "smcb_events", 3], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "smcb_events", 1], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "distinct_card_types", 4], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "distinct_card_types", 4], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "distinct_card_types", 4], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "distinct_card_types", 4], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "distinct_card_types", 4], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "distinct_card_types", 4], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "distinct_card_types", 4], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "distinct_card_types", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "distinct_card_types", 3], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "distinct_card_types", 2], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "distinct_cards", 3], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "distinct_cards", 6], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "distinct_cards", 5], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "distinct_cards", 7], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "distinct_cards", 5], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "distinct_cards", 8], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "distinct_cards", 5], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "distinct_cards", 8], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "distinct_cards", 4], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "distinct_cards", 5], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "distinct_cards", 3], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "distinct_cards", 3], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "distinct_cards", 9], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "distinct_cards", 7], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "distinct_cards", 4], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "distinct_cards", 4], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "distinct_cards", 6], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "distinct_cards", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "distinct_cards", 4], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "distinct_cards", 6], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "distinct_cards", 4], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "distinct_cards", 9], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "distinct_cards", 4], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "distinct_cards", 3], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "distinct_cards", 3], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "distinct_cards", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "distinct_cards", 3], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "distinct_cards", 2], ["user", ".thomas.weber", 1779062400000000000, "cloud", "distinct_destinations", 2], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "distinct_destinations", 1], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "distinct_destinations", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "distinct_destinations", 1], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "distinct_destinations", 1], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "distinct_destinations", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "distinct_destinations", 1], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "distinct_destinations", 1], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "distinct_destinations", 1], ["user", ".thomas.weber", 1779069600000000000, "cloud", "distinct_destinations", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "distinct_destinations", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "distinct_destinations", 1], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "distinct_destinations", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "distinct_destinations", 2], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "distinct_destinations", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "distinct_destinations", 3], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "distinct_destinations", 2], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "distinct_destinations", 1], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "distinct_destinations", 1], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "distinct_destinations", 1], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "distinct_destinations", 1], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "distinct_destinations", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "distinct_destinations", 1], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "distinct_destinations", 1], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "distinct_destinations", 1], ["user", ".thomas.weber", 1779062400000000000, "cloud", "distinct_export_types", 1], ["user", "lab.tech.sarah.koch", 1779062400000000000, "cloud", "distinct_export_types", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "cloud", "distinct_export_types", 1], ["user", "admin.klaus.fischer", 1779066000000000000, "cloud", "distinct_export_types", 1], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "cloud", "distinct_export_types", 1], ["user", "pharmacist.hans.meyer", 1779066000000000000, "cloud", "distinct_export_types", 1], ["user", ".anna.schmidt", 1779069600000000000, "cloud", "distinct_export_types", 1], ["user", ".lisa.bauer", 1779069600000000000, "cloud", "distinct_export_types", 1], ["user", ".thomas.weber", 1779069600000000000, "cloud", "distinct_export_types", 1], ["user", "admin.klaus.fischer", 1779069600000000000, "cloud", "distinct_export_types", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "cloud", "distinct_export_types", 2], ["user", "lab.tech.sarah.koch", 1779069600000000000, "cloud", "distinct_export_types", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "distinct_export_types", 1], ["user", ".lisa.bauer", 1779073200000000000, "cloud", "distinct_export_types", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "distinct_export_types", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "cloud", "distinct_export_types", 2], ["user", "admin.klaus.fischer", 1779076800000000000, "cloud", "distinct_export_types", 1], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "cloud", "distinct_export_types", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "cloud", "distinct_export_types", 1], ["user", ".thomas.weber", 1779062400000000000, "cloud", "distinct_msg_types", 1], ["user", "admin.klaus.fischer", 1779062400000000000, "cloud", "distinct_msg_types", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "cloud", "distinct_msg_types", 1], ["user", "admin.klaus.fischer", 1779073200000000000, "cloud", "distinct_msg_types", 1], ["user", ".lisa.bauer", 1779076800000000000, "cloud", "distinct_msg_types", 1], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "cloud", "distinct_msg_types", 1], ["user", "admin.klaus.fischer", 1779080400000000000, "cloud", "distinct_msg_types", 2], ["user", "admin.klaus.fischer", 1779084000000000000, "cloud", "distinct_msg_types", 1], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "cloud", "distinct_msg_types", 1], ["user", ".thomas.weber", 1779062400000000000, "auth", "distinct_src_host", 2], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "distinct_src_host", 2], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "distinct_src_host", 4], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "distinct_src_host", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "distinct_src_host", 2], ["user", ".lisa.bauer", 1779066000000000000, "auth", "distinct_src_host", 3], ["user", ".thomas.weber", 1779066000000000000, "auth", "distinct_src_host", 1], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "distinct_src_host", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "distinct_src_host", 1], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "distinct_src_host", 1], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "distinct_src_host", 2], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "distinct_src_host", 2], ["user", ".anna.schmidt", 1779069600000000000, "auth", "distinct_src_host", 2], ["user", ".lisa.bauer", 1779069600000000000, "auth", "distinct_src_host", 1], ["user", ".thomas.weber", 1779069600000000000, "auth", "distinct_src_host", 2], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "distinct_src_host", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "distinct_src_host", 4], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "distinct_src_host", 1], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "distinct_src_host", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "distinct_src_host", 3], ["user", ".anna.schmidt", 1779073200000000000, "auth", "distinct_src_host", 1], ["user", ".lisa.bauer", 1779073200000000000, "auth", "distinct_src_host", 1], ["user", ".thomas.weber", 1779073200000000000, "auth", "distinct_src_host", 3], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "distinct_src_host", 3], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "distinct_src_host", 2], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "distinct_src_host", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "distinct_src_host", 2], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "distinct_src_host", 3], ["user", ".anna.schmidt", 1779076800000000000, "auth", "distinct_src_host", 3], ["user", ".lisa.bauer", 1779076800000000000, "auth", "distinct_src_host", 1], ["user", ".thomas.weber", 1779076800000000000, "auth", "distinct_src_host", 1], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "distinct_src_host", 2], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "distinct_src_host", 2], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "distinct_src_host", 1], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "distinct_src_host", 2], ["user", ".anna.schmidt", 1779080400000000000, "auth", "distinct_src_host", 1], ["user", ".lisa.bauer", 1779080400000000000, "auth", "distinct_src_host", 1], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "distinct_src_host", 2], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "distinct_src_host", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "distinct_src_host", 3], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "distinct_src_host", 2], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "distinct_src_host", 3], ["user", ".anna.schmidt", 1779084000000000000, "auth", "distinct_src_host", 1], ["user", ".lisa.bauer", 1779084000000000000, "auth", "distinct_src_host", 2], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "distinct_src_host", 2], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "distinct_src_host", 2], ["user", ".thomas.weber", 1779062400000000000, "auth", "distinct_src_ip", 4], ["user", "admin.klaus.fischer", 1779062400000000000, "auth", "distinct_src_ip", 3], ["user", "billing.clerk.peter.wolf", 1779062400000000000, "auth", "distinct_src_ip", 4], ["user", "nurse.maria.m\\u00fcller", 1779062400000000000, "auth", "distinct_src_ip", 1], ["user", "pharmacist.hans.meyer", 1779062400000000000, "auth", "distinct_src_ip", 5], ["user", ".lisa.bauer", 1779066000000000000, "auth", "distinct_src_ip", 4], ["user", ".thomas.weber", 1779066000000000000, "auth", "distinct_src_ip", 2], ["user", "admin.klaus.fischer", 1779066000000000000, "auth", "distinct_src_ip", 1], ["user", "billing.clerk.peter.wolf", 1779066000000000000, "auth", "distinct_src_ip", 1], ["user", "lab.tech.sarah.koch", 1779066000000000000, "auth", "distinct_src_ip", 2], ["user", "nurse.maria.m\\u00fcller", 1779066000000000000, "auth", "distinct_src_ip", 3], ["user", "pharmacist.hans.meyer", 1779066000000000000, "auth", "distinct_src_ip", 2], ["user", ".anna.schmidt", 1779069600000000000, "auth", "distinct_src_ip", 3], ["user", ".lisa.bauer", 1779069600000000000, "auth", "distinct_src_ip", 1], ["user", ".thomas.weber", 1779069600000000000, "auth", "distinct_src_ip", 2], ["user", "admin.klaus.fischer", 1779069600000000000, "auth", "distinct_src_ip", 1], ["user", "billing.clerk.peter.wolf", 1779069600000000000, "auth", "distinct_src_ip", 4], ["user", "lab.tech.sarah.koch", 1779069600000000000, "auth", "distinct_src_ip", 2], ["user", "nurse.maria.m\\u00fcller", 1779069600000000000, "auth", "distinct_src_ip", 1], ["user", "pharmacist.hans.meyer", 1779069600000000000, "auth", "distinct_src_ip", 3], ["user", ".anna.schmidt", 1779073200000000000, "auth", "distinct_src_ip", 1], ["user", ".lisa.bauer", 1779073200000000000, "auth", "distinct_src_ip", 1], ["user", ".thomas.weber", 1779073200000000000, "auth", "distinct_src_ip", 3], ["user", "admin.klaus.fischer", 1779073200000000000, "auth", "distinct_src_ip", 3], ["user", "billing.clerk.peter.wolf", 1779073200000000000, "auth", "distinct_src_ip", 3], ["user", "lab.tech.sarah.koch", 1779073200000000000, "auth", "distinct_src_ip", 1], ["user", "nurse.maria.m\\u00fcller", 1779073200000000000, "auth", "distinct_src_ip", 2], ["user", "pharmacist.hans.meyer", 1779073200000000000, "auth", "distinct_src_ip", 6], ["user", ".anna.schmidt", 1779076800000000000, "auth", "distinct_src_ip", 4], ["user", ".lisa.bauer", 1779076800000000000, "auth", "distinct_src_ip", 1], ["user", ".thomas.weber", 1779076800000000000, "auth", "distinct_src_ip", 1], ["user", "billing.clerk.peter.wolf", 1779076800000000000, "auth", "distinct_src_ip", 3], ["user", "lab.tech.sarah.koch", 1779076800000000000, "auth", "distinct_src_ip", 2], ["user", "nurse.maria.m\\u00fcller", 1779076800000000000, "auth", "distinct_src_ip", 1], ["user", "pharmacist.hans.meyer", 1779076800000000000, "auth", "distinct_src_ip", 3], ["user", ".anna.schmidt", 1779080400000000000, "auth", "distinct_src_ip", 1], ["user", ".lisa.bauer", 1779080400000000000, "auth", "distinct_src_ip", 2], ["user", "admin.klaus.fischer", 1779080400000000000, "auth", "distinct_src_ip", 2], ["user", "billing.clerk.peter.wolf", 1779080400000000000, "auth", "distinct_src_ip", 1], ["user", "lab.tech.sarah.koch", 1779080400000000000, "auth", "distinct_src_ip", 4], ["user", "nurse.maria.m\\u00fcller", 1779080400000000000, "auth", "distinct_src_ip", 2], ["user", "pharmacist.hans.meyer", 1779080400000000000, "auth", "distinct_src_ip", 3], ["user", ".anna.schmidt", 1779084000000000000, "auth", "distinct_src_ip", 1], ["user", ".lisa.bauer", 1779084000000000000, "auth", "distinct_src_ip", 2], ["user", "billing.clerk.peter.wolf", 1779084000000000000, "auth", "distinct_src_ip", 2], ["user", "pharmacist.hans.meyer", 1779084000000000000, "auth", "distinct_src_ip", 2], ["host", "omniconnect-ber-01.local", 1779062400000000000, "network", "distinct_telematik_ids", 6], ["host", "omniconnect-fra-01.local", 1779062400000000000, "network", "distinct_telematik_ids", 4], ["host", "omniconnect-ham-01.local", 1779062400000000000, "network", "distinct_telematik_ids", 3], ["host", "omniconnect-ber-01.local", 1779066000000000000, "network", "distinct_telematik_ids", 1], ["host", "omniconnect-fra-01.local", 1779066000000000000, "network", "distinct_telematik_ids", 2], ["host", "omniconnect-ham-01.local", 1779066000000000000, "network", "distinct_telematik_ids", 2], ["host", "omniconnect-mun-01.local", 1779066000000000000, "network", "distinct_telematik_ids", 2], ["host", "omniconnect-ber-01.local", 1779069600000000000, "network", "distinct_telematik_ids", 7], ["host", "omniconnect-fra-01.local", 1779069600000000000, "network", "distinct_telematik_ids", 4], ["host", "omniconnect-ham-01.local", 1779069600000000000, "network", "distinct_telematik_ids", 6], ["host", "omniconnect-mun-01.local", 1779069600000000000, "network", "distinct_telematik_ids", 5], ["host", "omniconnect-ber-01.local", 1779073200000000000, "network", "distinct_telematik_ids", 1], ["host", "omniconnect-fra-01.local", 1779073200000000000, "network", "distinct_telematik_ids", 2], ["host", "omniconnect-ham-01.local", 1779073200000000000, "network", "distinct_telematik_ids", 3], ["host", "omniconnect-mun-01.local", 1779073200000000000, "network", "distinct_telematik_ids", 5], ["host", "omniconnect-ber-01.local", 1779076800000000000, "network", "distinct_telematik_ids", 4], ["host", "omniconnect-fra-01.local", 1779076800000000000, "network", "distinct_telematik_ids", 6], ["host", "omniconnect-ham-01.local", 1779076800000000000, "network", "distinct_telematik_ids", 3], ["host", "omniconnect-ber-01.local", 1779080400000000000, "network", "distinct_telematik_ids", 5], ["host", "omniconnect-fra-01.local", 1779080400000000000, "network", "distinct_telematik_ids", 2], ["host", "omniconnect-mun-01.local", 1779080400000000000, "network", "distinct_telematik_ids", 3], ["host", "omniconnect-ber-01.local", 1779084000000000000, "network", "distinct_telematik_ids", 4], ["host", "omniconnect-ham-01.local", 1779084000000000000, "network", "distinct_telematik_ids", 1], ["host", "omniconnect-ber-01.local", 1779062400000000000, "healthcare", "distinct_terminals", 3], ["host", "omniconnect-fra-01.local", 1779062400000000000, "healthcare", "distinct_terminals", 5], ["host", "omniconnect-ham-01.local", 1779062400000000000, "healthcare", "distinct_terminals", 5], ["host", "omniconnect-mun-01.local", 1779062400000000000, "healthcare", "distinct_terminals", 7], ["host", "omniconnect-ber-01.local", 1779066000000000000, "healthcare", "distinct_terminals", 5], ["host", "omniconnect-fra-01.local", 1779066000000000000, "healthcare", "distinct_terminals", 8], ["host", "omniconnect-ham-01.local", 1779066000000000000, "healthcare", "distinct_terminals", 5], ["host", "omniconnect-mun-01.local", 1779066000000000000, "healthcare", "distinct_terminals", 8], ["host", "omniconnect-ber-01.local", 1779069600000000000, "healthcare", "distinct_terminals", 4], ["host", "omniconnect-fra-01.local", 1779069600000000000, "healthcare", "distinct_terminals", 5], ["host", "omniconnect-ham-01.local", 1779069600000000000, "healthcare", "distinct_terminals", 3], ["host", "omniconnect-mun-01.local", 1779069600000000000, "healthcare", "distinct_terminals", 3], ["host", "omniconnect-ber-01.local", 1779073200000000000, "healthcare", "distinct_terminals", 9], ["host", "omniconnect-fra-01.local", 1779073200000000000, "healthcare", "distinct_terminals", 7], ["host", "omniconnect-ham-01.local", 1779073200000000000, "healthcare", "distinct_terminals", 4], ["host", "omniconnect-mun-01.local", 1779073200000000000, "healthcare", "distinct_terminals", 4], ["host", "omniconnect-ber-01.local", 1779076800000000000, "healthcare", "distinct_terminals", 6], ["host", "omniconnect-fra-01.local", 1779076800000000000, "healthcare", "distinct_terminals", 2], ["host", "omniconnect-ham-01.local", 1779076800000000000, "healthcare", "distinct_terminals", 4], ["host", "omniconnect-mun-01.local", 1779076800000000000, "healthcare", "distinct_terminals", 6], ["host", "omniconnect-ber-01.local", 1779080400000000000, "healthcare", "distinct_terminals", 4], ["host", "omniconnect-fra-01.local", 1779080400000000000, "healthcare", "distinct_terminals", 9], ["host", "omniconnect-ham-01.local", 1779080400000000000, "healthcare", "distinct_terminals", 4], ["host", "omniconnect-mun-01.local", 1779080400000000000, "healthcare", "distinct_terminals", 3], ["host", "omniconnect-ber-01.local", 1779084000000000000, "healthcare", "distinct_terminals", 3], ["host", "omniconnect-fra-01.local", 1779084000000000000, "healthcare", "distinct_terminals", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "healthcare", "distinct_terminals", 3], ["host", "omniconnect-mun-01.local", 1779084000000000000, "healthcare", "distinct_terminals", 2], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 6], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 5], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 3], ["host", "omniconnect-ber-01.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 8], ["host", "omniconnect-fra-01.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 7], ["host", "omniconnect-ham-01.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 7], ["host", "omniconnect-mun-01.local", 1779062400000000000, "endpoint", "host_distinct_etypes", 7], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 3], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 5], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 4], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 1], ["host", "omniconnect-ber-01.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 4], ["host", "omniconnect-fra-01.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 9], ["host", "omniconnect-ham-01.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 6], ["host", "omniconnect-mun-01.local", 1779066000000000000, "endpoint", "host_distinct_etypes", 9], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 4], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 3], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 4], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 3], ["host", "omniconnect-ber-01.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 9], ["host", "omniconnect-fra-01.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 8], ["host", "omniconnect-ham-01.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 7], ["host", "omniconnect-mun-01.local", 1779069600000000000, "endpoint", "host_distinct_etypes", 8], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 4], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 4], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 3], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 7], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 3], ["host", "omniconnect-ber-01.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 7], ["host", "omniconnect-fra-01.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 9], ["host", "omniconnect-ham-01.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 6], ["host", "omniconnect-mun-01.local", 1779073200000000000, "endpoint", "host_distinct_etypes", 7], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 3], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 4], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 3], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 5], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 2], ["host", "omniconnect-ber-01.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 10], ["host", "omniconnect-fra-01.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 8], ["host", "omniconnect-ham-01.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 6], ["host", "omniconnect-mun-01.local", 1779076800000000000, "endpoint", "host_distinct_etypes", 6], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 5], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 3], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 4], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 1], ["host", "omniconnect-ber-01.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 8], ["host", "omniconnect-fra-01.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 6], ["host", "omniconnect-ham-01.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 3], ["host", "omniconnect-mun-01.local", 1779080400000000000, "endpoint", "host_distinct_etypes", 5], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 3], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 1], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 2], ["host", "omniconnect-ber-01.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 6], ["host", "omniconnect-fra-01.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 1], ["host", "omniconnect-ham-01.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 4], ["host", "omniconnect-mun-01.local", 1779084000000000000, "endpoint", "host_distinct_etypes", 2], ["host", "avelios-app-01.berlin.local", 1779062400000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-01.munich.local", 1779062400000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-02.berlin.local", 1779062400000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.munich.local", 1779062400000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-03.berlin.local", 1779062400000000000, "endpoint", "host_distinct_users", 3], ["host", "avelios-app-03.munich.local", 1779062400000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-int-01.berlin.local", 1779062400000000000, "endpoint", "host_distinct_users", 4], ["host", "avelios-int-01.munich.local", 1779062400000000000, "endpoint", "host_distinct_users", 5], ["host", "avelios-app-01.berlin.local", 1779066000000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-01.munich.local", 1779066000000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.berlin.local", 1779066000000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.munich.local", 1779066000000000000, "endpoint", "host_distinct_users", 4], ["host", "avelios-app-03.berlin.local", 1779066000000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-03.munich.local", 1779066000000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-int-01.berlin.local", 1779066000000000000, "endpoint", "host_distinct_users", 5], ["host", "avelios-int-01.munich.local", 1779066000000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-01.berlin.local", 1779069600000000000, "endpoint", "host_distinct_users", 4], ["host", "avelios-app-01.munich.local", 1779069600000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.berlin.local", 1779069600000000000, "endpoint", "host_distinct_users", 4], ["host", "avelios-app-02.munich.local", 1779069600000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-03.berlin.local", 1779069600000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-03.munich.local", 1779069600000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-int-01.berlin.local", 1779069600000000000, "endpoint", "host_distinct_users", 6], ["host", "avelios-int-01.munich.local", 1779069600000000000, "endpoint", "host_distinct_users", 4], ["host", "avelios-app-01.berlin.local", 1779073200000000000, "endpoint", "host_distinct_users", 6], ["host", "avelios-app-02.berlin.local", 1779073200000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.munich.local", 1779073200000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-03.berlin.local", 1779073200000000000, "endpoint", "host_distinct_users", 5], ["host", "avelios-app-03.munich.local", 1779073200000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-int-01.berlin.local", 1779073200000000000, "endpoint", "host_distinct_users", 5], ["host", "avelios-int-01.munich.local", 1779073200000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-01.berlin.local", 1779076800000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-01.munich.local", 1779076800000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-02.berlin.local", 1779076800000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.munich.local", 1779076800000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-03.berlin.local", 1779076800000000000, "endpoint", "host_distinct_users", 3], ["host", "avelios-app-03.munich.local", 1779076800000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-int-01.berlin.local", 1779076800000000000, "endpoint", "host_distinct_users", 4], ["host", "avelios-int-01.munich.local", 1779076800000000000, "endpoint", "host_distinct_users", 3], ["host", "avelios-app-01.munich.local", 1779080400000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.berlin.local", 1779080400000000000, "endpoint", "host_distinct_users", 4], ["host", "avelios-app-02.munich.local", 1779080400000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-03.berlin.local", 1779080400000000000, "endpoint", "host_distinct_users", 3], ["host", "avelios-app-03.munich.local", 1779080400000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-int-01.berlin.local", 1779080400000000000, "endpoint", "host_distinct_users", 3], ["host", "avelios-int-01.munich.local", 1779080400000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-01.berlin.local", 1779084000000000000, "endpoint", "host_distinct_users", 3], ["host", "avelios-app-02.berlin.local", 1779084000000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-app-02.munich.local", 1779084000000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-app-03.berlin.local", 1779084000000000000, "endpoint", "host_distinct_users", 1], ["host", "avelios-int-01.berlin.local", 1779084000000000000, "endpoint", "host_distinct_users", 2], ["host", "avelios-int-01.munich.local", 1779084000000000000, "endpoint", "host_distinct_users", 2]]} \ No newline at end of file diff --git a/parsers/ueba_peer_membership b/parsers/ueba_peer_membership new file mode 100644 index 0000000..008af32 --- /dev/null +++ b/parsers/ueba_peer_membership @@ -0,0 +1 @@ +{"columnNames": ["entity_type", "entity_id", "peer_id"], "rows": [["user", ".thomas.weber", "role=Physician|hosp=HOSP-003"], ["user", "admin.klaus.fischer", "role=SystemAdmin|hosp=HOSP-003"], ["user", "billing.clerk.peter.wolf", "role=BillingClerk|hosp=HOSP-001"], ["user", "nurse.maria.m\\u00fcller", "role=Nurse|hosp=HOSP-001"], ["user", "nurse.maria.m\\u00fcller", "role=Nurse|hosp=HOSP-002"], ["user", "nurse.maria.m\\u00fcller", "role=Nurse|hosp=HOSP-003"], ["user", "pharmacist.hans.meyer", "role=Pharmacist|hosp=HOSP-001"], ["user", "pharmacist.hans.meyer", "role=Pharmacist|hosp=HOSP-003"], ["host", "avelios-app-01.berlin.local", "host_fam=avelios|loc=Berlin"], ["host", "avelios-app-03.berlin.local", "host_fam=avelios|loc=Berlin"], ["host", "avelios-app-03.munich.local", "host_fam=avelios|loc=Munich"], ["host", "avelios-int-01.berlin.local", "host_fam=avelios|loc=Berlin"], ["host", "avelios-int-01.munich.local", "host_fam=avelios|loc=Munich"], ["host", "omniconnect-ber-01.local", "host_fam=omniconnect|loc=unknown"], ["host", "omniconnect-ber-01.local", "host_fam=omniconnect|loc=Berlin"], ["host", "omniconnect-fra-01.local", "host_fam=omniconnect|loc=unknown"], ["host", "omniconnect-fra-01.local", "host_fam=omniconnect|loc=Frankfurt"], ["host", "omniconnect-ham-01.local", "host_fam=omniconnect|loc=unknown"], ["host", "omniconnect-ham-01.local", "host_fam=omniconnect|loc=Hamburg"], ["host", "omniconnect-mun-01.local", "host_fam=omniconnect|loc=unknown"], ["host", "omniconnect-mun-01.local", "host_fam=omniconnect|loc=Munich"]]} \ No newline at end of file diff --git a/parsers/ueba_smoke_test b/parsers/ueba_smoke_test new file mode 100644 index 0000000..18f4492 --- /dev/null +++ b/parsers/ueba_smoke_test @@ -0,0 +1,4 @@ +{ + "columnNames": [], + "rows": [] +} \ No newline at end of file diff --git a/parsers/ueba_test_default b/parsers/ueba_test_default new file mode 100644 index 0000000..708bcd9 --- /dev/null +++ b/parsers/ueba_test_default @@ -0,0 +1,13 @@ +{ + "columnNames": ["entity_id", "feature_name", "value"], + "rows": [ + [".anna.schmidt", "featureD3", 16], + [".lisa.bauer", "featureD3", 9], + [".thomas.weber", "featureD3", 18], + ["admin.klaus.fischer", "featureD3", 17], + ["billing.clerk.peter.wolf", "featureD3", 19], + ["lab.tech.sarah.koch", "featureD3", 9], + ["nurse.maria.m\\u00fcller", "featureD3", 16], + ["pharmacist.hans.meyer", "featureD3", 17] + ] +} \ No newline at end of file diff --git a/parsers/ueba_test_merge b/parsers/ueba_test_merge new file mode 100644 index 0000000..37ae277 --- /dev/null +++ b/parsers/ueba_test_merge @@ -0,0 +1,13 @@ +{ + "columnNames": ["entity_id", "feature_name", "value"], + "rows": [ + [".anna.schmidt", "featureB3", 16], + [".lisa.bauer", "featureB3", 9], + [".thomas.weber", "featureB3", 18], + ["admin.klaus.fischer", "featureB3", 17], + ["billing.clerk.peter.wolf", "featureB3", 19], + ["lab.tech.sarah.koch", "featureB3", 9], + ["nurse.maria.m\\u00fcller", "featureB3", 16], + ["pharmacist.hans.meyer", "featureB3", 17] + ] +} \ No newline at end of file diff --git a/parsers/ueba_test_same_feat_merge b/parsers/ueba_test_same_feat_merge new file mode 100644 index 0000000..0d99c70 --- /dev/null +++ b/parsers/ueba_test_same_feat_merge @@ -0,0 +1,13 @@ +{ + "columnNames": ["entity_id", "feature_name", "value"], + "rows": [ + [".anna.schmidt", "featF_same", 16], + [".lisa.bauer", "featF_same", 9], + [".thomas.weber", "featF_same", 18], + ["admin.klaus.fischer", "featF_same", 17], + ["billing.clerk.peter.wolf", "featF_same", 19], + ["lab.tech.sarah.koch", "featF_same", 9], + ["nurse.maria.m\\u00fcller", "featF_same", 16], + ["pharmacist.hans.meyer", "featF_same", 17] + ] +} \ No newline at end of file diff --git a/parsers/ueba_test_same_feat_replace b/parsers/ueba_test_same_feat_replace new file mode 100644 index 0000000..1776fca --- /dev/null +++ b/parsers/ueba_test_same_feat_replace @@ -0,0 +1,13 @@ +{ + "columnNames": ["entity_id", "feature_name", "value"], + "rows": [ + [".anna.schmidt", "featG_same", 16], + [".lisa.bauer", "featG_same", 9], + [".thomas.weber", "featG_same", 18], + ["admin.klaus.fischer", "featG_same", 17], + ["billing.clerk.peter.wolf", "featG_same", 19], + ["lab.tech.sarah.koch", "featG_same", 9], + ["nurse.maria.m\\u00fcller", "featG_same", 16], + ["pharmacist.hans.meyer", "featG_same", 17] + ] +} \ No newline at end of file diff --git a/parsers/zscaler_logs-latest b/parsers/zscaler_logs-latest new file mode 100644 index 0000000..e3f8b3f --- /dev/null +++ b/parsers/zscaler_logs-latest @@ -0,0 +1,19 @@ +{ + // specify a time zone if the timestamps in your log are not in GMT + // timezone: "GMT-0800" + + formats: [ + + { + id: "format1", + format: ".*$=json{parse=dottedJson}$" + rewrites: [ + {input: "TimestampConnectionEnd", output: "timestamp", match: ".*", replace: "$0"} + // moved upstread wher it is more efficient + {input: "message", output: "message", match: "(.*\")(\\{\"\\w+\".*)", replace: "$2"} + + ] + } + + ] +}